Research Advisory - Vulnerable Disclosure 10

Submitted by user123 on Fri, 07/23/2021 - 17:14
Aveva Vijeo Citect & Schneider Citect
Part No.
Server Crash
Disclosure Timeline
24-July-2019 Reported vulnerability to Aveva.
24-July-2019 Aveva said we'll confirm this.
26-July-2019 Aveva asked for a script and app file also.
26-July-2019 C3i sent script and app file with POC.
26-July-2019 Aveva asked for some other file also.
26-July-2019 C3i resolved the query of Aveva regarding files.
27-July-2019 Aveva appreciated our comments about the file.
29-July-2019 C3i asked for a case number & gave some files.
29-July-2019 Aveva provided us a case number regarding this
05-Aug-2019 C3i asked for an update about this case.
06-Aug-2019 Aveva confirmed this vulnerability and looking for a patch
about this.
12-Aug-2019 C3i Acknowledged their reply and waiting for an update on
22-Aug-2019 ICS-CERT assigned an ICSA for this vulnerability but still,
they didn't disclose it.
13-Sep-2019 C3i asked for an update about this.
14-Sep-2019 Aveva shared a patch with us.
01-Oct-2019 C3i commented on the released patch with some issue.
04-Oct-2019 Aveva mentioned some security bulletin points in his draft.
04-Oct-2019 C3i asked for a responsible discloser document.
10-Oct-2019 Shared a document.
11-Oct-2019 C3i suggest some point to mention in the document.
15-Oct-2019 Aveva uploaded this document on his website as a
17-Oct-2019 ICS-CERT released this vulnerability and update on his
website as a security notification.
21-Oct-2019 C3i acknowledged to Aveva about this vulnerability and
closed with the ICSA number.
CVE Number