CVE-2022-37028

by mrahier96

Abstract Advisory Information

The application is prone to a stored Cross-Site Scripting (XSS) attack on a specific page and field.

Author: Mathieu Vivier

Version affected

Name: ISAMS

Versions: 22.2.3.2

Common Vulnerability Scoring System

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Patch

22.8.1.9

References

Vulnerability Disclosure Timeline

  • 28/06/2022: Vulnerability discovery
  • 30/06/2022: Vulnerability report to CERT-XLM
  • 01/07/2022: Vulnerability report to vendor through investigation (to find a point of contact)
  • 08/07/2022: Reminder + phone call to find a point of contact
  • 08/07/2022: Call in which we are told to contact marketing or sales without being given a contact, and finally to contact the email on the website (the one that has already been contacted)
  • 08/07/2022: Appeal to ISAMS on Twitter
  • 22/07/2022: Phone call to the support, which redirected us toward the sales email
  • 22/07/2022: Vulnerability report through webform
  • 22/07/2022: Vulnerability report through investigation
  • 25/07/2022: Acknowledgement from vendor
  • 29/07/2022: Request CVE ID from MITRE
  • 29/07/2022: CVE ID assigned: use CVE-2022-37028
  • 05/08/2022: Refresh vendor to ask the status of the fix
  • 12/08/2022: Called both phone numbers: no answer. Call center doesn't take our calls
  • 19/08/2022: Refresh vendor and provide the CVE ID to them
  • 26/08/2022: Called both the mobile and office phone numbers, no answer. Left an email and a voicemail. Answer to email: our tested version is too old. But we can't get an updated version
  • 02/09/2022: Contact the vendor to ask whether the vulnerability is still present in the newer version
  • 05/09/2022: Contact vendor for explanation around the vulnerability fix check; phone call proposed
  • 06/09/2022: Vendor replied with the fixed version
  • 26/09/2022: Expected disclosure