JVN#91393903: Multiple vulnerabilities in epg search result viewer(kkcald)

Overview

epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities.

epg search result viewer(kkcald) 0.7.21 and earlier (CVE-2018-0508, CVE-2018-0509)
epg search result viewer(kkcald) 0.7.19 and earlier (CVE-2018-0510)

epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities listed below.

Cross-site Scripting (CWE-79) - CVE-2018-0508

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1

CVSS v2 AV:N/AC:M/AU:N/C:N/I:P/A:N Base Score: 4.3
Cross-site request forgery (CWE-352) - CVE-2018-0509

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3

CVSS v2 AV:N/AC:M/AU:N/C:N/I:P/A:N Base Score: 4.3
Buffer overflow (CWE-121) - CVE-2018-0510

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score: 6.3

CVSS v2 AV:N/AC:M/AU:N/C:P/I:P/A:P Base Score: 6.8

An arbitrary script may be executed on the logged-in user's web browser - CVE-2018-0508
If a user views a malicious page while logged in, unintended operations may be performed - CVE-2018-0509
A remote attacker may perform an unintended operation or execute a DoS (denial of service) attack - CVE-2018-0510

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor	Status	Last Update	Vendor Notes
kkcal	Vulnerable	2018/02/01	kkcal website

Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	Base Score: 6.1
CVSS v2	AV:N/AC:M/AU:N/C:N/I:P/A:N	Base Score: 4.3

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
CVSS v2	AV:N/AC:M/AU:N/C:N/I:P/A:N	Base Score: 4.3

CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L	Base Score: 6.3
CVSS v2	AV:N/AC:M/AU:N/C:P/I:P/A:P	Base Score: 6.8