|
[Japanese]
|
JVNDB-2021-002282
|
Multiple vulnerabilities in Navigate CMS
|
|
Navigate CMS is an open source Contents Management System (CMS) provided by Naviwebs S.C.
Navigate CMS contains multiple vulnerabilities listed below.
* Reflected cross-site scripting in the Help feature (CWE-79)
* Reflected cross-site scripting (CWE-79) - CVE-2021-36454
* SQL injection (CWE-89) - CVE-2021-36455
Duong Xuan Hiep (Hydrasky) of VNCERT/CC reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC in order to notify users of the solutions via JVN.
|
|
CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2021-36455
|
CVSS V3 Severity:
Base Metrics:6.1 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-36454
|
|
|
Naviwebs S.C.
- Navigate CMS version 2.9.3 and earlier
|
|
|
An arbitrary script may be executed on the user's web browser.
An unauthorized user may obtain, modify, and/or delete information stored in the database.
|
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
|
|
Naviwebs S.C.
|
|
- Cross-site Scripting(CWE-79) [Other]
- SQL Injection(CWE-89) [Other]
|
|
- CVE-2021-36454
- CVE-2021-36455
|
|
- JVN : JVNVU#95261759
|
|
- [2021/08/20]
Web page was published
|
