JVNDB-2021-002282

Multiple vulnerabilities in Navigate CMS

Navigate CMS is an open source Contents Management System (CMS) provided by Naviwebs S.C.
Navigate CMS contains multiple vulnerabilities listed below.

* Reflected cross-site scripting in the Help feature (CWE-79)
* Reflected cross-site scripting (CWE-79) - CVE-2021-36454
* SQL injection (CWE-89) - CVE-2021-36455

Duong Xuan Hiep (Hydrasky) of VNCERT/CC reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC in order to notify users of the solutions via JVN.

Naviwebs S.C.

• Navigate CMS version 2.9.3 and earlier

An arbitrary script may be executed on the user's web browser.
An unauthorized user may obtain, modify, and/or delete information stored in the database.

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Naviwebs S.C.

• GitHub : issue#23: Reflected XSS attack on the Help feature in NavigateCMS 2.9
• GitHub : issue#24: Reflected XSS attack with navigate-quickse parameter and affect many modules in NavigateCMS 2.9
• GitHub : issue#25: SQL injection UNION attack with quicksearch parameter in NavigateCMS 2.9
• Navigate CMS : Navigate CMS Update: 2.9.4

1. Cross-site Scripting(CWE-79) [Other]
2. SQL Injection(CWE-89) [Other]

1. CVE-2021-36454
2. CVE-2021-36455

1. JVN : JVNVU#95261759
2. National Vulnerability Database (NVD) : CVE-2021-36454
3. National Vulnerability Database (NVD) : CVE-2021-36455

• [2021/08/20]
    Web page was published