CVE-2020-14943 in BSA Radar
Summary
by MITRE
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/05/2025
The vulnerability identified as CVE-2020-14943 affects the Global RADAR BSA Radar version 1.6.7234.24750 and earlier installations, specifically targeting the firstname and lastname parameters within the Update User Profile functionality. This represents a critical security flaw that allows attackers to inject malicious scripts into user profile data that persists and executes when other users view the affected profiles. The vulnerability falls under the category of stored cross-site scripting attacks, where malicious code is stored on the server and executed whenever legitimate users access the compromised data.
The technical implementation of this vulnerability stems from inadequate input validation and output sanitization within the user profile update mechanism. When users submit their firstname or lastname information through the profile update interface, the application fails to properly sanitize these parameters before storing them in the database. This allows attackers to submit malicious payloads containing javascript code or other malicious scripts that get stored alongside the user data. The vulnerability is classified as a CWE-79: Cross-site Scripting, which is a common web application security weakness that enables attackers to inject client-side scripts into web pages viewed by other users.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. An attacker who successfully exploits this vulnerability can craft malicious profile entries that execute scripts when other users view the affected profiles, potentially stealing session cookies or redirecting users to malicious sites. The stored nature of the XSS vulnerability means that the attack persists even after the initial injection, making it particularly dangerous as it can affect multiple users over extended periods. This vulnerability aligns with ATT&CK technique T1531: Account Access Removal, as compromised user profiles can be used to gain unauthorized access to systems through session manipulation.
The exploitation of this vulnerability requires an attacker to first gain access to a user account or find a way to submit malicious data through the user profile update interface. Once the malicious payload is stored in the database, any user who views the compromised profile will execute the injected scripts, potentially leading to complete account compromise or further system infiltration. The vulnerability affects the authentication and authorization mechanisms of the system by allowing attackers to manipulate user data in a way that can be leveraged for broader attacks. Organizations using affected versions of Global RADAR BSA Radar should immediately implement mitigations including input validation, output encoding, and regular security assessments to prevent exploitation of this vulnerability. The remediation approach should focus on implementing proper parameter validation and sanitization techniques to prevent malicious input from being stored and executed within the application.