DIVD-2021-00029 - Smartertrack
| Our reference | DIVD-2021-00029 |
| Case lead | Victor Gevers |
| Author | Finn van der Knaap |
| Researcher(s) | |
| CVE(s) | |
| Product | SmarterTrack |
| Versions | All versions / v100.0.8019.14010 |
| Recommendation | Upgrade to the latest version |
| Status | Closed |
| Last modified | 11 Oct 2022 15:57 |
Summary
On 17 November 2021, the case was created, and around the end of 2021 the investigation began. This concerns Windows servers that are running the latest version of SmarterTrack, which was at the time v100.0.8019.14010. Wietse found four different vulnerabilities, which are currently all fixed in the latest version.
What you can do
If you are using SmarterTrack, check your version number to see if you’re still vulnerable. If you are using an older version, then update by downloading the newer build here. There is also an opportunity to see if the vulnerabilities have been exploited on your system before.
What we are doing
We notified the SmarterTools, and they brought out a new, fully patched version.
Timeline
| Date | Description |
|---|---|
| 17 Oct 2021 | Vulnerabilities discovered by Wietse Boonstra |
| 17 Jan 2022 | Testing by DIVD conforms that the vulnerabilities are still present in the product |
| 29 Jan 2022 | Report sent to SmarterTrack |
| 29 Jan 2022 | Automatic vendor reply that email cannot be processed |
| 29 Jan 2022 | Ticket 24A-2988414F-0012 created via SmarterTrack website |
| 02 Feb 2022 | Ticket closed without resolution |
| 02 Feb 2022 | Email sent to security@smartertools.com |
| 02 Feb 2022 | Vendor ackknowledges receipt of email |
|
29 Jan 2022- 02 Feb 2022 |
Time to acknowledge receipt |
| 07 Feb 2022 | Vendor requests and receives additional details |
| 09 Feb 2022 | Vendor releases new update and asks us to retest vulnerabilities |
|
02 Feb 2022- 09 Feb 2022 |
Time to fix |
| 10 Feb 2022 | We confirm vulnerabilities have been fixed in build 8075 |
| 12 Mar 2022 | Limited Disclosure |
| 10 Oct 2022 | Case Closed |
gantt
title DIVD-2021-00029 - Smartertrack
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2021-00029 - Smartertrack (358 days) :2021-10-17, 2022-10-10
section Events
Vulnerabilities discovered by Wietse Boonstra : milestone, 2021-10-17, 0d
Testing by DIVD conforms that the vulnerabilities are still present in the product : milestone, 2022-01-17, 0d
Report sent to SmarterTrack : milestone, 2022-01-29, 0d
Automatic vendor reply that email cannot be processed : milestone, 2022-01-29, 0d
Ticket 24A-2988414F-0012 created via SmarterTrack website : milestone, 2022-01-29, 0d
Ticket closed without resolution : milestone, 2022-02-02, 0d
Email sent to security@smartertools.com : milestone, 2022-02-02, 0d
Vendor ackknowledges receipt of email : milestone, 2022-02-02, 0d
Time to acknowledge receipt (4 days) : 2022-01-29, 2022-02-02
Vendor requests and receives additional details : milestone, 2022-02-07, 0d
Vendor releases new update and asks us to retest vulnerabilities : milestone, 2022-02-09, 0d
Time to fix (7 days) : 2022-02-02, 2022-02-09
We confirm vulnerabilities have been fixed in build 8075 : milestone, 2022-02-10, 0d
Limited Disclosure : milestone, 2022-03-12, 0d
Case Closed : milestone, 2022-10-10, 0d
More information
- Vendor release notes
- CVE-2022-24384 - Refelective XSS in SmarterTrack v100.0.8019.14010
- CVE-2022-24385 - Unauthenticated downloading of ticket attachments in SmarterTrack v100.0.8019.14010
- CVE-2022-24386 - XSS on opening of chat in SmarterTrack v100.0.8019.14010
- CVE-2022-24387 - File upload and overwrite to app_data/Config in SmarterTrack v100.0.8019.14010