JVN#31701509
Multiple vulnerabilities in MicroEngine Mailform
Overview
MicroEngine Mailform provided by MicroEngine Inc. contains multiple vulnerabilities.
Products Affected
- MicroEngine Mailform version 1.1.0 to 1.1.8
Description
MicroEngine Mailform provided by MicroEngine Inc. contains multiple vulnerabilities listed below.
- Unrestricted upload of file with dangerous type (CWE-434) - CVE-2023-27397
  CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | Base Score: 3.7
  CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3
- Path traversal (CWE-22) - CVE-2023-27507
  CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | Base Score: 3.7
  CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3
Impact
If the product's file upload function and server save option are enabled, a remote attacker may save an arbitrary file on the server and execute it.
Solution
Update the Software
Update to version 1.1.9 or later according to the information provided by the developer.
Apply workarounds
The developer also provides workaround information for this issue.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Link |
MicroEngine Inc. | Multiple Vulnerabilities in MicroEngine Mailform (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. and hibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2023-27397, CVE-2023-27507 |
JVN iPedia | JVNDB-2023-000043 |