A zero-day cross-site scripting vulnerability has been discovered in BuySpeed, an automated procure-to-pay tool from Periscope Holdings, a provider of procurement software solutions for public-sector entities and their suppliers. The flaw, found in BuySpeed version 14.5, “could allow a local, authenticated attacker to store arbitrary JavaScript within the application,” warns a vulnerability advisory from the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute. “This JavaScript is subsequently displayed by the application without sanitization, leading to it executing in the browser of the user. This could potentially allow for website redirection, session hijacking, or information disclosure.”
Source: SC Magazine