CVE-2020-28414
Description
A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via a crafted URL (different vector than CVE-2020-28415).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS in TranzWare Payment Gateway 3.1.12.3.2 lets unauthenticated attackers inject arbitrary HTML/JavaScript via a crafted URL.
Vulnerability
The TranzWare Payment Gateway version 3.1.12.3.2 is vulnerable to a reflected cross-site scripting (XSS) vulnerability. A remote, unauthenticated attacker can inject arbitrary HTML code into the application's response by crafting a malicious URL that triggers the flaw in the gateway's input handling [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted URL to a legitimate user of the TranzWare Payment Gateway, who must then click on the link. No authentication or special privileges are required; the attack is fully remote. The attacker does not need to be on the same network as the target [1].
Impact
Successful exploitation runs attacker-supplied HTML and JavaScript in the victim's browser within the origin of the payment gateway, so the injected script can read page content and issue requests with the victim's session, leading to data theft, session hijacking, or defacement. The impact is client-side code execution in the browser; the gateway server itself is not compromised [1].
Mitigation
As of the published date (2020-11-12), no patched version had been released. The vendor, Compass Plus, has acknowledged the vulnerability according to the discoverer's report [1]. The real fix belongs to the vendor: contextual output encoding of the reflected parameter, with input validation as defence in depth. Until a patch is available, operators of the gateway can deploy web application firewall (WAF) rules in front of it to detect and block reflected-XSS payloads, add a Content-Security-Policy header at the reverse proxy where the application tolerates it, and monitor vendor advisories for a fix.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TranzWare / Payment Gateway
  Range: 3.1.12.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://compassplus.com/solutions/tranzware/ (MISC)
- https://github.com/jet-pentest/CVE-2020-28414/blob/main/README.md (MISC)
News mentions
No linked articles in our index yet.