Abstract Advisory Information


There is an SQL injection in the application that allows queries to be executed against the application's local database.
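To show what the advisory's class of bug looks like at code level and how it is closed, the following is an added example written for this page; it is not code from the Archibus application or from Eptura. The advisory does not name the app's database engine or language, so the example assumes an SQLite store (the usual local database on mobile) and uses Python's standard `sqlite3` module; the `rooms` table and its rows are constructed sample data. The vulnerable lookup splices user text into the SQL string; the hardened lookup binds it as a parameter, and a regression check confirms the two behave differently on a probe string containing a quote.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the app's local database
    (assumption: SQLite; the advisory does not say which engine is used)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rooms (id INTEGER PRIMARY KEY, name TEXT, floor TEXT)")
    conn.executemany(
        "INSERT INTO rooms (name, floor) VALUES (?, ?)",
        [("Lab A", "1"), ("Lab B", "1"), ("Storage", "2")],
    )
    conn.commit()
    return conn


def find_rooms_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: user-controlled text becomes part of the SQL itself,
    so a quote character in `name` changes the query's structure."""
    sql = "SELECT name FROM rooms WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_rooms_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter, so the driver treats it
    as data regardless of what characters it contains."""
    rows = conn.execute("SELECT name FROM rooms WHERE name = ?", (name,))
    return [row[0] for row in rows]


def injection_regression_check(conn: sqlite3.Connection) -> dict:
    """Regression check a defender can keep in a test suite: a lookup for a
    name that does not exist must return no rows, even when the input carries
    SQL metacharacters. The unsafe query instead returns every row, because the
    injected condition `'1'='1'` is always true."""
    probe = "' OR '1'='1"
    return {
        "unsafe": find_rooms_unsafe(conn, probe),
        "safe": find_rooms_safe(conn, probe),
    }


def apostrophe_handling(conn: sqlite3.Connection) -> dict:
    """Parameter binding also fixes the functional bug behind most string-built
    queries: a legitimate name with an apostrophe breaks the unsafe query
    (SQLite raises OperationalError), while the safe one simply finds no match."""
    name = "O'Brien's office"
    try:
        unsafe = find_rooms_unsafe(conn, name)
    except sqlite3.OperationalError:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": find_rooms_safe(conn, name)}


if __name__ == "__main__":
    db = build_sample_db()
    print(injection_regression_check(db))  # unsafe lists all rooms; safe is []
    print(apostrophe_handling(db))         # unsafe errors; safe is []
```

The same principle applies whichever client library the app uses: every query that touches user input should go through bound parameters, and a test like `injection_regression_check` catches any reintroduction of string concatenation.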

Author: Elliot Rasch

Version affected


Name: Archibus iOS application

Vendor: Eptura

Versions: V4.0.3

Common Vulnerability Scoring System


Base score: 4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Patches


No patch available

References


  • https://cds.thalesgroup.com/en/tcs-belgium-luxembourg/CVE-2023-48645

Vulnerability Disclosure Timeline


  • 18/07/2023: Vulnerability discovery
  • 13/10/2023: Vulnerability Report to CERT-XLM
  • 17/10/2023: Vulnerability report to vendor by email
  • 17/10/2023: Vulnerability report to vendor through the contact form
  • 24/10/2023: Meeting with Eptura (Canceled by the vendor)
  • 24/10/2023: Vulnerability report to vendor by email
  • 07/11/2023: Called the vendor; no answer and no possibility to leave a message
  • 14/11/2023: CVE ID requested from MITRE
  • 17/11/2023: CVE number assigned
  • 21/11/2023: Vendor contacted again
  • 31/01/2024: Vulnerability disclosure