PatchSiren cyber security CVE debrief
CVE-2015-4626 Treasuryxpress CVE debrief
CVE-2015-4626 describes a business-logic integrity flaw in B.A.S C2Box before 4.0.0 (r19171). According to NVD, the product relied on client-side validation, which could let a remote attacker supply a negative overdraft value and corrupt the application’s business logic. NVD scores the issue as HIGH with network access, no authentication, and high integrity impact.
- Vendor: Treasuryxpress
- Product: CVE-2015-4626
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-23
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-23
- Advisory updated: 2026-05-13
Who should care
Administrators, security teams, and developers responsible for B.A.S C2Box deployments, especially any systems still running versions before 4.0.0 (r19171). Teams that rely on the application for financial or account-related workflows should treat this as a data-integrity issue.
Technical summary
NVD lists the vulnerable CPE as treasuryxpress:c2box up to and including 4.0.0, with a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N and weakness CWE-189. The issue stems from trusting client-side validation for an overdraft-related input, allowing remote manipulation of business logic. The NVD record references a third-party advisory on Packet Storm.
Defensive priority
High. The flaw is remotely reachable, requires no privileges, and can alter application state or transaction logic. If C2Box is exposed to untrusted users or used in sensitive financial workflows, remediation should be prioritized.
Recommended defensive actions
- Upgrade or replace B.A.S C2Box to a version beyond 4.0.0 (r19171) if available and supported.
- Do not rely on client-side validation for overdraft or other financial inputs; enforce validation and bounds checks on the server side.
- Add server-side controls to reject negative or out-of-policy values before any business-logic processing.
- Review application logs and transaction records for unexpected negative overdraft values or other malformed inputs.
- If upgrade is not immediately possible, restrict access to trusted networks and apply compensating controls around the affected workflow.
- Validate that downstream services and integrations also enforce input rules, so a bypass in the client cannot propagate further.
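The server-side bounds check and the log review from the actions above, written out as an added example (not C2Box code; the field names, policy ceiling and sample records are constructed for illustration):

```python
"""Server-side overdraft validation and record review (added example).

Field names ("overdraft_limit", "txn_id", "client_validated") and the
policy bounds are assumptions; the real C2Box request format is not
documented on this page.
"""
from decimal import Decimal, InvalidOperation

# Constructed policy: a non-negative amount in whole cents, capped per account.
POLICY = {"min": Decimal("0"), "max": Decimal("5000.00"), "places": 2}


def validate_overdraft(payload: dict, policy: dict = POLICY) -> tuple[bool, str]:
    """Return (ok, reason). Any client-supplied 'client_validated' flag is ignored."""
    raw = payload.get("overdraft_limit")
    if not isinstance(raw, str):
        return False, "overdraft_limit must be a decimal string"
    try:
        value = Decimal(raw)
    except InvalidOperation:
        return False, "overdraft_limit is not a decimal number"
    if not value.is_finite():          # rejects NaN / Infinity
        return False, "overdraft_limit must be finite"
    if value < policy["min"]:          # the CVE-2015-4626 case
        return False, "negative overdraft value rejected"
    if value > policy["max"]:
        return False, "overdraft_limit exceeds policy ceiling"
    if -value.as_tuple().exponent > policy["places"]:
        return False, "too many decimal places"
    return True, "ok"


SAMPLE_RECORDS = [  # constructed transaction records for the review step
    {"txn_id": "T1001", "overdraft_limit": "250.00"},
    {"txn_id": "T1002", "overdraft_limit": "-100.00"},
    {"txn_id": "T1003", "overdraft_limit": "abc"},
]


def find_suspicious_overdrafts(records: list[dict]) -> list[str]:
    """Return txn ids whose stored overdraft value is negative or malformed."""
    hits = []
    for rec in records:
        try:
            if Decimal(str(rec["overdraft_limit"])) < 0:
                hits.append(rec["txn_id"])
        except (InvalidOperation, KeyError):
            hits.append(rec.get("txn_id", "<malformed>"))
    return hits
```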
Evidence notes
The CVE description states that B.A.S C2Box before 4.0.0 (r19171) relies on client-side validation and can be abused via a negative overdraft value. NVD’s CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, and the weakness is mapped to CWE-189. The NVD record also includes a Packet Storm advisory reference. Timing context: the CVE was published on 2017-01-23T21:59:00.360Z and later modified on 2026-05-13T00:24:29.033Z.
Official resources
- CVE-2015-4626 CVE record (CVE.org)
- CVE-2015-4626 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Exploit, Third Party Advisory, VDB Entry)
Publicly disclosed in the CVE record on 2017-01-23T21:59:00.360Z. The record was later modified on 2026-05-13T00:24:29.033Z.