Abstract Advisory Information


There is an XSS vulnerability in a module of the Archibus iOS application.

This vulnerability allows an attacker to perform actions on behalf of the user, exfiltrate data, and so on.

Impact: Client-side code execution

Author: Elliot Rasch

Version affected


Name: Archibus iOS application

Vendor: Eptura

Versions: V4.0.3

Common Vulnerability Scoring System


5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patches


No patch available

References


  • https://cds.thalesgroup.com/en/tcs-belgium-luxembourg/CVE-2023-48644

Vulnerability Disclosure Timeline


  • 18/07/2023: Vulnerability discovery
  • 13/10/2023: Vulnerability Report to CERT-XLM
  • 17/10/2023: Vulnerability Report to Vendor through email
  • 17/10/2023: Vulnerability Report to Vendor through form
  • 24/10/2023: Meeting with Eptura (Canceled by the vendor)
  • 24/10/2023: Vulnerability Report to Vendor through email
  • 07/11/2023: Called the vendor; no answer and no possibility to leave a message
  • 14/11/2023: CVE ID requested from MITRE
  • 17/11/2023: CVE number assigned
  • 21/11/2023: Vendor contacted again
  • 31/01/2024: Vulnerability disclosure