|
[Japanese]
|
JVNDB-2023-000005
|
Multiple vulnerabilities in MAHO-PBX NetDevancer series
|
|
There are multiple vulnerabilities in the Management screen of MAHO-PBX NetDevancer series provided by Mahoroba Kobo, Inc.
OS Command Injection (CWE-78) - CVE-2023-22279
OS Command Injection (CWE-78) - CVE-2023-22280
Cross-Site Request Forgery (CWE-352) - CVE-2023-22286
Reflected Cross-site Scripting (CWE-79) - CVE-2023-22296
Masamu Asato of GMO Cyber Security by IERAE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 10.0 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-22279
|
CVSS V3 Severity:
Base Metrics
7.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
9.0 (High)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Complete
-
Integrity Impact: Complete
-
Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2023-22280
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-22286
|
CVSS V3 Severity:
Base Metrics
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-22296
|
|
|
Mahoroba Kobo, Inc.
- MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00
- MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00
- MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00
|
|
|
- An arbitrary OS command may be executed by a remote attacker - CVE-2023-22279
- An arbitrary OS command may be executed by an attacker who can log in to the product - CVE-2023-22280
- If a user views a malicious page while logged in, unintended operations may be performed - CVE-2023-22286
- An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-22296
|
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
|
|
Mahoroba Kobo, Inc.
|
|
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- OS Command Injection(CWE-78) [IPA Evaluation]
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2023-22279
- CVE-2023-22280
- CVE-2023-22286
- CVE-2023-22296
|
|
- JVN : JVN#99957889
|
|
- [2023/01/11]
Web page was published
|
