Skip to content

Instantly share code, notes, and snippets.

@kukuxumushi
Last active March 17, 2021 13:51
Show Gist options
  • Save kukuxumushi/7436994ef395573023b79652e104a2a0 to your computer and use it in GitHub Desktop.
Save kukuxumushi/7436994ef395573023b79652e104a2a0 to your computer and use it in GitHub Desktop.
Stored XSS in TranzWare e-Commerce Payment Gateway - CVE-2021-28126
CVE-2021-28126
[Description]
TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27.5 had a Stored cross-site scripting vulnerability that was fixed with a notification sent to customers using TWEC PG.
------------------------------------------
[Additional Information]
During penetration testing of our clients' infrastructure, we discovered several vulnerabilities in third-party software - TranzWare e-Commerce Payment Gateway (TWEC PG). We contacted the Software Development Company to disclose the vulnerabilities.
The Software Development Company confirmed that the vulnerabilities had been fixed and the patched software had been released. We were told the version of the software in which the vulnerabilities had been fixed.
------------------------------------------
[VulnerabilityType Other]
Fixed with a notification sent to customers using TWEC PG.
------------------------------------------
[Vendor of Product]
Compass Plus Ltd.
------------------------------------------
[Affected Product Code Base]
TranzWare e-Commerce Payment Gateway (TWEC PG) - before 3.1.27.5.
------------------------------------------
[Attack Type]
Remote.
------------------------------------------
[Affected Component]
/index.jsp
------------------------------------------
[Discoverers]
Dmitriy Tatarov (https://www.linkedin.com/in/kukuxumushi/)
Evgeny Borovkov (https://www.linkedin.com/in/evgeny-borovkov-841734110/)
Deiteriy Co. Ltd. (https://deiteriylab.com/)
------------------------------------------
[Reference]
https://compassplus.ru/solutions/plug-play/merchant-acquiring/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment