DIVD-2022-00064 - Multiple injection vulnerabilities identified within Axiell Iguana CMS
| Our reference | DIVD-2022-00064 |
| Case lead | Max van der Horst |
| Researcher(s) |
|
| CVE(s) | |
| Product | Axiell Iguana CMS |
| Versions |
|
| Recommendation | Upgrade to the latest version of Iguana. |
| Status | Open |
| Last modified | 04 Jan 2023 16:22 |
Summary
Multiple injection vulnerabilities have been identified in Axiell Iguana CMS. Leveraging these vulnerabilities could allow an attacker to compromise a website.
What you can do
Upgrade your Iguana version to 4.5.02 or higher.
What we are doing
DIVD is currently working with the finder and Axiell to get these vulnerabilities patched. Axiell is coordinating the patch process with its customers, after which DIVD will run a scan to confirm.
Timeline
| Date | Description |
|---|---|
| 08 Sep 2022 | First four vulnerabilities (Reflected XSS, LFI) are reported to DIVD, DIVD starts evaluation and reporting process. |
|
08 Sep 2022- 03 Nov 2022 |
Time to fix first 4 CVEs |
| 03 Nov 2022 | Axiell releases Iguana 4.5.02, which contains a fix for CVE-2022-45049, CVE-2022-45050, CVE-2022-45051 and CVE-2022-45052. |
|
08 Sep 2022- 03 Nov 2022 |
Time to acknowledge first 4 CVEs |
| 03 Nov 2022 | First contact between Axiell and DIVD. |
| 17 Nov 2022 | Researcher and DIVD confirm that the first four vulnerabilities have been remediated with the patch. |
| 21 Nov 2022 | Researcher reports two additional vulnerabilities (SSRF and Reflected XSS). |
| 21 Nov 2022 | DIVD contacts Axiell about the additional vulnerabilities. |
| 03 Jan 2023 | Limited disclosure first four CVEs |
|
21 Nov 2022 ? |
Time to acknowldge additional two vulnerabilities |
|
21 Nov 2022 ? |
Time to fix additional two vulnerabilities |
gantt
title DIVD-2022-00064 - Multiple injection vulnerabilities identified within Axiell Iguana CMS
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2022-00064 - Multiple injection vulnerabilities identified within Axiell Iguana CMS (still open) :2022-09-08, 2023-12-13
section Events
First four vulnerabilities (Reflected XSS, LFI) are reported to DIVD, DIVD starts evaluation and reporting process. : milestone, 2022-09-08, 0d
Time to fix first 4 CVEs (56 days) : 2022-09-08, 2022-11-03
Axiell releases Iguana 4.5.02, which contains a fix for CVE-2022-45049, CVE-2022-45050, CVE-2022-45051 and CVE-2022-45052. : milestone, 2022-11-03, 0d
Time to acknowledge first 4 CVEs (56 days) : 2022-09-08, 2022-11-03
First contact between Axiell and DIVD. : milestone, 2022-11-03, 0d
Researcher and DIVD confirm that the first four vulnerabilities have been remediated with the patch. : milestone, 2022-11-17, 0d
Researcher reports two additional vulnerabilities (SSRF and Reflected XSS). : milestone, 2022-11-21, 0d
DIVD contacts Axiell about the additional vulnerabilities. : milestone, 2022-11-21, 0d
Limited disclosure first four CVEs : milestone, 2023-01-03, 0d
Time to acknowldge additional two vulnerabilities (?d): 2022-11-21, 2023-12-13
Time to fix additional two vulnerabilities (?d): 2022-11-21, 2023-12-13