Cross site scripting

2019-10-3103:15:00

PRIOn knowledge base

www.prio-n.com

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.3%

JSON

In Apak Wholesale Floorplanning Finance 6.31.8.3 and 6.31.8.5, an attacker can send an authenticated POST request with a malicious payload to /WFS/agreementView.faces allowing a stored XSS via the mainForm:loanNotesnotes:0:rich_text_editor_note_text parameter in the Notes section. Although versions 6.31.8.3 and 6.31.8.5 are confirmed to be affected, all versions with the vulnerable WYSIWYG editor in the Notes section are likely affected.

CPENameOperatorVersion
wholesale_floorplanning_financeeq6.31.8.3
wholesale_floorplanning_financeeq6.31.8.5

CPE	Name	Operator	Version
	wholesale_floorplanning_finance	eq	6.31.8.3
	wholesale_floorplanning_finance	eq	6.31.8.5

References

www.apakgroup.com/products/wholesale-floorplanning-finance/

www.cybersecurity-help.cz/vdb/SB2019103106?affChecked=1

www2.deloitte.com/de/de/pages/risk/articles/wholesale-finance-xss.html