[Japanese]

JVNDB-2022-000007

Multiple vulnerabilities in TransmitMail

Overview

TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below.

* Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146
* Cross-site scripting (CWE-79) - CVE-2022-21193

ishiyuriniwa reported these vulnerabilities to TAGAWA Takao and coordinated.
TAGAWA Takao reported these vulnerabilities to IPA to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-22146

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-21193
Affected Products


TAGAWA Takao
  • TransmitMail 2.5.0 to 2.6.1

Impact

* A remote attacker may obtain arbitrary files on the server - CVE-2022-22146
* An arbitrary script may be executed on the web browser of the user who is accessing a website that uses the product - CVE-2022-21193
Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

TAGAWA Takao
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
  2. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-22146
  2. CVE-2022-21193
References

  1. JVN : JVN#70100915
  2. National Vulnerability Database (NVD) : CVE-2022-22146
  3. National Vulnerability Database (NVD) : CVE-2022-21193
Revision History

  • [2022/01/25]
      Web page was published

Date Public2022/01/25
Date First Published2022/01/25
Date Last Updated2022/01/25