Skip to content

Instantly share code, notes, and snippets.

@kukuxumushi
Last active Mar 17, 2021
Embed
What would you like to do?
Stored XSS in TranzWare e-Commerce Payment Gateway - CVE-2021-28126
CVE-2021-28126
[Description]
TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting vulnerability that was fixed with a notification sent to customers using TWEC PG.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered several vulnerabilities in third-party software - TranzWare e-Commerce Payment Gateway (TWEC PG). We contacted the Software Development Company to disclose the vulnerabilities.
The Software Development Company confirmed that the vulnerabilities had been fixed and the patched software had been released. We were told the version of the software in which the vulnerabilities had been fixed.
------------------------------------------
[VulnerabilityType Other]
Fixed with a notification sent to customers using TWEC PG.
------------------------------------------
[Vendor of Product]
Compass Plus Ltd.
------------------------------------------
[Affected Product Code Base]
TranzWare e-Commerce Payment Gateway (TWEC PG) - before 3.1.27.5.
------------------------------------------
[Attack Type]
Remote.
------------------------------------------
[Affected Component]
/index.jsp
------------------------------------------
[Discoverers]
Dmitriy Tatarov (https://www.linkedin.com/in/kukuxumushi/)
Evgeny Borovkov (https://www.linkedin.com/in/evgeny-borovkov-841734110/)
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
https://compassplus.ru/solutions/plug-play/merchant-acquiring/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment