[Japanese]

JVNDB-2024-000003

Pleasanter vulnerable to cross-site scripting

Overview

Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability (CWE-79).

Masamitsu Kushi of Operation Group, Communication Technology Department, Digital Innovation HQ at Mitsubishi Heavy Industries, Ltd. reported this vulnerability to Implem Inc. and coordinated. After the coordination was completed, Implem Inc. reported the case to IPA under the Information Security Early Warning Partnership to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Implem Inc.
  • Pleasanter 1.3.49.0 and earlier versions

The developer states that Community Edition and Enterprise Edition are both affected.
Impact

If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Implem Inc.
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-21584
References

  1. JVN : JVN#51135247
Revision History

  • [2024/01/15]
      Web page was published

Date Public2024/01/15
Date First Published2024/01/15
Date Last Updated2024/01/15