VYPR
Severity: Unrated · NVD Advisory · Published Dec 29, 2023 · Updated Sep 3, 2024

CVE-2023-31298

Description

Stored XSS vulnerability in Sesami CPTO 6.3.8.6 (#718) allows remote attackers to execute arbitrary code via crafted User ID when creating a new user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718). The vulnerability, classified as CWE-79, allows an admin user to inject JavaScript code into the User ID field when creating a new system user. The injected script executes when the new user logs in for the first time and is prompted to change their password. The payload also triggers upon subsequent logins and when another admin user views the application log. [1]

Exploitation

An attacker with administrative privileges can create a new system user with a malicious JavaScript payload in the User ID field. The payload executes automatically when the new user logs in, without requiring additional user interaction beyond normal login steps. The script also runs when other admin users view the application log, broadening the attack surface. [1]

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the application, potentially leading to information disclosure, session hijacking, or unauthorized actions. The attacker can execute arbitrary code and obtain sensitive information. The risk is rated as medium. [1]

Mitigation

Users should update CPTO to the current version. The vendor has acknowledged the vulnerability and provided a fix. Input sanitization is recommended to prevent similar issues. No specific patched version number is listed in the advisory, but the vendor status is marked as "Fixed". [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Sesami / Cash Point & Transport Optimizer (source: description)
  • Sesamie / Sesamie (source: llm-fuzzy)
    Range: =6.3.8.6 (#718)

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Stored Cross-Site Scripting (XSS) due to improper neutralization of user-supplied input in the User ID field when creating a new system user."

Attack vector

An admin user creates a new system user and injects malicious JavaScript into the User ID field [1]. The payload is stored and triggers when the new user logs in for the first time and is prompted to change their password [1]. The payload also executes while the new user is logged in, and when a different admin user views the application log [1]. This allows the attacker to execute arbitrary code and obtain sensitive information in the context of the victim's session [CWE-79].

Affected code

The advisory does not specify the exact file or function path. The vulnerability exists in the User ID input field of the new system user creation form in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) [1].

What the fix does

The advisory states the vendor acknowledged the vulnerability and has fixed it in the current version of CPTO [1]. No patch diff is provided in the bundle. The recommended remediation is to update CPTO to its current version and to always sanitize user-supplied input [1].
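The Mitigation section and the paragraph above both reduce the fix to "sanitize user-supplied input" without showing where that has to happen for a stored XSS of this shape. The following added example, which is not Sesami's code and is not taken from the advisory, shows the two layers a defender would want: an allow-list check on the User ID at creation time, and context-aware HTML escaping when the stored ID is later rendered into a page such as the application log. The function names, the log-row layout and the sample identifiers are constructed for the demonstration; the vulnerable renderer is shown only to make the difference visible.

```python
"""
Added example (not Sesami CPTO code): allow-list validation of a User ID
when a system user is created, plus HTML escaping when that ID is rendered
into the application log. Field names, layout and sample values are
constructed for this demonstration.
"""
import html
import re

# Allow-list for a login-style identifier: letters, digits, '.', '_', '-',
# 1 to 64 characters. Anything else is rejected before it is ever stored,
# so markup never reaches the database in the first place.
USER_ID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_user_id(user_id: str) -> str:
    """Return the User ID unchanged if it passes the allow-list, else raise."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError(
            "User ID may contain only letters, digits, '.', '_' and '-'"
        )
    return user_id


def render_log_entry_unsafe(user_id: str, action: str) -> str:
    """The vulnerable pattern: stored input concatenated straight into HTML.

    Whatever was stored in user_id is emitted verbatim, so any markup it
    carries becomes part of the page shown to the admin viewing the log.
    """
    return f"<tr><td>{user_id}</td><td>{action}</td></tr>"


def render_log_entry(user_id: str, action: str) -> str:
    """Hardened: every untrusted value is escaped for the HTML element context.

    html.escape with quote=True turns < > & " ' into entities, which is the
    correct encoding for text placed between tags (it is NOT sufficient on
    its own for attribute, URL or JavaScript contexts).
    """
    return (
        f"<tr><td>{html.escape(user_id, quote=True)}</td>"
        f"<td>{html.escape(action, quote=True)}</td></tr>"
    )


def create_user(store: list, user_id: str) -> bool:
    """Simulated 'create new system user' handler: validate, then store.

    Returns True if the user was stored, False if the ID was rejected.
    """
    try:
        store.append({"user_id": validate_user_id(user_id)})
        return True
    except ValueError:
        return False


def render_log(store: list) -> str:
    """Render the application log using the escaping renderer only."""
    rows = "".join(render_log_entry(u["user_id"], "login") for u in store)
    return f"<table>{rows}</table>"


# Constructed sample: one ordinary ID and one carrying HTML markup.
SAMPLE_IDS = ["j.doe", "<script>alert(1)</script>"]

if __name__ == "__main__":
    users: list = []
    for uid in SAMPLE_IDS:
        outcome = "stored" if create_user(users, uid) else "rejected"
        print(f"{uid!r}: {outcome}")
    print(render_log(users))
    # Defence in depth: even if validation were bypassed (or old records
    # predate it), the output layer still neutralises the markup.
    print(render_log_entry(SAMPLE_IDS[1], "login"))
```

Both layers matter for a stored XSS: input validation stops new malicious records, but only output encoding protects against records that were stored before the fix, which is exactly the log-view trigger the advisory describes. Escaping must also be chosen per output context; the element-body escaping shown here is not enough on its own if the same value is later written into an attribute, a URL or inline script.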

Preconditions

  • Auth: Attacker must be an authenticated admin user with privileges to create new system users.
  • Input: Attacker must inject malicious JavaScript into the User ID field when creating a new system user.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.