CVE-2019-20151

{"id": "CVE-2019-20151", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-08-20T13:15:11.920", "references": [{"url": "https://sion-evans.com/blog/CVE-2019-20151.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrator(s). A malicious payload can be injected within the Multi Approval security component and inserted via the Note field. As a result, the payload is executed by the application's administrator(s)."}, {"lang": "es", "value": "Se detect\u00f3 un problema de tipo XSS en TreasuryXpress versi\u00f3n 19191105. Debido a una falta de filtrado y saneamiento de la entrada del usuario, un JavaScript malicioso puede ser ejecutado por los administradores de la aplicaci\u00f3n. Una carga \u00fatil maliciosa puede ser inyectada dentro del componente de seguridad Multi Approval e insertada por medio del campo Note. Como resultado, la carga \u00fatil es ejecutada por los administradores de la aplicaci\u00f3n."}], "lastModified": "2020-08-24T19:34:02.147", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:treasuryxpress:treasuryxpress:19191105:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA3BC12C-C7AB-40AF-9176-B6A3884598FD"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}