CVE-2023-31299
Description
Reflected XSS in Sesami CPTO 6.3.8.6 via the Barcode field allows remote attackers to execute arbitrary JavaScript when the Send button is pressed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) released on July 6, 2021. The flaw occurs in the Barcode field of a container; user-supplied input is not properly neutralized before being included in the page that is generated after pressing the Send button [1]. This is categorized as CWE-79.
Exploitation
An attacker needs to craft a malicious payload (e.g., JavaScript code) and insert it into the Barcode field. No special network position or authentication is required beyond being able to access the web interface. When the victim or an operator presses the Send button, the XSS payload is reflected and executed in the context of the victim's browser [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the victim's browser. This can lead to session hijacking, data theft, or further compromise within the CPTO application's security context [1].
Mitigation
The vendor has acknowledged the vulnerability and recommends updating CPTO to the current version; a specific fixed version number beyond 6.3.8.6 is not explicitly provided in the available references. Users should apply the latest update from Sesami and sanitize all user-supplied input [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Sesami / Cash Point & Transport Optimizer
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-supplied input in the Barcode field allows reflected cross-site scripting (XSS)."
Attack vector
A remote attacker inserts a malicious XSS payload into the Barcode field of a container. When the Send button is pressed, the payload is executed in the victim's browser because the application does not neutralize the input before reflecting it in the generated web page [1]. This is a reflected cross-site scripting attack (CWE-79) that requires no special privileges beyond the ability to submit a container record.
Affected code
The advisory identifies the Barcode field of a container in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) as the vulnerable input point [1]. No specific function or file names are disclosed in the advisory.
What the fix does
The vendor acknowledged the vulnerability and fixed it in a later version of CPTO [1]. The advisory recommends that users update CPTO to its current version and that user-supplied input should always be sanitized before being rendered in web pages [1]. No patch diff is available in the bundle.
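The pattern the advisory describes (a Barcode value reflected into the generated page without neutralization) beside the output-encoding fix it recommends, as an added illustration that is not Sesami's code; the barcode values, the allowed barcode character set and the page template are constructed assumptions.

```python
import html

# Constructed sample inputs (not taken from the advisory).
SAFE_BARCODE = "CNT-000123"
HOSTILE_BARCODE = "<script>alert(1)</script>"  # canonical reflected-XSS probe string


def render_vulnerable(barcode: str) -> str:
    """Reflects the submitted Barcode value into the page verbatim.

    This is the CWE-79 pattern: whatever was typed into the field is
    emitted into HTML after Send is pressed, so markup in it is parsed
    as markup by the victim's browser.
    """
    return f"<p>Container barcode: {barcode}</p>"


def render_hardened(barcode: str) -> str:
    """Encodes the value for the HTML element-body context before reflecting it.

    html.escape turns < > & " ' into entities, so the browser displays the
    text instead of interpreting it. Encoding at output time is the fix
    that holds regardless of where the value came from.
    """
    return f"<p>Container barcode: {html.escape(barcode, quote=True)}</p>"


def validate_barcode(barcode: str) -> bool:
    """Defense in depth: allow-list the characters a barcode may contain.

    The charset (alphanumerics plus - _ .) and length bound are assumptions;
    real barcode symbologies differ. Validation complements, never replaces,
    output encoding.
    """
    return 1 <= len(barcode) <= 64 and all(c.isalnum() or c in "-_." for c in barcode)


def contains_raw_markup(page: str) -> bool:
    """Cheap regression check for a rendered page: any unencoded tag opener left?"""
    lowered = page.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered
```

Run `contains_raw_markup` over the output of whichever render path a test exercises; it flags the vulnerable path and stays quiet on the encoded one.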
Preconditions
- Attacker must be able to input data into the Barcode field of a container (e.g., through the application's UI or API)
- A victim user must press the Send button after the payload has been inserted into the Barcode field
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.