[Japanese]

JVNDB-2024-000039

Multiple vulnerabilities in a-blog cms

Overview

a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.

* Stored cross-site scripting vulnerability in Entry editing pages (CWE-79) - CVE-2024-30419
* Server-side request forgery (CWE-918) - CVE-2024-30420
* Directory traversal (CWE-22) - CVE-2024-31394
* Stored cross-site scripting vulnerability in Schedule labeling pages (CWE-79) - CVE-2024-31395
* Code injection (CWE-94) - CVE-2024-31396

Rikuto Tauchi of sangi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.6 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-31396

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-30419

CVSS V3 Severity:
Base Metrics 4.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-30420

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-31394

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-31395
Affected Products


appleple inc.
  • a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 (CVE-2024-30419, CVE-2024-31394, CVE-2024-31395)
  • a-blog cms Ver.3.0.x series versions prior to Ver.3.0.32 (CVE-2024-30419, CVE-2024-31394, CVE-2024-31395)
  • a-blog cms Ver.2.11.x series versions prior to Ver.2.11.61 (CVE-2024-30419, CVE-2024-31394, CVE-2024-31395)
  • a-blog cms Ver.2.10.x series versions prior to Ver.2.10.53 (CVE-2024-30419, CVE-2024-31394, CVE-2024-31395)
  • a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 (CVE-2024-30420, CVE-2024-31396)
  • a-blog cms Ver.3.0.x series versions prior to Ver.3.0.32 (CVE-2024-30420, CVE-2024-31396)

CVE-2024-30419, CVE-2024-31394, CVE-2024-31395
According to the developer, a-blog cms Ver.2.9 and earlier versions, which are now unsupported, are affected by the vulnerabilities as well.
Impact

* A user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product (CVE-2024-30419)
* A user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public (CVE-2024-30420)
* A user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server (CVE-2024-31394)
* A user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page (CVE-2024-31395)
* A user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server (CVE-2024-31396)
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

[Apply the workaround]
For CVE-2024-30420, CVE-2024-31394, CVE-2024-31395, and CVE-2024-31396 vulnerabilities, the developer also recommends applying workarounds to mitigate the impacts of these vulnerabilities.

For more information, refer to the information provided by the developer.
Vendor Information

appleple inc.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
  2. Cross-site Scripting(CWE-79) [IPA Evaluation]
  3. Code Injection(CWE-94) [IPA Evaluation]
  4. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-30419
  2. CVE-2024-30420
  3. CVE-2024-31394
  4. CVE-2024-31395
  5. CVE-2024-31396
References

  1. JVN : JVN#70977403
Revision History

  • [2024/04/10]
      Web page was published

Date Public2024/04/10
Date First Published2024/04/10
Date Last Updated2024/04/10