Abstract Advisory Information

The application is vulnerable to an XSS vulnerability.

Author: Thomas CLAIR

Version affected

Name: Vound software

Product : Intella connect

Versions: 2.6.0.3

Common Vulnerability Scoring System

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patch

No known patch

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35792

Vulnerability Disclosure Timeline

• • 17/04/2023: Vulnerability discovery
  • 24/04/2023: Vulnerability Report to CERT-XLM
  • 25/04/2023: Vulnerability Reported to Vound Software by mail
  • 26/04/2023: Reply from Vendor
  • 04/05/2023: Reply from Vendor
  • 08/05/2023: Reply from Vendor, ask for more informations to pentest team
  • 15/05/2023: Hashes of the installer provided to the vendor
  • 16/06/2023: Request CVE ID from MITRE
  • 19/06/2023: CVE IDs assigned Use CVE-2023-35792
  • 20/06/2023: Updated asked to Vendor
  • 27/06/2023: Updated received from Vendor
  • 04/07/2023: Updated asked to Vendor
  • 18/07/2023: Ask vendor for a release date
  • 27/07/2023: Expected Vulnerability disclosure