Periscope BuySpeed is a"tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting,which could allow a local,authenticated attacker to store arbitrary JavaScript within the application. This JavaScript is subsequently displayed by the application without sanitization,leading to it executing in the browser of the user. This could potentially allow for website redirection,session hijacking,or information disclosure.
↧