JVNDB-2024-000110

[Japanese]
JVNDB-2024-000110
Multiple vulnerabilities in Exment
Overview
Exment provided by Kajitori Co.,Ltd contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource (CWE-732) - CVE-2024-46897 Stored Cross-site Scripting (CWE-79) - CVE-2024-47793 CVE-2024-46897 masataka sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2024-47793 Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 3.8 (Low) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None The above CVSS base scores have been assigned for CVE-2024-46897
CVSS V3 Severity: Base Metrics 5.4 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None The above CVSS base scores have been assigned for CVE-2024-47793
Affected Products

Kajitori Co.,Ltd Exment v6.1.4 and earlier Exment v5.0.11 and earlier
Since Exment v4 and earlier run on no longer supported PHP versions, the developer has not conduct validation/testing against those versions.
Impact
A logged-in user with the permission of table management may obtain and/or alter the information of the unauthorized tables (CVE-2024-46897) When accessing the edit screen containing custom columns (column type: images or files), an arbitrary script may be executed on the web browser of the user (CVE-2024-47793)
Solution
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released v6.1.5 and v5.0.12 that contain the fixes for these vulnerabilities. [Apply the workaround] The developer provides the workaround information to the users who cannot update the affected product to the latest version immediately. Refer to the information provided by the developer.
Vendor Information
Kajitori Co.,Ltd Kajitori Co.,Ltd : [Important] Released versions v6.1.5 and v5.0.12, including vulnerability fixes (in Japanese) Kajitori Co.,Ltd : Release notes Kajitori Co.,Ltd : Patch / Vulnerability List Kajitori Co.,Ltd : Vulnerability response Unauthorized changes to custom table settings Kajitori Co.,Ltd : Vulnerability response Cross-site scripting
CWE (What is CWE?)
Cross-site Scripting(CWE-79) [IPA Evaluation] No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2024-46897 CVE-2024-47793
References
JVN : JVN#74538317
Revision History
[2024/10/11] Web page was published


Date Public	2024/10/11
Date First Published	2024/10/11
Date Last Updated	2024/10/11

Multiple vulnerabilities in Exment