Published: 2018/05/31  Last Updated: 2018/05/31

JVN#27978559
Multiple vulnerabilities in Pixelpost

Overview

Pixelpost contains multiple vulnerabilities.

Products Affected

  • Pixelpost v1.7.3 and earlier

Description

Pixelpost, provided by Pixelpost.org, contains the multiple vulnerabilities listed below.

  • Arbitrary code execution - CVE-2018-0604
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score: 4.7
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
  • Cross-site scripting (CWE-79) - CVE-2018-0605
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • SQL injection (CWE-89) - CVE-2018-0606
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score: 4.7
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5

Impact

The possible impact of each vulnerability is as follows:

  • A user with administrative privilege may execute arbitrary code - CVE-2018-0604
  • An unauthenticated remote attacker may execute arbitrary scripts on the logged-in user's web browser - CVE-2018-0605
  • A user with administrative privilege may execute arbitrary SQL commands - CVE-2018-0606

Solution

Do not use Pixelpost
Pixelpost is no longer being developed or maintained. It is recommended to stop using Pixelpost.

Vendor Status

Vendor         Status      Last Update  Vendor Notes
Pixelpost.org  Vulnerable  2018/05/31

Credit

ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2018-0604, CVE-2018-0605, CVE-2018-0606
JVN iPedia: JVNDB-2018-000060