|
[Japanese]
|
JVNDB-2026-000052
|
Multiple vulnerabilities in MATCHA series
|
|
MATCHA series provided by ICZ Corporation contains multiple vulnerabilities listed below.- SQL injection (CWE-89) - CVE-2026-24913
- Cross-site scripting (CWE-79) - CVE-2026-27787
- Unrestricted upload of file with dangerous type(CWE-434) - CVE-2026-33273
CVE-2026-24913, CVE-2026-27787
Kenta Chikagawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2026-33273
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
CVSS v4 Severity
Base Metrics: 8.7 (High) [IPA Score]
- Access Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): None
Vulnerable System Impact
- Confidentiality Impact (VC): High
- Integrity Impact (VI): High
- Availability Impact (VA): High
Subsequent System Impact
- Confidentiality Impact (SC): None
- Integrity Impact (SI): None
- Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-24913
|
CVSS v3 Severity
Base Metrics: 5.4(Medium) [IPA Score]
- Access Vector : Network
- Attack Complexity : Low
- Privileges Required : Low
- User Interaction : Required
- Scope : Changed
- Confidentiality Impact : Low
- Integrity Impact : Low
- Availability Impact : None
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
- Access Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): Low
- User Interaction (UI): Passive
Vulnerable System Impact
- Confidentiality Impact (VC): None
- Integrity Impact (VI): None
- Availability Impact (VA): None
Subsequent System Impact
- Confidentiality Impact (SC): Low
- Integrity Impact (SI): Low
- Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-27787
|
CVSS v3 Severity
Base Metrics: 4.7(Medium) [IPA Score]
- Access Vector : Network
- Attack Complexity : Low
- Privileges Required : High
- User Interaction : None
- Scope : Unchanged
- Confidentiality Impact : Low
- Integrity Impact : Low
- Availability Impact : Low
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
- Access Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): High
- User Interaction (UI): None
Vulnerable System Impact
- Confidentiality Impact (VC): Low
- Integrity Impact (VI): Low
- Availability Impact (VA): Low
Subsequent System Impact
- Confidentiality Impact (SC): None
- Integrity Impact (SI): None
- Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-33273
|
|
|
ICZ Corporation
- MATCHA SNS 1.3.9 and earlier (CVE-2026-27787)
- MATCHA INVOICE 2.6.6 and earlier (CVE-2026-24913, CVE-2026-33273)
|
|
|
- Information stored in the database may be obtained or altered by a user who can log in to the product (CVE-2026-24913)
- An arbitrary script may be executed on the web browser of the user who accessed the website using the product (CVE-2026-27787)
- An arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server (CVE-2026-33273)
|
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
|
|
ICZ Corporation
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- SQL Injection(CWE-89) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2026-24913
- CVE-2026-27787
- CVE-2026-33273
|
|
- JVN : JVN#33581068
|
|
- [2026/04/08]
Web page was published
|
