Platform
other
Component
lynx-customer-service-portal
Fixed in
3.5.3
CVE-2020-9055 describes a stored Cross-Site Scripting (XSS) vulnerability in the Versiant LYNX Customer Service Portal. It allows a local, authenticated attacker to inject malicious JavaScript that the portal stores and later renders in the browsers of other users who view the affected content. Version 3.5.2 is affected; version 3.5.3 contains the fix.
Successful exploitation of CVE-2020-9055 lets an attacker run arbitrary JavaScript in the browser session of any other user who views the injected content, with that user's privileges and against the portal's own origin. That can be used to redirect victims to phishing pages, to read session cookies and take over accounts (where the session cookie is not marked HttpOnly), and to exfiltrate any data the victim can see in the portal. Because the payload is stored rather than reflected, it persists until it is removed and can affect every user who views the affected page over time. While the CVSS score is rated LOW, the potential for account compromise and data theft warrants prompt attention.
CVE-2020-9055 was publicly disclosed on March 30, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at this time. No public proof-of-concept (PoC) code has been widely released, but stored XSS is typically straightforward to reproduce once the injection point is known, so the absence of a PoC should not be read as absence of risk. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.31% (54th percentile)
CVSS Vector
The primary mitigation for CVE-2020-9055 is to upgrade the LYNX Customer Service Portal to version 3.5.3 or later. If upgrading immediately is not possible, apply context-aware output encoding to all user-supplied data wherever it is rendered (this is the control that actually neutralises a stored payload), and add strict input validation on the way in as a second layer. A Web Application Firewall (WAF) configured to block common XSS payloads adds defence in depth but is not a complete solution, since encoding-based bypasses are common. Marking session cookies HttpOnly limits cookie theft, and a Content Security Policy that disallows inline script limits what an injected payload can do. Regularly review stored data in the portal for markup or script-like content and remove anything suspicious, since a payload injected before the upgrade remains stored afterwards.
Update to version 3.5.3 or later, which addresses the XSS vulnerability. Contact the vendor (Versiant) for the corrected version or a security patch.
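The following added example (not Versiant's code; the portal's real template engine and data model are unknown) shows the stored-XSS pattern alongside its fix and a simple scan of stored records for the "review stored data" step above. The `renderCommentVulnerable`/`renderCommentSafe` helpers and the sample comments are constructed for illustration.

```javascript
// Added example, not code from the Versiant LYNX portal. The record shape
// ({ id, author, body }) and the sample data below are constructed.

// Encoder for the HTML text and double-quoted attribute contexts. Encoding
// at output time is the primary defence: it neutralises whatever was stored,
// so it still works for payloads that slipped past input validation.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  })[ch]);
}

// Vulnerable pattern: a stored comment is interpolated straight into markup.
// Every user who later views the ticket runs whatever the author stored.
function renderCommentVulnerable(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Hardened pattern: each untrusted field is encoded for the context it lands in.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.body)}</div>`;
}

// Retrospective check for data stored before the upgrade: flag records whose
// fields look like markup or script rather than plain text. This is a triage
// heuristic, not proof that unflagged records are clean.
const SUSPICIOUS = [
  /<\s*script\b/i,
  /<\s*(iframe|object|embed|svg|img)\b/i,
  /\bon[a-z]+\s*=/i,   // inline event handlers such as onerror=
  /javascript\s*:/i,   // javascript: URLs in href/src
];

function findSuspiciousRecords(records) {
  return records.filter((r) =>
    Object.values(r).some((v) => SUSPICIOUS.some((re) => re.test(String(v)))));
}

// Constructed sample data: one benign comment, one body-context payload and
// one attribute-breakout payload in the author field.
const SAMPLE_COMMENTS = [
  { id: 1, author: 'alice', body: 'Container still shows as held at terminal.' },
  { id: 2, author: 'mallory', body: '<img src=x onerror="alert(document.domain)">' },
  { id: 3, author: '"><script>alert(1)</script>', body: 'hello' },
];

for (const c of SAMPLE_COMMENTS) {
  console.log('vulnerable:', renderCommentVulnerable(c));
  console.log('safe:      ', renderCommentSafe(c));
}
console.log('flagged ids:', findSuspiciousRecords(SAMPLE_COMMENTS).map((r) => r.id));
```

Record 3 shows why encoding must be context-aware: the author value never contains `<script>` in the text context, but in the vulnerable renderer the leading `">` closes the `data-author` attribute and the tag, so the script lands in the page anyway. The safe renderer encodes the quote as `&quot;`, and the attribute stays intact.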
CVE-2020-9055 is a stored XSS vulnerability in Versiant LYNX Customer Service Portal version 3.5.2 that allows an authenticated attacker to inject malicious JavaScript which is later rendered for other users.
If you are running Versiant LYNX Customer Service Portal version 3.5.2, you are potentially affected by this vulnerability.
Upgrade to version 3.5.3 or later to resolve the vulnerability. Implement input validation and output encoding as a temporary measure.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-9055.
Refer to the Versiant security advisory for detailed information and updates regarding CVE-2020-9055.