[Japanese]
|
JVNDB-2023-000083
|
Multiple vulnerabilities in LuxCal Web Calendar
|
LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2023-39543
* SQL injection (CWE-89) - CVE-2023-39939
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.3 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-39939
|
CVSS V3 Severity:
Base Metrics
6.1 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.3 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-39543
|
|
LuxSoft
- LuxCal Web Calendar (MySQL version) prior to 5.2.3M
- LuxCal Web Calendar (SQLite version) prior to 5.2.3L
|
|
* An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-39543
* A remote attacker may execute arbitrary queries against the database and obtain or alter the information in it - CVE-2023-39939
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerabilities in the following versions:
* LuxCal Web Calendar 5.2.3M (MySQL version)
* LuxCal Web Calendar 5.2.3L (SQLite version)
|
LuxSoft
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- SQL Injection(CWE-89) [IPA Evaluation]
|
- CVE-2023-39543
- CVE-2023-39939
|
- JVN : JVN#04876736
- National Vulnerability Database (NVD) : CVE-2023-39543
- National Vulnerability Database (NVD) : CVE-2023-39939
|
- [2023/08/21]
Web page was published
- [2024/03/26]
References : Contents were added
|