Abstract Advisory Information
A user with high-privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server through an unspecified attack vector. Affected releases are Incapptic Connect versions 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3.
Author: Dominique Righetto
Version affected
Name: Incapptic
Versions: Incapptic Connect versions 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1, 1.37.0, 1.36.0, 1.35.5, 1.35.4 and 1.35.3.
Common Vulnerability Scoring System
9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Patches
version 1.40.1
References
- https://forums.ivanti.com/s/article/SA-2022-02-23?language=en_US
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21828
Vulnerability Disclosure Timeline
- 18/02/2022: Vulnerability discovery
- 18/02/2022: Vulnerability Report to CERT-XLM
- 21/02/2022: Vulnerability Report to Vendor
- 22/02/2022: Acknowledgement from vendor
- 23/02/2022: CVE ID requested by vendor
- 23/02/2022: CVE ID assigned CVE-2022-21828
- 24/02/2022: Bug fixed (version 1.40.1) and vendor security advisory published
- 18/03/2022: Contacted vendor to request an update of the CVSS score
- 21/03/2022: Vendor replied that the score cannot be modified
- 04/04/2022: This security advisory published