search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Periscope BuySpeed is vulnerable to stored cross-site scripting

Vulnerability Note VU#660597

Original Release Date: 2020-04-06 | Last Revised: 2020-04-15

Overview

Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript.

Description

Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization, leading to it executing in the browser of the user. This could potentially allow for website redirection, session hijacking, or information disclosure.

Impact

A local, authenticated attacker could add arbitrary JavaScript within the application that would execute in the browser of any user that views it, which potentially allows for website redirection, session hijacking, or information disclosure.

Solution

This vulnerability has been corrected in BuySpeed version 15.3.

Vendor Information

660597
 
Affected   Unknown   Unaffected

Periscope Holdings

Notified:  June 26, 2019 Updated:  April 10, 2020

Statement Date:   November 01, 2019

Status

  Affected

Vendor Statement

Periscope Holdings, Inc. takes cybersecurity very seriously, including the report of this vulnerability by Carnegie Mellon’s CERT Coordination Center. Our team was aware of this vulnerability prior to CERT's notification on April 6, 2020 and had already developed remediation and made this available to customers in BuySpeed version 15.3.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 3.2 AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal 2.9 E:POC/RL:U/RC:C
Environmental 0.9 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2020-9056
Date Public: 2020-04-06
Date First Published: 2020-04-06
Date Last Updated: 2020-04-15 13:42 UTC
Document Revision: 49

Sponsored by CISA.