Description
TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges.
Published: 2025-12-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can steal session cookies and potentially enable privilege escalation
Action: Check for Updates
AI Analysis

Impact

TranzAxis 3.2.41.10.26 suffers a stored cross‑site scripting flaw that can be triggered by an authenticated user through the "Open Object in Tree" endpoint. The vulnerability allows the injection of malicious JavaScript which, when executed in a victim’s browser, can read and exfiltrate session cookies. Because the script is stored, any subsequent user who views the compromised content may be affected, potentially allowing escalation of privileges if the attacker can manipulate authenticated sessions.

Affected Systems

The affected product is TranzAxis version 3.2.41.10.26 distributed by Compass Plustechologies. No other versions are mentioned as vulnerable. The flaw resides in the server‑side handling of the "Open Object in Tree" API and requires the user to be authenticated to perform the injection.

Risk and Exploitability

The flaw’s CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as < 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need valid user credentials to access the vulnerable endpoint; if such credentials exist, the stored XSS could compromise additional users’ sessions and lead to unauthorized privileged actions. Existing defensive controls such as web application firewalls or input sanitization could mitigate the risk, but the most effective countermeasure is to remediate the affected application.

Generated by OpenCVE AI on April 27, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Compass Plustechologies has released a patch or newer version of TranzAxis that addresses the stored XSS flaw and apply it if available.
  • Restrict the use of privileged accounts that can access the "Open Object in Tree" endpoint and monitor for abnormal usage patterns.
  • Deploy a web application firewall or enforce a strict Content Security Policy that disallows inline script execution and restricts the origin of scripts to mitigate stored XSS risk.

Generated by OpenCVE AI on April 27, 2026 at 22:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Dec 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Compassplustechnologies
Compassplustechnologies tranzaxis
CPEs cpe:2.3:a:compassplustechnologies:tranzaxis:3.2.41.10.26:*:*:*:*:*:*:*
Vendors & Products Compassplustechnologies
Compassplustechnologies tranzaxis
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 05 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Compassplus
Compassplus tranzaxis
Vendors & Products Compassplus
Compassplus tranzaxis

Thu, 04 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
Description TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges.
Title TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Compassplus Tranzaxis
Compassplustechnologies Tranzaxis
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:51.960Z

Reserved: 2025-12-04T16:24:10.581Z

Link: CVE-2025-66574

cve-icon Vulnrichment

Updated: 2025-12-05T17:50:17.419Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-04T21:16:10.250

Modified: 2025-12-19T19:43:41.877

Link: CVE-2025-66574

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:45:15Z

Weaknesses