[Japanese]
|
JVNDB-2020-009584
|
Multiple vulnerabilities in KonaWiki3
|
KonaWiki3 is a lightweight wiki clone that supports Japanese wiki notation. KonaWiki3 contains multiple vulnerabilities listed below.
* Path Traversal (CWE-22) - CVE-2020-5670
* Path Traversal (CWE-22) - CVE-2020-5671
* Stored Cross-site Scripting (CWE-79) - CVE-2020-5672
* Reflected Cross-site Scripting (CWE-79) - CVE-2020-5673
stypr of Flatt Security Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5671
|
CVSS V3 Severity:
Base Metrics:
4.7 (Medium) [JPCERT/CC Score]
-
Attack Vector: Adjacent
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5670
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5672
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5673
|
|
kujirahand
- KonaWiki 3.1.1 and earlier
|
|
* Inadequate query checking allows unauthorized disclosure of information stored above the target directory published as a website by a remote attacker. The exploit of this vulnerability is limited to the files with specific extension only. - CVE-2020-5670
* Inadequate query checking allows unauthorized disclosure of information stored above the target directory published as a website by a remote attacker. By exploiting this vulnerability, arbitrary files can be obtained. - CVE-2020-5671
* Because the sanitizing process is not performed properly, an arbitrary script is executed on the web browser of the user who accesses a wiki page containing a specially crafted content written by an attacker. - CVE-2020-5672
* Because the sanitizing process is not performed properly, an arbitrary script is executed on the web browser of the user who accesses a specially crafted URL. - CVE-2020-5673
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
* KonaWiki3.1.2
|
kujirahand
|
- Path Traversal(CWE-22) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2020-5670
- CVE-2020-5671
- CVE-2020-5672
- CVE-2020-5673
|
- JVN : JVNVU#99880454
|
- [2020/11/18]
Web page was published
|