Vendor: TranzAxis
By: ABABANK REDTEAM
CVSS: 6.1 (HIGH)
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: TranzAxis
Affected Version From: 3.2.41.10.26
Affected Version To: 3.2.41.10.26
Patch Exists: NO
CPE: a:compassplustechnologies:tranzaxis:3.2.41.10.26
Platforms Tested: Windows Server 2016
2025

TranzAxis 3.2.41.10.26 – Stored Cross-Site Scripting (XSS) (Authenticated)

The TranzAxis 3.2.41.10.26 web application is vulnerable to stored cross-site scripting (XSS). An authenticated user can inject a malicious script by supplying a crafted payload in the 'Enter Explorer Item Title' field, leading to the execution of arbitrary script code in the context of the user's session.

Mitigation:

To mitigate this vulnerability, validate user-supplied data on input and encode it for the output context before it is displayed in the web application. Implementing a Content Security Policy adds a further layer of protection against XSS attacks.
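The mitigations above applied to the `Enter Explorer Item Title` value, as an added example that is not TranzAxis code and not part of the original report. The function names, the title allow-list and the CSP string are assumptions chosen for illustration.

```javascript
// Added example: hypothetical handling of an explorer-tree item title.

// Characters that can break out of HTML text or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Output encoding: applied at render time for the HTML body/attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: allow-list for a title (assumed policy: letters, digits,
// spaces and a few punctuation marks, 1 to 64 characters).
const TITLE_PATTERN = /^[\p{L}\p{N} _.,()-]{1,64}$/u;

function validateTitle(title) {
  return typeof title === "string" && TITLE_PATTERN.test(title.trim());
}

// Rendering always encodes, so titles stored before validation existed
// are displayed as text instead of being parsed as markup.
function renderTreeItem(title) {
  const safe = escapeHtml(title);
  return `<li class="explorer-item" title="${safe}">${safe}</li>`;
}

// Response header as a second layer: with no 'unsafe-inline' in script-src,
// inline scripts and inline event handlers such as onerror do not run.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample input: the string from the report and an ordinary title.
const samples = [
  "<img src=x onerror=alert(document.domain)>",
  "ATM filter (north region)",
];
for (const s of samples) {
  console.log(validateTitle(s) ? "accept" : "reject", "->", renderTreeItem(s));
}
```

Validation rejects the reported string at save time, while encoding at render time is what neutralises values already in storage.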

Exploit-DB raw data:

Exploit Title: TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated)
Date: 10th, March, 2025
Exploit Author: ABABANK REDTEAM
Vendor Homepage: https://compassplustechnologies.com/
Version: 3.2.41.10.26
Tested on: Windows Server 2016

1. Login to web application
2. Click on `Entire System`, go to `Monitoring`, then click on `Terminals Monitoring`
3. Select any name below `Terminals Monitoring` then click on `Open Object in Tree`
4. Select on Filter then supply with any filter name then click `Apply Filter`
5. On the right side select on `Save Settings in Explorer Tree`, on the `Enter Explorer Item Title` supply the payload `<img src=x onerror=alert(document.domain)>` then click OK.

Payload: <img src=x onerror=alert(document.domain)>