LiveActive security incident?Get immediate response
CVE Record

CVE-2014-10398: Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client.

Multiple cross-site scripting (XSS) vulnerabilities in bsi.dll in Bank Soft Systems (BSS) RBS BS-Client. Private Client (aka RBS BS-Client. Retail Client) 2.5, 2.4, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) DICTIONARY, (2) FILTERIDENT, (3) FROMSCHEME, (4) FromPoint, or (5) FName_0 parameter and a valid sid parameter value.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This CVE describes multiple cross-site scripting flaws in Bank Soft Systems RBS BS-Client Private/Retail Client. An attacker with a valid session identifier could inject script or HTML through vulnerable inputs. The business concern is potential user-session abuse or fraud-enabling browser actions in a banking client context.

Executive priority

Treat this as a targeted legacy-banking-client risk. Prioritize inventory and vendor-status checks, especially in environments handling customer banking sessions. Escalate if affected systems are internet-accessible or still used for production financial workflows.

Technical view

The issue is in bsi.dll for RBS BS-Client Private/Retail Client 2.5, 2.4, and earlier. The CVE reports multiple reflected input-handling weaknesses across named parameters, requiring a valid sid value. No CVSS score, CWE mapping, or vendor-fixed version is provided in the supplied sources.

Likely exposure

Exposure is most likely where legacy RBS BS-Client Private/Retail Client 2.5, 2.4, or earlier remains deployed and reachable by users. The supplied affected-product metadata is incomplete, so inventory confirmation is required.

Exploitation context

The source bundle does not show CISA KEV listing or active exploitation evidence. The flaw is remotely triggerable according to the CVE description, but it requires a valid sid parameter value, indicating some session context is needed.

Researcher notes

Evidence is limited to the CVE description and Trustwave advisory reference. The CVE names vulnerable parameters and a valid sid requirement, but supplies no CVSS, CWE, exploit status, or patch version. Avoid assuming affected CPEs beyond the stated product and versions.

Mitigation direction

  • Check Bank Soft Systems or Trustwave guidance for fixed builds or official remediation.
  • Inventory and retire unsupported RBS BS-Client Private/Retail Client deployments.
  • Restrict access to affected interfaces to trusted networks and users.
  • Review web-layer filtering for script or HTML injection attempts.
  • Monitor application logs for suspicious parameter content.

Validation and detection

  • Identify installed RBS BS-Client Private/Retail Client versions across the environment.
  • Confirm whether bsi.dll endpoints are reachable by users or external parties.
  • Review logs for unusual script-like input in affected request parameters.
  • Validate remediation status against vendor or Trustwave advisory information.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2014-10398 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.