[Japanese]

JVNDB-2015-000139

baserCMS vulnerable to SQL injection

Overview

baserCMS contains an SQL injection vulnerability.
baserCMS is an open-source Contents Management System (CMS). baserCMS contains a vulnerability that allows an authenticated user to inject arbitrary SQL statements (CWE-89).

Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


baserCMS Users Community
  • BaserCMS 3.0.7 and earlier

Impact

A logged in attacker may execute arbitrary SQL statements.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

[Apply the Patch]
Patches for versions 3.0.0 through 3.0.7 have been released. For more information, refer to "How to Apply the Patches".
Vendor Information

baserCMS Users Community
CWE (What is CWE?)

  1. SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-5641
References

  1. JVN : JVN#79633796
  2. National Vulnerability Database (NVD) : CVE-2015-5641
Revision History

[2015/09/30]
  Web page was published
[2015/10/07]
  References : Content was added