Security readout for executives and security teams
Plain-English summary
This CVE describes multiple cross-site scripting flaws in Bank Soft Systems RBS BS-Client Private/Retail Client. An attacker with a valid session identifier could inject script or HTML through vulnerable inputs. The business concern is potential user-session abuse or fraud-enabling browser actions in a banking client context.
Executive priority
Treat this as a targeted legacy-banking-client risk. Prioritize inventory and vendor-status checks, especially in environments handling customer banking sessions. Escalate if affected systems are internet-accessible or still used for production financial workflows.
Technical view
The issue is in bsi.dll for RBS BS-Client Private/Retail Client 2.5, 2.4, and earlier. The CVE reports multiple reflected input-handling weaknesses across named parameters, requiring a valid sid value. No CVSS score, CWE mapping, or vendor-fixed version is provided in the supplied sources.
Likely exposure
Exposure is most likely where legacy RBS BS-Client Private/Retail Client 2.5, 2.4, or earlier remains deployed and reachable by users. The supplied affected-product metadata is incomplete, so inventory confirmation is required.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation evidence. The flaw is remotely triggerable according to the CVE description, but it requires a valid sid parameter value, indicating some session context is needed.
Researcher notes
Evidence is limited to the CVE description and Trustwave advisory reference. The CVE names vulnerable parameters and a valid sid requirement, but supplies no CVSS, CWE, exploit status, or patch version. Avoid assuming affected CPEs beyond the stated product and versions.
Mitigation direction
- Check Bank Soft Systems or Trustwave guidance for fixed builds or official remediation.
- Inventory and retire unsupported RBS BS-Client Private/Retail Client deployments.
- Restrict access to affected interfaces to trusted networks and users.
- Review web-layer filtering for script or HTML injection attempts.
- Monitor application logs for suspicious parameter content.
Validation and detection
- Identify installed RBS BS-Client Private/Retail Client versions across the environment.
- Confirm whether bsi.dll endpoints are reachable by users or external parties.
- Review logs for unusual script-like input in affected request parameters.
- Validate remediation status against vendor or Trustwave advisory information.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2014-10398 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-009.txtCVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
