[Japanese]
|
JVNDB-2020-000054
|
Multiple cross-site scripting vulnerabilities in Exment
|
Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities listed below.
* Stored cross-site scripting vulnerability in some input fields (CWE-79) - CVE-2020-5619
* Stored cross-site scripting vulnerability in upload files (CWE-79) - CVE-2020-5620
Ryoya Koyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5619
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5620
|
|
Kajitori Corporation
- Exment prior to version v3.6.0
|
|
An arbitrary script may be executed on a logged-in user's web browser.
|
[Update the software]
Update to the latest version according to the information provided by the developer.
|
Kajitori Corporation
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2020-5619
- CVE-2020-5620
|
- JVN : JVN#88315581
- National Vulnerability Database (NVD) : CVE-2020-5619
- National Vulnerability Database (NVD) : CVE-2020-5620
|
- [2020/08/21]
Web page was published
|