CVE-2022-38491

by mrahier96

Abstract Advisory Information

Part of the application is vulnerable to brute-force attacks.

Authors: Valentin Giannini & Alexis Pain

Version affected

Name: Easy Vista

Versions: 2020.2.125.3 & 2022.1.109.0.03

Common Vulnerability Scoring System

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Patch

<TBD>

References

Vulnerability Disclosure Timeline

  • 17/05/2022: Vulnerability discovery
  • 18/05/2022: Vulnerability Report to CERT-XLM
  • 19/05/2022: Vulnerability Report to Vendor through Contact Form
  • 24/05/2022: Vulnerability Report to Vendor through investigation at “supptech@easyvista.com”
  • 24/05/2022: Vulnerability Report to Vendor through Contact Form
  • 03/06/2022: Vulnerability Report to Vendor through investigation at “supptech@easyvista.com”
  • 03/06/2022: Vulnerability Report to Vendor through Contact Form
  • 03/06/2022: Vendor called, redirected us to support team
  • 08/07/2022: Vulnerability Report to Vendor through investigation at multiple contact points
  • 25/07/2022: Vulnerability Report sent to Vendor through multiple investigations at security contact point
  • 25/07/2022: Phone call with Vendor
  • 19/08/2022: Updates requested from vendor through multiple investigations
  • 19/08/2022: Fix is ongoing
  • 20/08/2022: Request CVE ID to Mitre
  • 20/08/2022: CVE IDs assigned
  • 26/08/2022: Updates requested from vendor
  • 02/09/2022: Updates requested from vendor and CVE ID sent to vendor
  • 05/09/2022: Meeting with vendor to prepare the publication
  • 30/09/2022: Updates requested from vendor
  • 04/10/2022: Multiple call attempts to the vendor
  • 14/11/2022: Expected Vulnerability disclosure