CVE-2022-38490

by mrahier96

Abstract Advisory Information

Some parameters in EasyVista are vulnerable to SQL injection.
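The advisory names the vulnerability class but, as published, no vulnerable code. The following constructed example (added here; it is not EasyVista code and the table, column and parameter names are hypothetical) shows the general pattern behind a parameter-driven SQL injection: a value concatenated into the query text becomes part of the query's logic, while a bound parameter stays data. It runs against an in-memory SQLite database so it can be tried offline.

```python
"""Vulnerable vs. parameterized lookup (added example, not EasyVista code).

A constructed sqlite3 demo of the pattern the advisory describes: a request
parameter concatenated into a query can change what the query does, whereas
the same value passed as a bound parameter cannot. Table and column names
are hypothetical.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory table with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [
            (1, "alice", "Printer offline"),
            (2, "bob", "VPN access"),
            (3, "carol", "Password reset"),
        ],
    )
    conn.commit()
    return conn


def tickets_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Builds the WHERE clause by string concatenation.

    The caller-controlled value is spliced into the SQL text, so a value that
    contains a quote and a boolean clause rewrites the filter and returns rows
    the caller should not see.
    """
    query = "SELECT id, title FROM tickets WHERE owner = '" + owner + "'"
    return conn.execute(query).fetchall()


def tickets_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Binds the value as a query parameter.

    The driver passes the value separately from the SQL text, so it is only
    ever compared as data; the same hostile value simply matches no row.
    """
    query = "SELECT id, title FROM tickets WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Constructed hostile input: a quote that closes the literal plus an
    # always-true clause. Only the concatenating version is affected by it.
    hostile = "alice' OR '1'='1"
    print("vulnerable   :", tickets_vulnerable(db, hostile))
    print("parameterized:", tickets_parameterized(db, hostile))
```

The fix for this class of bug is the second function: every value that originates from a request must reach the database as a bound parameter (or through an ORM that binds for you), never through string formatting, regardless of any input filtering done upstream.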

Author: Valentin Giannini & Alexis Pain

Versions affected

Name: EasyVista

Versions: 2020.2.125.3 & 2022.1.109.0.03

Common Vulnerability Scoring System

9.6

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Patch

2020.2.125.3 & 2022.1.109.0.03

References

Vulnerability Disclosure Timeline

  • 17/05/2022: Vulnerability discovery
  • 18/05/2022: Vulnerability Report to CERT-XLM
  • 19/05/2022: Vulnerability Report to Vendor through Contact Form
  • 24/05/2022: Vulnerability Report to Vendor through inquiry at supptech@easyvista.com
  • 24/05/2022: Vulnerability Report to Vendor through Contact Form
  • 03/06/2022: Vulnerability Report to Vendor through inquiry at supptech@easyvista.com
  • 03/06/2022: Vulnerability Report to Vendor through Contact Form
  • 03/06/2022: Vendor called, redirected us to support team
  • 08/07/2022: Vulnerability Report to Vendor through inquiries at multiple contact points
  • 25/07/2022: Vulnerability Report sent to Vendor through multiple investigations at security contact point
  • 25/07/2022: Phone call with Vendor
  • 19/08/2022: Update requested from Vendor through multiple inquiries
  • 19/08/2022: Update received from Vendor: fix is done (now awaiting the fix for the other CVE)
  • 20/08/2022: CVE ID requested from MITRE
  • 20/08/2022: CVE IDs assigned
  • 26/08/2022: Update requested from Vendor
  • 02/09/2022: Update requested from Vendor and CVE ID sent to Vendor
  • 05/09/2022: Meeting with Vendor to prepare the publication
  • 30/09/2022: Update requested from Vendor
  • 04/10/2022: Multiple call attempts to the Vendor
  • 31/10/2022: Expected vulnerability disclosure