JVNDB-2024-000057
|
Multiple vulnerabilities in UNIVERSAL PASSPORT RX
|
UNIVERSAL PASSPORT RX provided by Japan System Techniques Co., Ltd. contains multiple vulnerabilities listed below.
- Cross-site scripting (CWE-79) - CVE-2023-42427
- Dependency on vulnerable third-party component (CWE-1395)
  - Known vulnerability in Primefaces library used in the product
- Cross-site scripting (CWE-79) - CVE-2023-51436
CVE-2023-42427
Japan System Techniques Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Japan System Techniques Co., Ltd. coordinated under the Information Security Early Warning Partnership.
Known vulnerability in Primefaces library
Morita Keiichi and Watanabe Kosuke of Tokyo Denki University reported to Japan System Techniques Co., Ltd. that this vulnerability still exists in the product and coordinated. Japan System Techniques Co., Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
CVE-2023-51436
MATSUMOTO Yuuki of Tokyo University of Information Sciences reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-42427
|
CVSS V3 Severity: Base Metrics 4.8 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-51436
|
|
Japan System Techniques Co., Ltd.
- UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.7 (CVE-2023-42427, Dependency on vulnerable third-party component)
- UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.8 (CVE-2023-51436)
|
|
- An arbitrary script may be executed on the web browser of the user who is using the product (CVE-2023-42427, CVE-2023-51436)
- A remote attacker may execute arbitrary code on the system due to the known vulnerability in the Primefaces library used in the product
|
CVE-2023-42427 and Dependency on vulnerable third-party component
According to the developer, users have been notified of "CVE-2023-42427" and "Dependency on vulnerable third-party component", and the updating of the affected products has been completed.
CVE-2023-51436
[Update the Software or Apply the Patch]
The developer addressed all the vulnerabilities in the following version:
- UNIVERSAL PASSPORT RX version 1.0.9
For more information, contact the developer.
|
Japan System Techniques Co., Ltd.
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2023-42427
- CVE-2023-51436
|
- JVN : JVN#43215077
|
- [2024/06/03]
Web page was published
|