CVE-2022-21828

by mathildeexlm

Abstract Advisory Information

A user with high-privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server through an unspecified attack vector in Incapptic Connect versions 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3.

Authors: Dominique Righetto from Excellium Services

Versions affected

Name: Incapptic
Versions: Incapptic Connect versions 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3.

Common Vulnerability Scoring System

9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Patches

Fixed in version 1.40.1

References

Vulnerability Disclosure Timeline

  • 18/02/2022: Vulnerability discovery
  • 18/02/2022: Vulnerability Report to CERT-XLM
  • 21/02/2022: Vulnerability Report to Vendor
  • 22/02/2022: Acknowledgement from vendor
  • 23/02/2022: CVE ID requested by vendor
  • 23/02/2022: CVE ID assigned CVE-2022-21828
  • 24/02/2022: Bug fixed and security advisory published
  • 18/03/2022: Contacted vendor to update CVSS score
  • 21/03/2022: Vendor answered that they cannot modify it
  • 04/04/2022: Security advisory published
