[Japanese]
|
JVNDB-2021-000027
|
Multiple vulnerabilities in baserCMS
|
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.
*Improper Neutralization of JavaScript input in the page editing function (CWE-79) - CVE-2021-20681
*OS command injection (CWE-78) - CVE-2021-20682
*Improper Neutralization of JavaScript input in the blog article editing function (CWE-79) - CVE-2021-20683
CVE-2021-20681, CVE-2021-20682
Sho Odagiri of Information Science College reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2021-20683
Yamaguchi Kakeru reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20681
|
CVSS V3 Severity:
Base Metrics:
7.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics:
6.5 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20682
|
CVSS V3 Severity:
Base Metrics:
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics:
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20683
|
|
baserCMS Users Community
|
|
*An arbitrary script may be executed on the user's web browser - CVE-2021-20681, CVE-2021-20683
*An arbitrary OS command may be executed, by accessing the product with the administrator privileges - CVE-2021-20682
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
|
baserCMS Users Community
|
- OS Command Injection(CWE-78) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
- CVE-2021-20681
- CVE-2021-20682
- CVE-2021-20683
|
- JVN : JVN#64869876
- National Vulnerability Database (NVD) : CVE-2021-20681
- National Vulnerability Database (NVD) : CVE-2021-20682
- National Vulnerability Database (NVD) : CVE-2021-20683
|
- [2021/03/26]
Web page was published
|