JVNDB-2020-000058

[Japanese]
JVNDB-2020-000058
Multiple vulnerabilities in XOOPS module "XooNIps"
Overview
XOOPS module "XooNIps" contains multiple vulnerabilities listed below. * SQL injection (CWE-89) - CVE-2020-5624 * Cross-site Scripting (CWE-79) - CVE-2020-5625 Neuroinformatics Unit, Integrative Computational Brain Science Collaboration Division, RIKEN Center for Brain Science reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 7.3 (High) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: Low Integrity Impact: Low Availability Impact: Low CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial The above CVSS base scores have been assigned for CVE-2020-5624
CVSS V3 Severity: Base Metrics: 6.1 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None CVSS V2 Severity: Base Metrics: 4.3 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None The above CVSS base scores have been assigned for CVE-2020-5625
Affected Products

Neuroinformatics Japan Center, RIKEN Center for Brain Science XooNIps 3.48 and earlier

Impact
* A remote attacker may obtain and/or alter the information stored in the database - CVE-2020-5624 * Arbitrary Script may be executed on the user's web browser - CVE-2020-5625
Solution
[Update the software] Update the software to the latest version according to the information provided by the developer.
Vendor Information
Neuroinformatics Japan Center, RIKEN Center for Brain Science Neuroinformatics Japan Center, RIKEN Center for Brain Science : XooNIps Official Site (in Japanese) Neuroinformatics Japan Center, RIKEN Center for Brain Science : Release notice of XooNIps 3.49 (in Japanese)
CWE (What is CWE?)
Cross-site Scripting(CWE-79) [IPA Evaluation] SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)
CVE-2020-5624 CVE-2020-5625
References
JVN : JVN#40725650 National Vulnerability Database (NVD) : CVE-2020-5624 National Vulnerability Database (NVD) : CVE-2020-5625
Revision History
[2020/08/27] Web page was published


Date Public	2020/08/27
Date First Published	2020/08/27
Date Last Updated	2020/08/27

Multiple vulnerabilities in XOOPS module "XooNIps"