CVE-2020-28415

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in TranzWare Payment Gateway version 3.1.12.3.2 [1]. The flaw allows an unauthenticated remote attacker to inject arbitrary HTML or script code into the application's response via a specially crafted URL. This is a different attack vector from CVE-2020-28414.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload and convincing a user to click it (e.g., via phishing or social engineering). No authentication or special privileges are required [1]. The injected code executes in the context of the victim's browser session against the affected payment gateway.

Impact

Successful exploitation enables the attacker to execute arbitrary HTML and JavaScript in the victim's browser within the security context of the TranzWare Payment Gateway. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the gateway pages [1].

Mitigation

As of the publication date (2020-11-12), the vendor (Compass Plus) has confirmed the vulnerability, but no patched version has been released in the available references [1]. Users should apply input validation and output encoding as a workaround, and monitor vendor updates for a fix.