CVE-2022-38482

by mrahier96

Abstract Advisory Information

Link manipulation occurs when an application embeds user input into the path or domain of URLs that appear within application responses. An attacker can use this vulnerability to construct a link that, if visited by another application user, will modify the target of URLs within the response.
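The pattern described above, as a constructed illustration added here (not code from HOPEX or from the advisory): a hypothetical `return_to` request parameter is written back into an `<a href>`, once verbatim (the link-manipulation bug) and once after being resolved against an assumed application origin so that the target can never leave that origin.

```python
"""Link manipulation: a user-controlled value lands in the host or path of a
URL that the application writes back into its own response.
Constructed example, not HOPEX code. APP_ORIGIN is an assumed deployment origin."""
import html
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example.test"  # assumed origin (constructed)


def build_link_unsafe(return_to: str) -> str:
    """Vulnerable pattern: the value is HTML-escaped (so it is not XSS), but the
    link *target* is still whatever the request said, e.g. //evil.test/login."""
    return f'<a href="{html.escape(return_to, quote=True)}">Back</a>'


def sanitize_return_to(return_to: str) -> str:
    """Return a same-origin path (plus query) for return_to, or "/" if untrusted."""
    # Browsers treat a backslash like a slash in http(s) URLs, so "/\evil.test"
    # would be navigated as "//evil.test"; normalise before resolving.
    candidate = return_to.replace("\\", "/")
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", candidate))
    origin = urlsplit(APP_ORIGIN)
    # Rejects absolute URLs to other hosts, scheme-relative //host URLs,
    # user@host forms (netloc differs) and non-http schemes such as javascript:
    if resolved.scheme != origin.scheme or resolved.netloc != origin.netloc:
        return "/"
    path = resolved.path or "/"
    return f"{path}?{resolved.query}" if resolved.query else path


def build_link_safe(return_to: str) -> str:
    """Hardened builder: only a same-origin path ever reaches the href."""
    return f'<a href="{html.escape(sanitize_return_to(return_to), quote=True)}">Back</a>'


if __name__ == "__main__":
    # Constructed request values of the kind a scanner would send
    for value in ["/dashboard?tab=2", "//evil.test/login", "/\\evil.test",
                  "https://evil.test/", "javascript:alert(1)"]:
        print(f"{value!r:24} unsafe -> {build_link_unsafe(value)}")
        print(f"{'':24} safe   -> {build_link_safe(value)}")
```

The same resolve-then-compare check applies to any reflected URL component (a host in a redirect, a path in a generated asset link), and is the test a reviewer would run against each place the response echoes request data.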

Author: Elliot Rasch

Version affected

Name: Mega HOPEX

Versions: 15.2.0.6110

Common Vulnerability Scoring System

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Patch

Hotfix V5CP4

References

Vulnerability Disclosure Timeline

  • 17/05/2022: Vulnerability discovery
  • 18/05/2022: Vulnerability Report to CERT-XLM
  • 19/05/2022: Vulnerability Report to Vendor through Contact Form
  • 24/05/2022: Vulnerability Report to Vendor through Contact Form + Account created on their support portal
  • 03/06/2022: Called vendor, redirected us to specific email address
  • 10/06/2022: Investigation at given email address
  • 17/06/2022: Investigation at given email address
  • 24/06/2022: Investigation at given email address
  • 24/06/2022: Contacted Technical Support Manager
  • 24/06/2022: Vendor acknowledged and gave us contact point
  • 01/07/2022: Investigation at Technical Support email address
  • 08/07/2022: Reminder to the Technical Support email address
  • 22/07/2022: Investigation at given helpdesk and security email address
  • 22/07/2022: Investigation at personal email address
  • 03/08/2022: Called vendor, told reception to ask IT to recontact us
  • 19/08/2022: Update sent to all contact points we have
  • 19/08/2022: Request CVE ID to Mitre
  • 20/08/2022: CVE ID assigned: CVE-2022-38482
  • 07/10/2022: Hotfix V5CP4 released by Vendor
  • 31/10/2022: Vulnerability disclosure