LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36012: Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inje...

Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This CVE describes a stored cross-site scripting issue in BDTASK Multi-Store Inventory Management System 1.0. A local admin can place code in the Customer Name field, which may later run in another user’s browser. The supplied sources do not provide a CVSS score, patch, or evidence of active exploitation.

Executive priority

Treat this as a targeted application-risk item, not an internet-wide emergency. Prioritize if the product is deployed, handles sensitive customer data, or has many local admins. Lack of patch information means vendor follow-up is important.

Technical view

CVE-2020-36012 is reported as stored XSS through the Add Customer Customer Name field in Multi-Store Inventory Management System 1.0. The attacker role is described as local admin. No CWE, CPE, vendor advisory, fixed version, or detailed impact metrics are provided in the supplied CVE bundle.

Likely exposure

Exposure is most likely limited to organizations running BDTASK Multi-Store Inventory Management System 1.0, especially where local admin accounts are broadly shared or weakly governed. The CVE record’s structured affected-product data is incomplete.

Exploitation context

The source bundle says exploitation requires a local admin injecting code into a stored customer-name value. KEV is false, and the supplied sources do not show active exploitation in the wild or public weaponization beyond the referenced write-up.

Researcher notes

Evidence is thin: the CVE description and one public write-up identify stored XSS in Customer Name, but no CVSS, CWE, CPE, patch, or broad exploitation data is supplied. Avoid assuming other versions or modules are affected.

Mitigation direction

  • Check BDTASK or product-owner guidance for a fixed version or official workaround.
  • Restrict local admin access to trusted, accountable users only.
  • Review existing customer records for suspicious script-like content.
  • Apply output encoding and input validation if maintaining custom code around this field.
  • Monitor the CVE record for updated affected-version or remediation data.

Validation and detection

  • Confirm whether BDTASK Multi-Store Inventory Management System 1.0 is deployed.
  • Identify who has local admin access and whether accounts are shared.
  • Review Customer Name data for unusual markup or script-like values.
  • In a test copy, verify customer-name output is safely encoded.
  • Check audit logs for recent customer creation or modification by admins.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36012 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.