Telos Automated Message Handling System reflected XSS in itemlookup.asp
Description
Telos AMHS versions before 4.1.5.5 allow remote attackers to inject arbitrary JavaScript into an AMHS session via a crafted URI in itemlookup.asp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
This cross-site scripting (XSS) vulnerability resides in the itemlookup.asp page of Telos Automated Message Handling System (AMHS). Improper neutralization of user input allows arbitrary script injection. Affected are versions prior to 4.1.5.5 [1].
Exploitation
A remote attacker can exploit the flaw by crafting a URI that includes malicious JavaScript in parameters passed to itemlookup.asp. No authentication is required; the attacker only needs to trick a user into clicking the crafted link. The script then executes in the context of the victim's AMHS session [1].
Impact
Successful exploitation enables the attacker to inject arbitrary script into an active AMHS session, leading to potential information disclosure (e.g., viewing other users' details) or further client-side attacks within the session [1].
Mitigation
Telos addressed these issues in AMHS version 4.1.5.5. Organizations should contact Telos to obtain the update and apply it. No workarounds are mentioned in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <4.1.5.5
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] www.kb.cert.org/vuls/id/873161/ (mitre, third-party-advisory, x_refsource_CERT-VN)
News mentions
No linked articles in our index yet.