Vulnerability Details: CVE-2019-17551
In Apak Wholesale Floorplanning Finance 6.31.8.3 and 6.31.8.5, an attacker can send an authenticated POST request with a malicious payload to /WFS/agreementView.faces allowing a stored XSS via the mainForm:loanNotesnotes:0:rich_text_editor_note_text parameter in the Notes section. Although versions 6.31.8.3 and 6.31.8.5 are confirmed to be affected, all versions with the vulnerable WYSIWYG editor in the Notes section are likely affected.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-17551
- cpe:2.3:a:apakgroup:wholesale_floorplanning_finance:6.31.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:apakgroup:wholesale_floorplanning_finance:6.31.8.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-17551
0.08%: probability of exploitation activity in the next 30 days
~35%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-17551
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2019-17551
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17551
- https://www.apakgroup.com/products/wholesale-floorplanning-finance/ (Wholesale Floorplanning Finance - Apak Group; Product)
- https://www.cybersecurity-help.cz/vdb/SB2019103106?affChecked=1 (Cross-site scripting in Apak Wholesale Floorplanning Finance; Third Party Advisory)
- https://www2.deloitte.com/de/de/pages/risk/articles/wholesale-finance-xss.html (APAK Wholesale Finance XSS | Deloitte Deutschland)