|
JVNDB-2019-000045
|
Multiple vulnerabilities in Access analysis CGI An-Analyzer
|
Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains multiple vulnerabilities listed below.
* OS command injection in the Management Page (CWE-78) - CVE-2019-5987
* Stored cross-site scripting in the Management Page (CWE-79) - CVE-2019-5988
* DOM-based cross-site scripting in the Analysis Object Page (CWE-79) - CVE-2019-5989
* Information disclosure (CWE-200) - CVE-2019-5990
Yuuta Watanabe of STNet, Incorporated reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 6.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2019-5987
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5988
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5989
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2019-5990
|
|
ANGLERSNET Co,.Ltd.
- Access analysis CGI An-Analyzer released on 2019 June 24 and earlier
|
|
* An attacker who can log in to the product may execute arbitrary OS commands. - CVE-2019-5987
* An arbitrary script may be executed on the user's web browser. - CVE-2019-5988, CVE-2019-5989
* A remote attacker may obtain a login password from the HTTP referer. - CVE-2019-5990
|
[Apply an update file and fix the Analysis script]
Download the latest script provided by the developer, update the file with the .cgi extension, and then fix the Analysis script.
For more information, refer to the developer's website.
|
ANGLERSNET Co,.Ltd.
|
- Information Exposure (CWE-200) [IPA Evaluation]
- OS Command Injection (CWE-78) [IPA Evaluation]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2019-5987
- CVE-2019-5988
- CVE-2019-5989
- CVE-2019-5990
|
- JVN : JVN#37230341
- National Vulnerability Database (NVD) : CVE-2019-5987
- National Vulnerability Database (NVD) : CVE-2019-5988
- National Vulnerability Database (NVD) : CVE-2019-5989
- National Vulnerability Database (NVD) : CVE-2019-5990
|
- [2019/07/05]
Web page was published
|