Clear2Pay Bank Visibility Application Payment Execution Reflected Cross-Site Scripting Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in Clear2Pay Bank Visibility Application - Payment Execution version 1.10.0.104. The issue arises in the ID parameter of the URL, where input is not properly validated or sanitized before being displayed in the response. This flaw allows attackers to inject malicious scripts that are executed in the context of the user's browser.

Impact

Exploitation of this vulnerability enables the injection of malicious scripts into the user's browser, potentially leading to session theft, unauthorized content modification, or the creation of phishing scenarios.

Reproduction

To reproduce this vulnerability, send a request to the '/BankVisibility/processPerson.do' endpoint with a crafted ID parameter that includes the malicious script payload, such as an image tag (with an invalid image source) using an 'onerror' event. The injected script will be reflected in the response without any sanitization, executing in the context of the user's browser. This vulnerability also exists on the '/BankVisibility/processBank.do', '/BankVisibility/processInterchange.do', and '/BankVisibility/processBankDept.do' endpoints, using similar injection methods.