C2Box 4.0.0(r19171) Validation Bypass

2016-03-28 | Harish Ramadoss | packetstormsecurity.com

EPSS: 0.005 (Low), percentile 75.4%

#####################################  
Title: Validation Bypass in C2Box application allows user to input negative value  
Author: Harish Ramadoss   
Vendor: boxautomation(B.A.S)  
Product: C2Box  
Version: All versions below 4.0.0(r19171)  
Tested Version: Version 4.0.0(r19171)  
Severity: Medium  
CVE Reference: 2015-4626  
  
# About the Product:  
B.A.S C2Box provides global solutions enabling full control and visibility over cash positions and managing domestic or cross border payment processes.  
  
# Description:  
Performing validation in client-side code, generally JavaScript, provides no protection for server-side code. An attacker can simply disable JavaScript or use a security testing proxy such as Burp Suite to bypass the client-side validation. Unvalidated input might corrupt business logic.  
  
# Vulnerability Class:  
Unvalidated Input - https://www.owasp.org/index.php/Unvalidated_Input  
  
# How to Reproduce: (POC):  
While creating an overdraft using the overdraft editor form in the C2Box application, disable JavaScript to turn off the client-side validation; the submitted value can then be intercepted with a proxy and replaced with a negative value, corrupting the business logic.  
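To show what the fix for this class of issue has to look like on the server, here is an added example, not code from the advisory or from the C2Box product: a server-side validator for an overdraft request that re-checks every rule the browser-side script is expected to enforce, placed next to the handler pattern that merely trusts the client. The field names (`account`, `amount`), the limit and the rules are assumptions, since the advisory does not describe the real form.

```python
# Added example (not from the advisory or the C2Box product): server-side
# validation of an overdraft request, so that disabling JavaScript or editing
# the request in an intercepting proxy cannot push a negative amount into the
# business logic. Field names, limit and rules are hypothetical.
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

MAX_OVERDRAFT = Decimal("1000000.00")  # assumed business limit


def parse_form(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_overdraft_client_trusting(form: Dict[str, str]) -> Dict[str, object]:
    """'Before' pattern: the server assumes the browser-side JavaScript already
    checked the value and only converts it. A negative amount passes straight through."""
    return {"account": form["account"], "amount": Decimal(form["amount"])}


def validate_overdraft(form: Dict[str, str]) -> Tuple[Optional[Dict[str, object]], List[str]]:
    """'After' pattern: every rule the client-side script enforces is re-checked here.
    Returns (clean_values, errors); clean_values is None when any rule fails."""
    errors: List[str] = []

    account = form.get("account", "").strip()
    if not account.isalnum() or not (6 <= len(account) <= 20):
        errors.append("account: must be 6-20 alphanumeric characters")

    raw_amount = form.get("amount", "").strip()
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        errors.append("amount: not a number")
        amount = None
    else:
        # Check finiteness first: comparing NaN with <= would raise.
        if not amount.is_finite():
            errors.append("amount: not a finite number")
        elif amount <= 0:
            errors.append("amount: must be greater than zero")
        elif amount > MAX_OVERDRAFT:
            errors.append(f"amount: exceeds limit {MAX_OVERDRAFT}")
        elif amount.as_tuple().exponent < -2:
            errors.append("amount: at most two decimal places")

    if errors:
        return None, errors
    return {"account": account, "amount": amount}, []


# Constructed request bodies: the first is what the form normally submits, the
# second is the same request after the client-side check has been bypassed.
NORMAL_BODY = "account=ACC123456&amount=2500.00"
TAMPERED_BODY = "account=ACC123456&amount=-2500.00"

if __name__ == "__main__":
    for body in (NORMAL_BODY, TAMPERED_BODY):
        form = parse_form(body)
        print("client-trusting handler accepts:", validate_overdraft_client_trusting(form))
        clean, errs = validate_overdraft(form)
        print("server-side validation:", clean if clean else errs)
```

The validator works on the parsed form, not on anything the browser claims to have checked, and uses `Decimal` rather than `float` so that money values are compared exactly; the `is_finite()` check before the sign test matters because `Decimal("NaN")` is a valid parse but raises on ordered comparison.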
  
# Disclosure:  
Discovered: June 10, 2015  
Vendor Notification: June 10, 2015  
Advisory Publication: Mar 28, 2016  
Public Disclosure: Mar 28, 2016  
  
# Solution:  
Upgrading to the latest build fixes this issue.  
The new version number is 15.6.22.  
Release date: June 22, 2015  
  
# Credits:  
Harish Ramadoss  
Senior Security Analyst  
Help AG Middle East  
  
# References:  
[1] Help AG Middle East http://www.helpag.com/.  
[2] http://www.boxautomation.com/.  
[3] https://www.owasp.org/index.php/Unvalidated_Input  
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.  
