Total
3 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-20152 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload can be injected within the Custom Workflow component and inserted via the Create New Workflow field. As a result, the payload is executed via the navigation bar throughout the application. | |||||
CVE-2019-20151 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrator(s). A malicious payload can be injected within the Multi Approval security component and inserted via the Note field. As a result, the payload is executed by the application's administrator(s). | |||||
CVE-2019-20150 | 1 Treasuryxpress | 1 Treasuryxpress | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
In TreasuryXpress 19191105, a logged-in user can discover saved credentials, even though the UI hides them. Using functionality within the application and a malicious host, it is possible to force the application to expose saved SSH/SFTP credentials. This can be done by using the application's editor to change the expected SFTP Host IP to a malicious host, and then using the Check Connectivity option. The application then sends these saved credentials to the malicious host. |