
JVNDB-2024-000057

Multiple vulnerabilities in UNIVERSAL PASSPORT RX

Overview

UNIVERSAL PASSPORT RX provided by Japan System Techniques Co., Ltd. contains multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79) - CVE-2023-42427

  • Dependency on vulnerable third-party component (CWE-1395)

    Known vulnerability in Primefaces library used in the product

  • Cross-site scripting (CWE-79) - CVE-2023-51436


CVE-2023-42427
Japan System Techniques Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Japan System Techniques Co., Ltd. coordinated under the Information Security Early Warning Partnership.

Known vulnerability in Primefaces library
Morita Keiichi and Watanabe Kosuke of Tokyo Denki University reported to Japan System Techniques Co., Ltd. that this vulnerability still exists in the product, and coordinated with the developer. Japan System Techniques Co., Ltd. and JPCERT/CC published their respective advisories in order to notify users of this vulnerability.

CVE-2023-51436
MATSUMOTO Yuuki of Tokyo University of Information Sciences reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-42427


CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-51436

Affected Products


Japan System Techniques Co., Ltd.
  • UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.7 (CVE-2023-42427, Dependency on vulnerable third-party component)
  • UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.8 (CVE-2023-51436)

Impact

  • An arbitrary script may be executed on the web browser of the user who is using the product (CVE-2023-42427, CVE-2023-51436)

  • A remote attacker may execute arbitrary code on the system due to the known vulnerability in the Primefaces library used in the product

Solution

CVE-2023-42427 and Dependency on vulnerable third-party component

According to the developer, users have been notified of "CVE-2023-42427" and "Dependency on vulnerable third-party component", and the update of the affected products has been completed.



CVE-2023-51436

[Update the Software or Apply the Patch]

The developer addressed all of the vulnerabilities in the following version:

  • UNIVERSAL PASSPORT RX version 1.0.9


For more information, contact the developer.

Vendor Information

Japan System Techniques Co., Ltd.

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2023-42427
  2. CVE-2023-51436

References

  1. JVN: JVN#43215077

Revision History

  • [2024/06/03]
      Web page was published