Abstract Advisory Information
The application is prone to reflected Cross-site Scripting (XSS) attack in several features. This vulnerability allows an attacker to perform action on behalf of the users and exfiltrate data.
Author: Elliot Rasch
Version affected
Name: HOPEX
Versions: 15.2.0.6110
Common Vulnerability Scoring System
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Patch
Hotfix V5CP2
References
Vulnerability Disclosure Timeline
- 17/05/2022: Vulnerability discovery
- 18/05/2022: Vulnerability Report to CERT-XLM
- 19/05/2022: Vulnerability Report to Vendor through Contact Form
- 24/05/2022: Vulnerability Report to Vendor through Contact Form + Account created on their support portal
- 03/06/2022: Called vendor, redirected us to specific email address
- 10/06/2022: Investigation at given email address
- 17/06/2022: Investigation at given email address
- 24/06/2022: Investigation at given email address
- 24/06/2022: Contacted Technical Support Manager
- 24/06/2022: Vendor acknowledged and gave us contact point
- 01/07/2022: Investigation at Technical Support email address
- 08/07/2022: Reminder to the Technical Support email address
- 22/07/2022: Investigation at given helpdesk and security email address
- 22/07/2022: Investigation at personal email address
- 03/08/2022: Called vendor, told reception to ask IT to recontact us
- 19/08/2022: Update on all contact points we have
- 19/08/2022: Request CVE ID to Mitre
- 02/09/2022: CVE IDs assigned -> CVE-2022-38481
- 14/09/2022: Vulnerability patched in V5CP2 Hotfix
- 28/10/2022: Expected Vulnerability disclosure