Abstract Advisory Information
The application is vulnerable to a stored Cross-Site Scripting (XSS) attack on a specific page and field.
Author: Mathieu Vivier
Version affected
Name: ISAMS
Versions: 22.2.3.2
Common Vulnerability Scoring System
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Patch
22.8.1.9
References
Vulnerability Disclosure Timeline
- 28/06/2022: Vulnerability discovery
- 30/06/2022: Vulnerability Report to CERT-XLM
- 01/07/2022: Vulnerability report to vendor after investigation (to find a point of contact)
- 08/07/2022: Reminder + phone call to find a point of contact
- 08/07/2022: Call in which we are told to contact marketing or sales without being given a contact, and finally told to contact the email address on the website (the one that has already been contacted)
- 08/07/2022: Appeal to ISAMS on Twitter
- 22/07/2022: Phone call to support, which redirected us to the sales email address
- 22/07/2022: Vulnerability report through webform
- 22/07/2022: Vulnerability report through further investigation
- 25/07/2022: Acknowledgement from vendor
- 29/07/2022: CVE ID requested from MITRE
- 29/07/2022: CVE ID assigned: CVE-2022-37028
- 05/08/2022: Reminder to vendor asking for the status of the fix
- 12/08/2022: Called both phone numbers: no answer. The call center does not take our calls
- 19/08/2022: Reminder to vendor, providing the CVE ID
- 26/08/2022: Called both the mobile and office phone numbers, no answer. Left an email and a voicemail. Answer to the email: our tested version is too old, but we cannot obtain an updated version
- 02/09/2022: Contacted the vendor to ask whether the vulnerability is still present in the newer version
- 05/09/2022: Contacted the vendor for an explanation of how the fix was verified; a phone call was proposed
- 06/09/2022: Vendor replied with the fixed version
- 26/09/2022: Expected disclosure