Abstract Advisory Information
Link manipulation occurs when an application embeds user input into the path or domain of URLs that appear within application responses. An attacker can use this vulnerability to construct a link that, if visited by another application user, will modify the target of URLs within the response.
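As an added illustration, not part of the advisory and not Mega HOPEX code: the weak link-building pattern the abstract describes beside a hardened version, plus a small review helper that flags links in a response body which leave the application's own origin. APP_ORIGIN, SAMPLE_RESPONSE and every hostname in the block are constructed values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed values for this example; neither comes from the advisory.
APP_ORIGIN = "https://hopex.example.test"
SAMPLE_RESPONSE = (
    '<a href="/home">Home</a>'
    '<a href="https://hopex.example.test/docs">Docs</a>'
    '<a href="https://untrusted.example/login">Login</a>'
    '<form action="//untrusted.example/post"></form>'
)

def same_origin(url: str, origin: str) -> bool:
    """True when url carries exactly the scheme and host[:port] of origin."""
    u, o = urlsplit(url), urlsplit(origin)
    return (u.scheme.lower(), u.netloc.lower()) == (o.scheme.lower(), o.netloc.lower())

def build_link_weak(base_from_request: str, path: str) -> str:
    """Weak pattern: the link's scheme and host come from request-controlled data."""
    return urljoin(base_from_request, path)

def build_link_fixed(path: str, app_origin: str = APP_ORIGIN) -> str:
    """Hardened pattern: fixed server-side origin, path forced relative, result re-checked."""
    candidate = urljoin(app_origin + "/", path.lstrip("/\\"))
    if not same_origin(candidate, app_origin):
        raise ValueError("link escaped the application origin: %r" % path)
    return candidate

def link_is_rejected(path: str) -> bool:
    """Test helper: does build_link_fixed refuse this path?"""
    try:
        build_link_fixed(path)
    except ValueError:
        return True
    return False

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        # Collect every href/src/action value so the review helper can judge its origin.
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)

def off_origin_links(html: str, app_origin: str = APP_ORIGIN) -> list:
    """Review aid: absolute or protocol-relative links that leave the app's origin."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).netloc and not same_origin(u, app_origin)]
```

Running off_origin_links over a captured response is a quick way to confirm that every emitted link stays on the expected origin after a fix such as the vendor hotfix is applied.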
Author: Elliot Rasch
Version affected
Name: Mega HOPEX
Versions: 15.2.0.6110
Common Vulnerability Scoring System
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Patch
Hotfix V5CP4
References
Vulnerability Disclosure Timeline
- 17/05/2022: Vulnerability discovery
- 18/05/2022: Vulnerability Report to CERT-XLM
- 19/05/2022: Vulnerability Report to Vendor through Contact Form
- 24/05/2022: Vulnerability Report to Vendor through Contact Form + Account created on their support portal
- 03/06/2022: Called vendor, redirected us to specific email address
- 10/06/2022: Investigation at given email address
- 17/06/2022: Investigation at given email address
- 24/06/2022: Investigation at given email address
- 24/06/2022: Contacted Technical Support Manager
- 24/06/2022: Vendor acknowledged and gave us contact point
- 01/07/2022: Investigation at Technical Support email address
- 08/07/2022: Reminder to the Technical Support email address
- 22/07/2022: Investigation at given helpdesk and security email address
- 22/07/2022: Investigation at personal email address
- 03/08/2022: Called vendor, told reception to ask IT to recontact us
- 19/08/2022: Update on all contact points we have
- 19/08/2022: Request CVE ID to Mitre
- 20/08/2022: CVE ID assigned: CVE-2022-38482
- 07/10/2022: Hotfix V5CP4 released by Vendor
- 31/10/2022: Vulnerability disclosure