bingo!CMS vulnerable to authentication bypass


bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability (CWE-288) in some of the management functions.
Shift Tech Inc. states that attacks exploiting this vulnerability have been observed.

Shift Tech Inc. reported this vulnerability to IPA to notify users of its solution through JVN.
JPCERT/CC and Shift Tech Inc. coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Shift Tech Inc.
  • bingo!CMS version and earlier


Accessing a specific URL directly may allow a remote unauthenticated attacker to upload an arbitrary file.
As a result, an arbitrary script may be executed and/or a file may be altered.

[Update the software]
Update the software to the latest version according to the information provided by the developer.
This vulnerability has been addressed in version
Vendor Information

Shift Tech Inc.
CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
CVE

  1. CVE-2022-42458

  1. JVN : JVN#74592196
  2. IPA SECURITY ALERTS : Security Updates Available for bingo!CMS (JVN#74592196) (in Japanese)
  3. JPCERT : JPCERT-AT-2022-0026
Revision History

  • [2022/10/11]
      Web page was published