|
[Japanese]
|
JVNDB-2017-000042
|
OneThird CMS vulnerable to cross-site scripting
|
|
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability (CWE-79) due to an issue in processing the language selection screen.
Note that this vulnerability is different from JVN#13003724.
Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
SpiQe Software
- OneThird CMS v1.73 Heaven's Door and earlier
|
|
|
An arbitrary script may be executed on the user's web browser.
|
|
For the users who have installed OneThird CMS already:
[Update the Software]
Update to the latest version according to the information provided by the developer.
For the users who are to install OneThird CMS for the first time:
[Install using OneThird CMS Online Installer or OneThird CMS v1.80 Show Off and later]
Install using OneThird CMS Online Installer or OneThird CMS v1.80 Show Off and later according to the information provided by the developer.
|
|
SpiQe Software
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2017-2123
|
|
- JVN : JVN#49408248
- National Vulnerability Database (NVD) : CVE-2017-2123
|
|
- [2017/03/08]
Web page was published
[2017/06/01]
References : Content was added
|
