CVE-2019-20151

TreasuryXpress contains a stored cross-site scripting vulnerability that allows targeted attacks against the application's administrator.

TreasuryXpress is a SaaS (Software as a Service) company that offers treasury management and cash forecasting solutions.

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the TreasuryXpress web application (version 19191105). The vulnerability allows arbitrary JavaScript to be stored in the application and executed in the browser of the user who later views it, and it can be targeted directly at the application's administrator.

The affected component exists within the Multi Approval security feature of the application. This feature is used to restrict lower privilege users from applying changes to sensitive modules, requiring the manual approval of one or more administrators prior to becoming active.

While submitting an approval request, the requester can add a comment to the request. This comment field is vulnerable to XSS: a payload stored in it is rendered, and therefore executed, when the application's administrator reviews the request. Because the administrator is the user who must view the request in order to approve it, an attacker can aim the payload at that account directly, which escalates the impact of this vulnerability significantly.
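The following is an added illustration of the bug class described above; it is not TreasuryXpress code, and the request shape, field names and rendering functions are assumptions made for the example. It contrasts a render path that concatenates a stored approval-request comment straight into HTML with one that HTML-encodes every untrusted value before it reaches the administrator's browser. The comment in the sample request is a generic XSS probe constructed for this example, not the payload from the advisory.

```javascript
// Added illustration, not TreasuryXpress code: the request shape, field names
// and rendering functions below are assumptions made for this example.
// It contrasts a render path that reflects a stored approval-request comment
// verbatim (the class of bug the advisory describes) with one that
// HTML-encodes every untrusted value before it reaches the administrator.

// Constructed sample approval request. The comment is a generic XSS probe
// written for this example; it is not the payload from the advisory.
const constructedRequest = {
  id: 42,
  module: "Payments",
  comment: '<img src=x onerror="alert(document.cookie)">',
};

// Vulnerable: the stored comment is concatenated straight into the HTML that
// the approving administrator's browser will parse, so any markup in it runs.
function renderApprovalVulnerable(req) {
  return `<div class="approval" data-id="${req.id}">` +
         `<span class="module">${req.module}</span>` +
         `<p class="comment">${req.comment}</p></div>`;
}

// Hardened: HTML-entity encode the five characters that can break out of
// element text or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderApprovalSafe(req) {
  return `<div class="approval" data-id="${escapeHtml(req.id)}">` +
         `<span class="module">${escapeHtml(req.module)}</span>` +
         `<p class="comment">${escapeHtml(req.comment)}</p></div>`;
}

// Extracts the rendered comment body and reports whether it still contains a
// raw '<', i.e. whether the browser would see user-supplied tags there.
function commentContainsRawTag(html) {
  const match = html.match(/<p class="comment">([\s\S]*?)<\/p>/);
  return match !== null && match[1].includes("<");
}

// Stand-alone demonstration.
console.log("vulnerable:", commentContainsRawTag(renderApprovalVulnerable(constructedRequest))); // true
console.log("hardened:  ", commentContainsRawTag(renderApprovalSafe(constructedRequest)));       // false
```

Output encoding has to match the context the value lands in: the entity map above covers element text and double-quoted attributes, but a value placed inside a `<script>` block, a URL or a CSS property needs its own encoder. A Content-Security-Policy that forbids inline script is a useful second layer for an administrator view, but it does not replace encoding at the point of rendering.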

Although TreasuryXpress is primarily a SaaS solution, the TreasuryXpress website also lists an on-premise offering as a deployment option. If the affected version were found deployed on-premise, the vulnerability could be exploited in the same way.

Posted by Sion Evans on August 20, 2020