|
JVNDB-2022-000065
|
Multiple vulnerabilities in Exment
|
Exment, provided by Kajitori Co., Ltd., contains the multiple vulnerabilities listed below.
* Reflected cross-site scripting (CWE-79) - CVE-2022-38080
* SQL injection (CWE-89) - CVE-2022-37333
* Stored cross-site scripting (CWE-79) - CVE-2022-38089
CVE-2022-38080, CVE-2022-37333
Hibiki Moriyama of STNet, Incorporated reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVE-2022-38089
Yuya Chudo of N.F.Laboratories Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.5 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-37333
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.1 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-38080
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-38089
|
Kajitori Corporation
- exceedone/exment (PHP8) v5.0.2 and earlier
- exceedone/exment (PHP7) v4.4.2 and earlier
- exceedone/laravel-admin (PHP8) v3.0.0 and earlier
- exceedone/laravel-admin (PHP7) v2.2.2 and earlier
|
* An arbitrary script may be executed in the web browser of a user who accesses the website using the product - CVE-2022-38080, CVE-2022-38089
* Information in the database may be obtained or altered by a logged-in user - CVE-2022-37333
|
[Update the Software]
Update both Exment and laravel-admin to the latest version according to the information provided by the developer; the fix is split across the two packages, so updating only one of them leaves the installation affected.
The developer has released the following versions that contain the fixes for these vulnerabilities.
* For PHP8: exceedone/exment v5.0.3 and exceedone/laravel-admin v3.0.1
* For PHP7: exceedone/exment v4.4.3 and exceedone/laravel-admin v2.2.3
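Because the fixed releases sit on two branches per package (the PHP8 branch exment 5.x / laravel-admin 3.x and the PHP7 branch exment 4.x / laravel-admin 2.x), a naive "is the version at least 5.0.3" check misclassifies every PHP7 deployment. The script below is an added example, not part of this advisory or of the Exment project: it reads a Composer lock file, looks up both `exceedone/exment` and `exceedone/laravel-admin`, compares each installed version against the first fixed release of its own branch, and reports non-release strings such as `dev-master` as unknown rather than silently calling them safe. The fixed-version table is copied from this advisory; the sample lock file is constructed for the example.

```python
"""Added example: check a composer.lock for Exment / laravel-admin versions that
predate the fixed releases listed in JVN#46239102. Not the advisory's or the
project's own code; the fixed-version table is taken from the advisory and the
sample lock file below is constructed for illustration."""
import json
import re
from typing import Optional

# First fixed release per branch, from the advisory. Keys are the branch major
# version: exment 5.x / laravel-admin 3.x are the PHP8 branch, 4.x / 2.x the PHP7 branch.
FIXED_VERSIONS = {
    "exceedone/exment": {5: (5, 0, 3), 4: (4, 4, 3)},
    "exceedone/laravel-admin": {3: (3, 0, 1), 2: (2, 2, 3)},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Turn 'v5.0.2' or '5.0.2' into (5, 0, 2); return None for 'dev-master' and
    other strings Composer may record that carry no comparable release number."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(package: str, version: str) -> Optional[bool]:
    """True if this version is at or before the last vulnerable release of its
    branch, False if it is fixed, None if the version string cannot be compared."""
    branches = FIXED_VERSIONS[package]
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Use the newest branch whose major version is <= the installed major, so a
    # 6.x release is compared against the 5.x fix, a 4.x release against the 4.x fix.
    candidates = [major for major in branches if major <= parsed[0]]
    if not candidates:
        # Older than the oldest branch the developer patched ("v4.4.2 and earlier").
        return True
    fixed = branches[max(candidates)]
    return parsed < fixed


def check_composer_lock(lock_json: str) -> dict:
    """Return {package: is_affected} for every advisory package present in the
    lock file, scanning both the runtime and the dev package lists."""
    lock = json.loads(lock_json)
    results = {}
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            name = entry.get("name")
            if name in FIXED_VERSIONS:
                results[name] = is_affected(name, entry.get("version", ""))
    return results


# Constructed sample: a PHP8 deployment whose laravel-admin was bumped but whose
# Exment package was not, i.e. the half-applied update this check is meant to catch.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v9.2.0"},
        {"name": "exceedone/laravel-admin", "version": "v3.0.1"},
        {"name": "exceedone/exment", "version": "v5.0.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "fixed", None: "unknown (non-release version)"}
    for name, affected in check_composer_lock(SAMPLE_LOCK).items():
        print(f"{name}: {labels[affected]}")
```

Run it against a real deployment by replacing `SAMPLE_LOCK` with the contents of the application's `composer.lock`; a package that is absent from the lock file is simply not reported, and a `None` result means the version string has to be resolved by hand (for example a Git branch alias) before the installation can be called fixed.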
[Apply Workaround]
For users who cannot update the affected product to a fixed version, the developer provides a workaround that mitigates the impact of these vulnerabilities.
For details of the workaround, refer to the information provided by the developer.
|
Kajitori Corporation
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- SQL Injection (CWE-89) [IPA Evaluation]
|
- CVE-2022-38080
- CVE-2022-37333
- CVE-2022-38089
|
- JVN : JVN#46239102
- National Vulnerability Database (NVD) : CVE-2022-37333
- National Vulnerability Database (NVD) : CVE-2022-38080
- National Vulnerability Database (NVD) : CVE-2022-38089
|
- [2022/08/24]
Web page was published
- [2024/06/14]
References : Contents were added
|