DIVD-2022-00064 - Multiple injection vulnerabilities identified within Axiell Iguana CMS

Our reference: DIVD-2022-00064
Case lead: Max van der Horst
Researcher(s):
CVE(s):
Product: Axiell Iguana CMS
Versions:
  • All versions prior to 4.5.02
Recommendation: Upgrade to the latest version of Iguana.
Status: Open
Last modified: 04 Jan 2023 16:22

Summary

Multiple injection vulnerabilities have been identified in Axiell Iguana CMS. Leveraging these vulnerabilities could allow an attacker to compromise a website.

What you can do

Upgrade your Iguana version to 4.5.02 or higher.

What we are doing

DIVD is currently working with the finder and Axiell to get these vulnerabilities patched. Axiell is coordinating the patch process with its customers, after which DIVD will run a scan to confirm.

Timeline

Date | Description
08 Sep 2022 | First four vulnerabilities (Reflected XSS, LFI) are reported to DIVD; DIVD starts the evaluation and reporting process.
08 Sep 2022 - 03 Nov 2022 | Time to fix first 4 CVEs
03 Nov 2022 | Axiell releases Iguana 4.5.02, which contains a fix for CVE-2022-45049, CVE-2022-45050, CVE-2022-45051 and CVE-2022-45052.
08 Sep 2022 - 03 Nov 2022 | Time to acknowledge first 4 CVEs
03 Nov 2022 | First contact between Axiell and DIVD.
17 Nov 2022 | Researcher and DIVD confirm that the first four vulnerabilities have been remediated with the patch.
21 Nov 2022 | Researcher reports two additional vulnerabilities (SSRF and Reflected XSS).
21 Nov 2022 | DIVD contacts Axiell about the additional vulnerabilities.
03 Jan 2023 | Limited disclosure of the first four CVEs
21 Nov 2022 - ? | Time to acknowledge additional two vulnerabilities
21 Nov 2022 - ? | Time to fix additional two vulnerabilities
[Gantt chart of the case timeline: time to acknowledge and time to fix the first four CVEs are both marked as 56 days (08 Sep 2022 to 03 Nov 2022); the two additional vulnerabilities have no acknowledgement or fix date yet and the case is still open.]

More information