JVNDB-2020-009467
Multiple vulnerabilities in XOOPS module "XooNIps"
XOOPS module "XooNIps" contains multiple vulnerabilities listed below.
* SQL injection (CWE-89) - CVE-2020-5659
* Reflected cross-site scripting (CWE-79) - CVE-2020-5662
* Stored cross-site scripting (CWE-79) - CVE-2020-5663
* Deserialization of untrusted data (CWE-502) - CVE-2020-5664
stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated directly with the developer.
After that coordination was completed, the case was reported to JPCERT/CC, and JPCERT/CC coordinated the publication with the developer.
CVSS V3 Severity: Base Metrics 6.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
The above CVSS base score has been assigned to CVE-2020-5659
CVSS V3 Severity: Base Metrics 4.6 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base score has been assigned to CVE-2020-5662
CVSS V3 Severity: Base Metrics 4.6 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base score has been assigned to CVE-2020-5663
CVSS V3 Severity: Base Metrics 8.1 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base score has been assigned to CVE-2020-5664
Neuroinformatics Japan Center, RIKEN Center for Brain Science
* A logged-in user may obtain and/or modify information in the database - CVE-2020-5659
* An arbitrary script may be executed in the user's web browser - CVE-2020-5662, CVE-2020-5663
* Arbitrary code may be executed if untrusted data is deserialized - CVE-2020-5664
[Update the software]
Update the software to the latest version according to the information provided by the developer.
Neuroinformatics Japan Center, RIKEN Center for Brain Science
- Deserialization of Untrusted Data (CWE-502) [IPA Evaluation]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- SQL Injection (CWE-89) [IPA Evaluation]
- CVE-2020-5659
- CVE-2020-5662
- CVE-2020-5663
- CVE-2020-5664
- JVN : JVNVU#92053563
- [2020/11/09] Web page was published