Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Treasuryxpress Subscribe
Filtered by product Treasuryxpress
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-20150 1 Treasuryxpress 1 Treasuryxpress 2021-07-21 4.0 MEDIUM 6.5 MEDIUM
In TreasuryXpress 19191105, a logged-in user can discover saved credentials, even though the UI hides them. Using functionality within the application and a malicious host, it is possible to force the application to expose saved SSH/SFTP credentials. This can be done by using the application's editor to change the expected SFTP Host IP to a malicious host, and then using the Check Connectivity option. The application then sends these saved credentials to the malicious host.
CVE-2019-20152 1 Treasuryxpress 1 Treasuryxpress 2020-08-24 4.3 MEDIUM 6.1 MEDIUM
An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed throughout the application. A malicious payload can be injected within the Custom Workflow component and inserted via the Create New Workflow field. As a result, the payload is executed via the navigation bar throughout the application.
CVE-2019-20151 1 Treasuryxpress 1 Treasuryxpress 2020-08-24 4.3 MEDIUM 6.1 MEDIUM
An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrator(s). A malicious payload can be injected within the Multi Approval security component and inserted via the Note field. As a result, the payload is executed by the application's administrator(s).