|
[Japanese]
|
JVNDB-2023-000089
|
Multiple vulnerabilities in i-PRO VI Web Client
|
|
VI Web Client provided by i-PRO Co., Ltd. is Video Insight's video management software. VI Web Client contains multiple vulnerabilities listed below.- Open Redirect (CWE-601) - CVE-2023-38574
- Reflected Cross-site Scripting (CWE-79) - CVE-2023-39938
- View Stored Cross-site Scripting in View setting page (CWE-79) - CVE-2023-40535
- Stored Cross-site Scripting in Map setting page (CWE-79) - CVE-2023-40705
Michael Heinzl reported these vulnerabilities to i-PRO Co., Ltd. and coordinated with them. After the coordination was completed, the developer reported this case to IPA to notify users of the solution through JVN. JPCERT/CC coordinated with the developer for the publication.
|
|
CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-39938
|
CVSS V3 Severity:
Base Metrics
4.7 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
4.3 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-38574
|
CVSS V3 Severity:
Base Metrics
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-40535
|
CVSS V3 Severity:
Base Metrics
5.4 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Changed
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
3.5 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-40705
|
|
|
i-PRO Co., Ltd.
- VI Web Client prior to 7.9.6
|
|
|
- When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2023-38574
- An arbitrary script may be executed on a logged-in user's web browser - CVE-2023-39938
- When accessing a specially crafted page added by a remote authenticated attacker, an arbitrary script may be executed on a logged-in user's web browser - CVE-2023-40535, CVE-2023-40705
|
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
These vulnerabilities have been addressed in VI Web Client 7.9.6.
|
|
i-PRO Co., Ltd.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2023-38574
- CVE-2023-39938
- CVE-2023-40535
- CVE-2023-40705
|
|
- JVN : JVN#60140221
|
|
- [2023/08/31]
Web page was published
|
