JVNDB-2022-000078
|
bingo!CMS vulnerable to authentication bypass
|
bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability (CWE-288) in some of the management functions.
Shift Tech Inc. states that attacks exploiting this vulnerability have been observed.
Shift Tech Inc. reported this vulnerability to IPA to notify users of its solution through JVN.
JPCERT/CC and Shift Tech Inc. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.5 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
Shift Tech Inc.
- bingo!CMS version 1.7.4.1 and earlier
|
By accessing a specific URL directly, a remote unauthenticated attacker may be able to upload an arbitrary file.
As a result, an arbitrary script may be executed and/or a file may be altered.
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
This vulnerability has been addressed in version 1.7.4.2.
|
Shift Tech Inc.
|
- Improper Authentication (CWE-287) [IPA Evaluation]
|
- CVE-2022-42458
|
- JVN : JVN#74592196
- National Vulnerability Database (NVD) : CVE-2022-42458
- IPA SECURITY ALERTS : Security Updates Available for bingo!CMS (JVN#74592196) (in Japanese)
- JPCERT : JPCERT-AT-2022-0026
|
- [2022/10/11]
Web page was published
- [2024/05/30]
References : Content was added
|