CVE-2021-28109
------------------------------------------
TranzWare (POI) FIMI before 4.2.20.4.2 had an XSS vulnerability that was fixed with a notification sent to all customers using TranzWare (POI) FIMI.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered vulnerabilities in third-party software, TranzWare (POI) FIMI v.4.2.17.5.
We contacted the software development company to disclose the vulnerabilities. The company confirmed that the vulnerabilities had been fixed and that the patched software had been released.
We found a vulnerability that can lead to a reflected cross-site scripting (XSS) attack.
The web application TranzWare (POI) FIMI v.4.2.17.5 uses part of the request URL to build the web page login_tw.php without proper sanitization.
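The pattern described above, as an added illustration that is not the vendor's code (the real login_tw.php is not shown here); it assumes the page reflects a portion of the request URL into its HTML, and shows the unsafe rendering beside the encoded form:

```php
<?php
// Added illustration of the bug class, NOT TranzWare's login_tw.php.
// Assumption: the login page builds its markup from part of the request URL.

// Vulnerable: the raw request path is written into the form's action attribute,
// so any characters a client puts into the URL become part of the page markup.
function render_login_form_vulnerable(string $request_uri): string
{
    return '<form method="post" action="' . $request_uri . '">'
         . '<input name="user"><input name="pass" type="password">'
         . '<input type="submit"></form>';
}

// Hardened: HTML-encode every request-derived value before it reaches the markup
// (ENT_QUOTES covers the attribute context), and serve the page as UTF-8.
function render_login_form_fixed(string $request_uri): string
{
    $action = htmlspecialchars($request_uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input name="user"><input name="pass" type="password">'
         . '<input type="submit"></form>';
}

header('Content-Type: text/html; charset=UTF-8');

// Constructed request path containing markup characters: the vulnerable renderer
// emits them verbatim, the fixed one emits &quot; &lt; and &gt; entities instead.
$sample = '/login_tw.php/"><b>x</b>';
echo render_login_form_vulnerable($sample), PHP_EOL;
echo render_login_form_fixed($sample), PHP_EOL;
```

A fixed, server-known action path is preferable to echoing the request URL at all; the encoding shown is the minimum that stops the reflection.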
------------------------------------------
[VulnerabilityType Other]
Fixed with a notification sent to all customers using TranzWare (POI) FIMI.
------------------------------------------
[Vendor of Product]
Compass Plus Ltd.
------------------------------------------
[Affected Product Code Base]
TranzWare (POI) FIMI before 4.2.20.4.2
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Affected Component]
login_tw.php
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Discoverer]
Artem Brylev (https://twitter.com/ArtyomBrylev)
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
Compass Plus Ltd. (https://compassplus.com/)
Artem Brylev / Deiteriy Co. Ltd. (https://deiteriylab.com/)