JVNDB-2024-000114
Multiple vulnerabilities in baserCMS
[Overview]
baserCMS provided by baserCMS Users Community contains the multiple vulnerabilities listed below.
- Stored cross-site scripting vulnerability due to inappropriate Slug handling on Article Edit (CWE-79) - CVE-2024-46996
- Stored cross-site scripting vulnerability on Edit Email Form Settings (CWE-79) - CVE-2024-46998
- Reflected cross-site scripting vulnerability due to inadequate error page generation process (CWE-81) - CVE-2024-46995
- Stored cross-site scripting vulnerability due to inappropriate input data handling on Article Edit and Content List (CWE-79) - CVE-2024-46994
CVE-2024-46996
Ayato Shitomi of Fore-Z co.ltd and Rikuto Tauchi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-46998
Ayato Shitomi of Fore-Z co.ltd reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-46995
Yusuke Uchida reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-46994
Kyohei Ota of LEON TECHNOLOGY,Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
[CVSS Severity]
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-46995

CVSS V3 Severity: Base Metrics 5.4 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-46996

CVSS V3 Severity: Base Metrics 5.4 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-46998

CVSS V3 Severity: Base Metrics 5.4 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-46994
[Affected Products]
baserCMS Users Community
- baserCMS versions prior to 5.1.3 (baserCMS 5 series)
- baserCMS versions prior to 4.8.2 (baserCMS 4 series)
[Impact]
- If crafted data is input to the product, an arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the product. Also if a page containing crafted data is published, an arbitrary script may be executed on the web browser of the non-authenticated user viewing the page (CVE-2024-46996, CVE-2024-46998)
- If a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed on the web browser of the user (CVE-2024-46995, CVE-2024-46994)
[Solution]
[Update the Software]
Update to the latest version according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerabilities.
- baserCMS 5.1.3 (baserCMS 5 series)
- baserCMS 4.8.2 (baserCMS 4 series)
[Vendor Status]
baserCMS Users Community
[CWE]
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
[CVE]
- CVE-2024-46996
- CVE-2024-46998
- CVE-2024-46995
- CVE-2024-46994
[References]
- JVN : JVN#00876083
[Update History]
- [2024/10/25]
Web page was published