CVE-2022-24967

by mathildeexlm

Abstract Advisory Information

The application is prone to stored Cross-site Scripting (XSS) attacks in several features, allowing an attacker to store a JavaScript payload that will be executed when another user uses the application.

This vulnerability allows an attacker to perform actions on behalf of the user, exfiltrate data and, in some cases, perform network discovery operations or run requests against other web applications from the user's browser.

Author: Elliot RASCH

Version affected

Vendor: Black Rainbow

Name: NIMBUS

Version: 3.4.0

Common Vulnerability Scoring System

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Patches

3.7.0

References

Vulnerability Disclosure Timeline

  • 26/01/2022: Vulnerability discovery
  • 27/01/2022: Vulnerability Report to CERT-XLM
  • 27/01/2022: Vulnerability Report to Vendor through Contact Form
  • 04/02/2022: Vulnerability Report to the Vendor through Contact Form
  • 04/02/2022: Vulnerability Report to the Vendor through investigation at info@blackrainbow.com
  • 04/02/2022: Acknowledgement from the vendor
  • 11/02/2022: Publication planning with the vendor
  • 11/02/2022: Request CVE IDs to Mitre
  • 11/02/2022: CVE IDs assigned: CVE-2022-24967.
  • 29/04/2022: Expected Vulnerability disclosure
  • 05/05/2022: New expected vulnerability disclosure date, at the vendor's request
  • 06/05/2022: Called vendor to discuss disclosure details.
  • 25/05/2022: Vulnerability disclosure
