DIVD-2022-00064 - Multiple injection vulnerabilities identified within Axiell Iguana CMS
Our reference | DIVD-2022-00064 |
Case lead | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Product | Axiell Iguana CMS |
Versions | |
Recommendation | Upgrade to the latest version of Iguana. |
Status | Closed |
Last modified | 23 Jul 2024 09:59 CEST |
Summary
Multiple injection vulnerabilities have been identified in Axiell Iguana CMS. Leveraging these vulnerabilities could allow an attacker to compromise a website.
What you can do
Upgrade your Iguana version to 4.5.02 or higher.
What we are doing
DIVD is currently working with the finder and Axiell to get these vulnerabilities patched. Axiell is coordinating the patch process with its customers.
Timeline
Date | Description |
---|---|
08 Sep 2022 | First four vulnerabilities (Reflected XSS, LFI) are reported to DIVD; DIVD starts the evaluation and reporting process. |
08 Sep 2022 - 03 Nov 2022 | Time to fix first 4 CVEs |
03 Nov 2022 | Axiell releases Iguana 4.5.02, which contains a fix for CVE-2022-45049, CVE-2022-45050, CVE-2022-45051 and CVE-2022-45052. |
08 Sep 2022 - 03 Nov 2022 | Time to acknowledge first 4 CVEs |
03 Nov 2022 | First contact between Axiell and DIVD. |
17 Nov 2022 | Researcher and DIVD confirm that the first four vulnerabilities have been remediated with the patch. |
21 Nov 2022 | Researcher reports two additional vulnerabilities (SSRF and Reflected XSS). |
21 Nov 2022 | DIVD contacts Axiell about the additional vulnerabilities. |
03 Jan 2023 | Limited disclosure for the four CVEs |
21 Nov 2022 - 22 Jul 2024 | Case closed |