Abstract Advisory Information
A user with high privilege access to the incapptic Connect web console can store a cross-site scripting playload, which can be opened by any authenticated user, who opens the file in all Incapptic Connect versions.
Authors: Dominique Righetto from Excellium Services
Version affected
Name: Incapptic
Versions: All incapptic Connect versions.
Common Vulnerability Scoring System
8.1 – CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A
Patches
No patch available. Instead, the vendor published a workaround.
References
- https://forums.ivanti.com/s/article/Security-Advisory-for-incapptic-Connect-SA-2022-03-11?language=en_US
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22571
Vulnerability Disclosure Timeline
- 21/02/2022: Vulnerability discovery
- 21/02/2022: Vulnerability Report to CERT-XLM
- 21/02/2022: Vulnerability Report to Vendor
- 25/02/2022: Vulnerability Report to Vendor
- 11/03/2022: Vulnerability Report to Vendor
- 11/03/2022: Acknowledge from vendor
- 18/03/2022: Asked Vendor if a patch is planned
- 21/03/2022: CVE ID assigned CVE-2022-22571
- 28/03/2022: Security advisory published
Find more vulnerabilities in our Security Advisory section.
