CVE-2023-26099

Abstract Advisory Information

The consultation permission allows the users to view, add, modify, and delete data instead of just viewing it.

Author: Alexis Pain

Version affected

Name: APSAL

Versions: 3.14.2022.235 b

Common Vulnerability Scoring System

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Patches

APSAL 2023.0237

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26099″
• https://www.telindus.lu/fr/produits/apsal

Vulnerability Disclosure Timeline

• 01/12/2022: Vulnerability discovery
• 09/01/2023: Vulnerability Report to CERT-XLM
• 20/01/2023: Vulnerability Report to Vendor through email
• 17/02/2023: Vendor contacted again for an update
• 20/02/2023: CVE number assigned: CVE-2023-26099
• 24/02/2023: CVE ID communicated to vendor and asked for an update regarding the patch.
• 03/03/2023: Update asked to vendor
• 23/03/2023: Update received from vendor, use fix APSAL 2023.0237
• 24/04/2023: Expected Vulnerability disclosure