
CERT Coordination Center

Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting

Vulnerability Note VU#962085

Original Release Date: 2020-03-30 | Last Revised: 2020-03-30

Overview

The Versiant LYNX Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript.

Description

The Versiant LYNX Customer Service Portal (CSP) is a "full-service customer portal that provides real-time information to terminal operators on the status of shipments into and out of a marine container terminal". The LYNX CSP, version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user.

Impact

A local, authenticated attacker could store malicious JavaScript in the CSP that would execute JavaScript in the browser of any user that views it. This could lead to website redirects, session cookie hijacking, or information disclosure.
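To make the defect class concrete, the following is an added JavaScript example; it is not code from this CERT/CC note or from Versiant's product. It models the pattern behind a stored XSS (user-submitted text saved by the application and later written into another user's page as HTML) beside the two controls the vendor statement describes: rejecting markup characters on input where a field never needs them, and escaping stored values when they are rendered. The in-memory store, the field names and the sample submissions are constructed for the example.

```javascript
// Added example (not Versiant's code). Stored XSS: text one user submits is
// persisted and later emitted into other users' pages as HTML. The fix is
// to treat stored text as data, escaping it for the HTML context at render
// time, and optionally to reject markup characters on input for fields
// that never legitimately need them.

// The five characters that change meaning in HTML text and attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side control: fields such as a container number or a short remark
// are accepted only if they contain letters, digits and a few punctuation
// characters. Applied on submission, before anything is stored.
const PLAIN_TEXT_FIELD = /^[\p{L}\p{N} .,'\-\/#]*$/u;
function isPlainTextField(value) {
  return PLAIN_TEXT_FIELD.test(String(value));
}

// Constructed in-memory store standing in for the portal's database. The raw
// text is kept as submitted; encoding happens when the value is rendered,
// so it can be encoded correctly for whatever context emits it.
const store = [];
function storeNote(author, text) {
  const record = { id: store.length + 1, author, text };
  store.push(record);
  return record;
}

// Vulnerable rendering: untrusted fields are concatenated straight into
// markup, so a stored "<script>" reaches every viewer's browser as a tag.
// Shown only for contrast with the hardened version below.
function renderNoteUnsafe(record) {
  return `<li data-id="${record.id}"><b>${record.author}</b>: ${record.text}</li>`;
}

// Hardened rendering: every untrusted value is escaped for its HTML context.
// The stored "<script>" arrives as "&lt;script&gt;", which the browser
// displays as text and never executes.
function renderNoteSafe(record) {
  return `<li data-id="${escapeHtml(record.id)}"><b>${escapeHtml(record.author)}</b>: ${escapeHtml(record.text)}</li>`;
}

// Test helper: after removing the template's own <li>/<b> tags, does any
// tag opener remain in the markup? True means user text became markup.
function containsRawTag(html) {
  const withoutTemplateTags = html.replace(/<\/?(li|b)\b[^>]*>/g, "");
  return /<\/?[a-z]/i.test(withoutTemplateTags);
}

// Constructed sample submissions: one ordinary note and one carrying markup.
const plainNote = storeNote("ops-desk", "Container MSCU1234567 released");
const markupNote = storeNote("portal-user", "<script>alert('xss')</script>");

console.log("input check rejects markup:", !isPlainTextField(markupNote.text));
console.log("unsafe render leaks a tag:", containsRawTag(renderNoteUnsafe(markupNote)));
console.log("safe render:", renderNoteSafe(markupNote));
console.log("safe render leaks a tag:", containsRawTag(renderNoteSafe(markupNote)));
console.log("plain note still readable:", renderNoteSafe(plainNote));
```

Escaping at render time, rather than only on input, is the more robust of the two controls: it protects values that entered the database before the fix and values that arrive through paths other than the web form. Input validation remains useful for fields with a fixed shape, where it also catches malformed data early.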

Solution

Apply an update

This vulnerability has been patched in version 3.5.3 of Versiant LYNX Customer Service Portal. Customers should log into the Lynx customer portal to obtain the latest version.

Vendor Information


Versiant

Notified:  June 26, 2019 Updated:  March 27, 2020

Statement Date:   March 25, 2020

Status

  Affected

Vendor Statement

This item has since been resolved in Lynx version 3.5.3.

Special characters are prevented from being input from user forms. Form input values are being sanitized/escaped now to prevent this vulnerability if special characters are needed for input.

Vendor Information

To obtain the latest version, users should log into the Lynx customer portal at https://csp.poha.com/.

Vendor References


CVSS Metrics

Group          Score   Vector
Base           3.2     AV:L/AC:L/Au:S/C:N/I:P/A:P
Temporal       2.9     E:POC/RL:U/RC:C
Environmental  0.9     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2020-9055
Date Public: 2020-03-30
Date First Published: 2020-03-30
Date Last Updated: 2020-03-30 17:39 UTC
Document Revision: 46

Sponsored by CISA.