CVE-2020-36012: Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inje...
Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field.
Security readout for executives and security teams
Plain-English summary
This CVE describes a stored cross-site scripting issue in BDTASK Multi-Store Inventory Management System 1.0. A local admin can place code in the Customer Name field, which may later run in another user’s browser. The supplied sources do not provide a CVSS score, patch, or evidence of active exploitation.
Executive priority
Treat this as a targeted application-risk item, not an internet-wide emergency. Prioritize if the product is deployed, handles sensitive customer data, or has many local admins. Lack of patch information means vendor follow-up is important.
Technical view
CVE-2020-36012 is reported as stored XSS through the Add Customer Customer Name field in Multi-Store Inventory Management System 1.0. The attacker role is described as local admin. No CWE, CPE, vendor advisory, fixed version, or detailed impact metrics are provided in the supplied CVE bundle.
Likely exposure
Exposure is most likely limited to organizations running BDTASK Multi-Store Inventory Management System 1.0, especially where local admin accounts are broadly shared or weakly governed. The CVE record’s structured affected-product data is incomplete.
Exploitation context
The source bundle says exploitation requires a local admin injecting code into a stored customer-name value. KEV is false, and the supplied sources do not show active exploitation in the wild or public weaponization beyond the referenced write-up.
Researcher notes
Evidence is thin: the CVE description and one public write-up identify stored XSS in Customer Name, but no CVSS, CWE, CPE, patch, or broad exploitation data is supplied. Avoid assuming other versions or modules are affected.
Mitigation direction
Check BDTASK or product-owner guidance for a fixed version or official workaround.
Restrict local admin access to trusted, accountable users only.
Review existing customer records for suspicious script-like content.
Apply output encoding and input validation if maintaining custom code around this field.
Monitor the CVE record for updated affected-version or remediation data.
Validation and detection
Confirm whether BDTASK Multi-Store Inventory Management System 1.0 is deployed.
Identify who has local admin access and whether accounts are shared.
Review Customer Name data for unusual markup or script-like values.
In a test copy, verify customer-name output is safely encoded.
Check audit logs for recent customer creation or modification by admins.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jan 27, 2021, 12:11 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.