CVE-2019-20152

TreasuryXpress contains a cross-site scripting vulnerability which allows targeted attacks against users of the application.

TreasuryXpress is a SaaS (Software as a Service) company that offers treasury management and cash forecasting solutions.

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the TreasuryXpress web application (version 19191105). This vulnerability allows arbitrary JavaScript code to be stored in the application and can be targeted at all users of the application.

The affected component is the Custom Workflow feature of the web application. Because user-supplied input is neither filtered nor sanitised, arbitrary JavaScript can be inserted into the application's navigation bar, where it is executed throughout the application.
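As an added illustration (not TreasuryXpress code, and not a reproduction of the advisory), the following shows the pattern described above, a stored Custom Workflow name concatenated straight into navigation-bar markup, beside a hardened version that output-encodes the name and link target. The `workflow` object, its `name` and `path` fields, and the relative-path rule are assumptions for the example.

```javascript
// Added example: contextual output encoding for a navigation entry that is
// built from a user-supplied Custom Workflow name. The workflow object and
// the relative-path rule are constructed for this illustration.

// Encode the characters that matter in HTML text and attribute contexts.
// '&' must be replaced first so already-encoded entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is inserted into markup unchanged, so
// any markup in the name becomes part of the navigation bar on every page.
function renderNavItemUnsafe(workflow) {
  return `<li><a href="${workflow.path}">${workflow.name}</a></li>`;
}

// Hardened pattern: encode the text node and the attribute value, and only
// accept a link target that is a relative application path (assumed policy).
function renderNavItemSafe(workflow) {
  const path = /^\/[A-Za-z0-9_\-\/]*$/.test(workflow.path) ? workflow.path : '#';
  return `<li><a href="${escapeHtml(path)}">${escapeHtml(workflow.name)}</a></li>`;
}

// Constructed sample: a workflow whose name carries markup. In the unsafe
// renderer the tags are interpreted; in the safe renderer they are shown as text.
const sampleWorkflow = {
  name: '<b>Approvals</b>',
  path: '/workflows/approvals',
};

function demo() {
  return {
    unsafe: renderNavItemUnsafe(sampleWorkflow),
    safe: renderNavItemSafe(sampleWorkflow),
  };
}

console.log(demo());
```

The same rule applies when the navigation bar is built client-side: assign user-controlled text with `textContent` and attribute values with `setAttribute` after validation rather than through `innerHTML`.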

TreasuryXpress is primarily a SaaS solution, but its website also lists an on-premise offering as a deployment option. If the affected TreasuryXpress version is deployed on-premise, the vulnerability could be exploited in the same way.

Posted by Sion Evans on August 20, 2020