Abstract Advisory Information

The consultation permission allows the users to view, add, modify, and delete data instead of just viewing it.

Author: Alexis Pain

Version affected

Name: APSAL

Versions: 3.14.2022.235 b

Common Vulnerability Scoring System

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Patch

APSAL 2023.0237

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26099″
• https://www.telindus.lu/fr/produits/apsal

Vulnerability Disclosure Timeline

• • 01/12/2022: Vulnerability discovery
  • 09/01/2023: Vulnerability Report to CERT-XLM
  • 20/01/2023: Vulnerability Report to Vendor through email
  • 17/02/2023: Vendor contacted again for an update
  • 20/02/2023: CVE number assigned: CVE-2023-26099
  • 24/02/2023: CVE ID communicated to vendor and asked for an update regarding the patch.
  • 03/03/2023: Update asked to vendor
  • 23/03/2023: Update received from vendor, use fix APSAL 2023.0237
  • 24/04/2023: Expected Vulnerability disclosure