JVNDB-2016-000167

Multiple plugins for Geeklog IVYWE edition vulnerable to cross-site scripting

Geeklog is an open source content management system (CMS). The Geeklog IVYWE edition plugins Assist, dataBox, and userBox each contain a cross-site scripting (CWE-79) vulnerability.

IVY WE CO.,LTD. reported this vulnerability to IPA and JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and IVY WE CO.,LTD. coordinated under the Information Security Early Warning Partnership.

Geeklog IVYWE edition is affected when the any of the following plugins are enabled:

IVY WE CO.,LTD.

• Assist plugin versions prior to 1.1.2.test20160906
• dataBox plugin versions prior to 0.0.0.20160906
• userBox plugin versions prior to 0.0.0.20160906

An arbitrary script may be executed on the web browser of a user who is logged on as an administrator.

[Apply the Patch]
Apply the appropriate patch according to the information provided by the developer.

[Apply a Workaround]
The following workaround may mitigate the affects of this vulnerability.

* Disable the Assist, dataBox and userBox plugins

IVY WE CO.,LTD.

• GitHub : [XSS fixed] Assist plugin og: metatag
• GitHub : [XSS fixed] headercode template ogp url
• IVY WE CO.,LTD. : Geeklog IVYWE edition Assist, dataBox, and userBox vulnerable to cross-site scripting (in Japanese)

1. Cross-site Scripting(CWE-79) [IPA Evaluation]

1. CVE-2016-4875

1. JVN : JVN#46087986
2. National Vulnerability Database (NVD) : CVE-2016-4875

• [2016/09/23]
    Web page was published
  [2017/05/23]
    References : Content was added