CVE-2022-38489

by mrahier96

Abstract Advisory Information

Several features of the application are vulnerable to stored cross-site scripting (XSS): attacker-supplied markup is saved by the application and later rendered in the browsers of other users.

Authors: Valentin Giannini and Alexis Pain

Versions affected

Name: EasyVista

Versions: 2020.2.125.3

Common Vulnerability Scoring System

4.8 (Medium)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

High privileges and user interaction are required, scope is changed (the payload executes in another user's browser), and the confidentiality and integrity impacts are Low; this vector yields the 4.8 base score.

Patch

2022.1.110.1.02

References

Vulnerability Disclosure Timeline

  • 17/05/2022: Vulnerability discovered
  • 18/05/2022: Vulnerability reported to CERT-XLM
  • 19/05/2022: Vulnerability reported to vendor through the contact form
  • 24/05/2022: Vulnerability reported to vendor through an inquiry to “supptech@easyvista.com”
  • 24/05/2022: Vulnerability reported to vendor through the contact form
  • 03/06/2022: Vulnerability reported to vendor through an inquiry to “supptech@easyvista.com”
  • 03/06/2022: Vulnerability reported to vendor through the contact form
  • 03/06/2022: Vendor called; redirected us to the support team
  • 08/07/2022: Vulnerability reported to vendor through inquiries at multiple contact points
  • 25/07/2022: Vulnerability report sent to vendor through multiple inquiries at the security contact point
  • 25/07/2022: Phone call with vendor
  • 19/08/2022: Update requested from vendor through multiple inquiries
  • 19/08/2022: Update received from vendor: fix is done (now awaiting the fix for the other CVE)
  • 20/08/2022: CVE ID requested from MITRE
  • 20/08/2022: CVE IDs assigned
  • 26/08/2022: Update requested from vendor
  • 02/09/2022: Update requested from vendor and CVE ID sent to vendor
  • 05/09/2022: Meeting with vendor to prepare the publication
  • 30/09/2022: Update requested from vendor
  • 04/10/2022: Multiple call attempts to the vendor
  • 31/10/2022: Expected vulnerability disclosure