CVE-2023-31302
Description
A reflected XSS vulnerability in Sesami CPTO 6.3.8.6 allows remote attackers to execute arbitrary code via the Teller field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718, released 2021-07-06). The flaw is in the Teller input field: the submitted value is reflected into the page without being neutralized (CWE-79) [1]. When the user submits the field with the Select button, the attacker-supplied markup is rendered as part of the response and any script it carries executes in the user's browser [1].
Exploitation
An attacker exploits this vulnerability by placing a script payload in the Teller field. The attacker does not need an account: the prerequisite is that the victim is logged into CPTO when the crafted value is processed. Because the flaw is reflected, the attacker must get the victim to submit a request that carries the payload in the Teller value, for example through a crafted link if the field is populated from a URL parameter, or through a form auto-submitted from an attacker-controlled page; the payload executes when the victim pushes the Select button [1]. Nothing is persisted on the server, so each victim has to be delivered the crafted request separately.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's CPTO session. This can lead to theft of session cookies, session hijacking, actions performed in the application with the victim's privileges, defacement, or redirection to attacker-controlled sites. The CVSS base score is not disclosed in the reference, but the advisory classifies the risk as Medium [1].
Mitigation
The vendor has acknowledged the vulnerability and released a fix; the advisory lists the vendor status as Fixed, so CPTO should be updated to the current version [1]. Until that is done, the Teller value must be neutralized before it is reflected. In practice that means contextual output encoding at the point of rendering (HTML entity encoding for the body and attribute contexts the value lands in) rather than a blocklist filter on input, which is routinely bypassed. Marking session cookies HttpOnly and deploying a Content-Security-Policy that disallows inline script limit what a remaining reflection can achieve. No CVE link was available at the time the advisory was published [1].
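To make the exploitation and mitigation passages above concrete, here is an added example that models the pattern the advisory describes. It is not Sesami's code and not the reference's exploit: the handler, template and parameter names (`renderTellerSelectVulnerable`, `renderTellerSelectFixed`, `teller`) and the sample payloads are all constructed for illustration. It shows a response builder that concatenates the Teller value into HTML next to the same builder with contextual encoding, and a check a tester can run to see whether a response echoes a payload with its metacharacters intact.

```javascript
// Added example (hypothetical code, not CPTO's): a reflected XSS sink in the
// shape CVE-2023-31302 describes, beside its hardened form.
// Function, parameter and route names here are assumptions for illustration.

// Constructed payloads of the kind an attacker would place in the Teller field.
// Each one works in at least one of the two contexts the page below reflects into.
const SAMPLE_PAYLOADS = [
  "<script>alert(document.cookie)</script>",   // HTML body context
  '"><img src=x onerror=alert(1)>',            // breaks out of a "..." attribute
  "</p><svg onload=alert(1)>",                 // closes the paragraph, body context
];

// Contextual encoder for HTML body text and double- or single-quoted attributes.
// Ampersand is encoded first so already-encoded output is not double-encoded later.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the Teller value submitted with Select is concatenated
// straight into the response. This is "improper neutralization" (CWE-79);
// the browser cannot tell the attacker's markup from the application's own.
function renderTellerSelectVulnerable(teller) {
  return (
    '<form method="get" action="/select">' +
    '<input name="teller" value="' + teller + '">' +
    "<p>Selected teller: " + teller + "</p>" +
    "<button>Select</button></form>"
  );
}

// Hardened form: identical page, but the value is encoded for each context it
// lands in. The fix lives at the output point, not in an input filter.
function renderTellerSelectFixed(teller) {
  const safe = escapeHtml(teller);
  return (
    '<form method="get" action="/select">' +
    '<input name="teller" value="' + safe + '">' +
    "<p>Selected teller: " + safe + "</p>" +
    "<button>Select</button></form>"
  );
}

// Tester's first check for a reflected parameter: does the response contain the
// payload verbatim, metacharacters and all? If so, the value was not neutralized
// for the context it was reflected into.
function reflectsUnencoded(html, payload) {
  return html.includes(payload);
}

// Runs every sample payload through both renderers and reports the outcome.
// A correct fix makes every "vulnerable" true and every "fixed" false, while
// a legitimate value still survives with its meaning intact (see below).
function runSelfCheck() {
  return SAMPLE_PAYLOADS.map((payload) => ({
    payload,
    vulnerable: reflectsUnencoded(renderTellerSelectVulnerable(payload), payload),
    fixed: reflectsUnencoded(renderTellerSelectFixed(payload), payload),
  }));
}

// Stand-alone run: node reflected_xss_teller.js
if (typeof require !== "undefined" && require.main === module) {
  for (const result of runSelfCheck()) console.log(result);
  // A benign teller name containing an apostrophe is encoded, not rejected;
  // the browser renders it back as O'Brien.
  console.log(renderTellerSelectFixed("O'Brien"));
}
```

The point of the side-by-side is that the fix does not inspect the input at all: every Teller value, malicious or not, is encoded for the HTML context it is written into, which is why the benign name with an apostrophe still round-trips while each payload loses its ability to close a tag or attribute.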
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sesami / Cash Point & Transport Optimizer (CPTO)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-supplied input in the Teller field allows injection of arbitrary JavaScript."
Attack vector
An attacker places a JavaScript payload in the Teller field of the CPTO application and gets a logged-in user to submit it. When the victim pushes the Select button, the unneutralized payload is reflected into the response and executes in the victim's browser [1]. The attack is reflected (the payload travels in the request and is embedded in that response; nothing is stored), and the attacker needs no special network position: it is enough that the victim's browser can reach the web interface (CWE-79).
Affected code
The advisory identifies the Teller field as the vulnerable input point in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718) [1]. No specific function names or file paths are disclosed.
What the fix does
The advisory confirms that the vendor acknowledged the vulnerability and released a fix in the current version of CPTO [1]. No patch diff is provided in the bundle, so the exact change is not known. The recommended remediation is to update CPTO to its current version and, as a general rule, to neutralize user-supplied input before rendering it in a web page [1]; for XSS that means encoding the value for the HTML context it is written into.
Preconditions
- network: the victim's browser must be able to reach the CPTO web interface.
- input: the attacker must supply a crafted XSS payload in the Teller field.
- auth: a victim user must be logged into the application and click the Select button.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.