[Japanese]

JVNDB-2021-000042

Multiple cross-site scripting vulnerabilities in multiple PHP Factory products

Overview

Multiple products provided by PHP Factory contain multiple cross-site scripting vulnerabilities listed below.
*Reflected cross-site scripting vulnerability (CWE-79) - CVE-2021-20723
*Reflected cross-site scripting vulnerability in the admin page (CWE-79) - CVE-2021-20724
*Reflected cross-site scripting vulnerability in the admin page (CWE-79) - CVE-2021-20725

apple502j reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20724

CVSS V3 Severity:
Base Metrics: 4.7 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20723

CVSS V3 Severity:
Base Metrics: 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20725
Affected Products


PHP Kobo
  • [Calendar01] (for 3 Devices) PHP Business Days, Schedule Calendar free edition 1.0.1 and earlier (CVE-2021-20725)
  • [MailForm01] PHP Multifunctional Mail Form free edition versions which the last updated date listed at the top of descriptions in the program file is from December 12, 2014 to July 27, 2018 (CVE-2021-20723)
  • [Telop01] PHP Telop, News Sticker, Headline CMS free edition 1.0.1 and earlier (CVE-2021-20724)

Impact

The expected impact depends on each vulnerability, but it may be affected as follows.
*An arbitrary script may be executed on the user's web browser - CVE-2021-20723
*An arbitrary script may be executed on the logged-in user's web browser - CVE-2021-20724, CVE-2021-20725
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

[Add code to the affected file]
In situations where updating the software is difficult, add code to the affected file according to the information provided by the developer.
Vendor Information

PHP Kobo
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-20723
  2. CVE-2021-20724
  3. CVE-2021-20725
References

  1. JVN : JVN#53910556
  2. National Vulnerability Database (NVD) : CVE-2021-20723
  3. National Vulnerability Database (NVD) : CVE-2021-20724
  4. National Vulnerability Database (NVD) : CVE-2021-20725
Revision History

  • [2021/05/21]
      Web page was published

Date Public2021/05/21
Date First Published2021/05/21
Date Last Updated2021/05/21