JVNDB-2020-000058

Multiple vulnerabilities in XOOPS module "XooNIps"

Overview

XOOPS module "XooNIps" contains multiple vulnerabilities listed below.
* SQL injection (CWE-89) - CVE-2020-5624
* Cross-site Scripting (CWE-79) - CVE-2020-5625

Neuroinformatics Unit, Integrative Computational Brain Science Collaboration Division, RIKEN Center for Brain Science reported these vulnerabilities to IPA to notify users of their solution through JVN. JPCERT/CC coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics: 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics: 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2020-5624.

CVSS V3 Severity:
Base Metrics: 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5625.

Affected Products

Neuroinformatics Japan Center, RIKEN Center for Brain Science
  • XooNIps 3.48 and earlier

Impact

* A remote attacker may obtain and/or alter the information stored in the database - CVE-2020-5624
* Arbitrary script may be executed on the user's web browser - CVE-2020-5625

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Neuroinformatics Japan Center, RIKEN Center for Brain Science
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
  2. SQL Injection (CWE-89) [IPA Evaluation]

CVE

  1. CVE-2020-5624
  2. CVE-2020-5625

References

  1. JVN : JVN#40725650
  2. National Vulnerability Database (NVD) : CVE-2020-5624
  3. National Vulnerability Database (NVD) : CVE-2020-5625

Revision History

  • [2020/08/27]
      Web page was published