CVE-2023-31301
Description
Sesami CPTO 6.3.8.6 has stored XSS in the Username field of the login form, triggering in the application log to allow attacker code execution and info disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sesami CPTO 6.3.8.6 has stored XSS in the Username field of the login form, triggering in the application log to allow attacker code execution and info disclosure.
Vulnerability
Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) contains a stored cross-site scripting (XSS) vulnerability in the Username field of the login form. An unauthenticated attacker can inject arbitrary JavaScript into this field; the payload is stored and later rendered in the application log, which an authenticated administrator views [1].
Exploitation
An attacker can send a crafted login request with a JavaScript payload in the Username field. No prior authentication is needed to submit the payload. When an admin user accesses the application log (which displays failed authentication attempts, invalid user IDs, and blacklisted usernames), the injected script executes in the admin's browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin's session. This can lead to theft of session cookies, exfiltration of sensitive data, or performance of administrative actions on behalf of the victim. The vulnerability also enables information disclosure, as the attacker can interact with the application's internal data [1].
Mitigation
Sesami has fixed the vulnerability in a later version of CPTO. Users should update to the current release. Input sanitization of user-supplied data, especially in the Username field, is recommended as a general security measure [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Sesami/Cash Point & Transport Optimizerdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-supplied input in the Username field allows stored JavaScript payloads to execute when an admin views the application log."
Attack vector
An unauthenticated attacker inserts a JavaScript payload into the Username field of the login form [ref_id=1]. The payload is stored server-side and later rendered unsanitized when an admin user views the application log, which displays authentication attempts, invalid and blacklisted user IDs [ref_id=1]. When the admin's browser executes the injected script, the attacker can execute arbitrary code and obtain sensitive information in the context of the admin session [CWE-79]. No authentication is required to submit the malicious payload, making the attack vector accessible to any remote attacker.
Affected code
The vulnerability resides in the login form's Username field and the application log of Sesami CPTO version 6.3.8.6 (#718). The advisory does not specify exact file paths or function names, but the Username input field on the login page and the log-viewing page where authentication attempts are displayed are the affected code paths [ref_id=1].
What the fix does
The vendor fixed the vulnerability in a subsequent version of CPTO, though no patch diff is publicly available [ref_id=1]. The advisory recommends that user-supplied input should always be sanitized before being stored or rendered, which would prevent JavaScript payloads in the Username field from executing in the admin's browser when viewing the application log [ref_id=1]. Users should update CPTO to its current version to receive the fix.
Preconditions
- authAn admin user must view the application log where the attacker's malicious username entry is displayed.
- networkThe attacker must be able to reach the login form over the network.
- inputNo authentication is required for the attacker to submit the payload.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.