JVNDB-2020-009467

Multiple vulnerabilities in XOOPS module "XooNIps"

Overview

XOOPS module "XooNIps" contains multiple vulnerabilities listed below.

* SQL injection (CWE-89) - CVE-2020-5659
* Reflected cross-site scripting (CWE-79) - CVE-2020-5662
* Stored cross-site scripting (CWE-79) - CVE-2020-5663
* Deserialization of untrusted data (CWE-502) - CVE-2020-5664

stypr of Flatt Security Inc. reported these vulnerabilities to the developer and coordinated the disclosure with the developer directly.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.

CVSS Severity

CVSS V3 Severity:
Base Metrics: 6.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2020-5659


CVSS V3 Severity:
Base Metrics: 4.6 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5662


CVSS V3 Severity:
Base Metrics: 4.6 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2020-5663


CVSS V3 Severity:
Base Metrics: 8.1 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2020-5664

Affected Products

Neuroinformatics Japan Center, RIKEN Center for Brain Science
  • XooNIps 3.49 and earlier

Impact

* A logged in user may obtain and/or modify information in the database - CVE-2020-5659
* An arbitrary script may be executed on the user's web browser - CVE-2020-5662, CVE-2020-5663
* Arbitrary code may be executed if untrusted data is deserialized - CVE-2020-5664

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Neuroinformatics Japan Center, RIKEN Center for Brain Science

CWE

  1. Deserialization of Untrusted Data (CWE-502) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]
  3. SQL Injection (CWE-89) [IPA Evaluation]

CVE

  1. CVE-2020-5659
  2. CVE-2020-5662
  3. CVE-2020-5663
  4. CVE-2020-5664

References

  1. JVN : JVNVU#92053563
  2. National Vulnerability Database (NVD) : CVE-2020-5659
  3. National Vulnerability Database (NVD) : CVE-2020-5662
  4. National Vulnerability Database (NVD) : CVE-2020-5663
  5. National Vulnerability Database (NVD) : CVE-2020-5664

Revision History

  • [2020/11/09]
      Web page was published