CVE-2022-45164

Abstract Advisory Information

A service exposed by the application allows a basic user to cancel (delete) a booking, created by another user, and for which is not a member of.

Author: Dominique Righetto

Version affected

Name: Archibus Web Central

Versions: 2022.03.01.107

Common Vulnerability Scoring System

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Patches

none

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45164

Vulnerability Disclosure Timeline

• 29/07/2022: Vulnerability discovery
• 29/07/2022: Vulnerability Report to CERT-XLM
• 29/07/2022: Vulnerability Report to Vendor through Contact Form
• 29/07/2022: Vulnerability Report to Vendor through Investigation and Contact form
• 12/08/2022: Vulnerability Report to Vendor through Investigation
• 19/08/2022: Vulnerability Report to Vendor through Investigation and Contact form
• 22/08/2022: Vulnerability Report to Vendor through contact point
• 24/08/2022: Update asked to contact point
• 02/09/2022: Vulnerability Report to Vendor through contact point
• 06/09/2022: Acknowledge from vendor, update and explanation of the disclosure process sent to vendor.
• 10/11/2022: Request CVE ID to Mitre
• 18/11/2022: CVE IDs assigned CVE-2022-45164
• 30/11/2022: Vulnerability disclosure