Published:2017/02/28 Last Updated:2017/02/28
JVN#73083905
Multiple vulnerabilities in WBCE CMS
Overview
WBCE CMS contains multiple vulnerabilities.
Products Affected
- WBCE CMS 1.1.10 and earlier
Description
WBCE CMS provided by WBCE Team is an open-source Contents Management System (CMS). WBCE CMS contains multiple vulnerabilities listed below.
- Cross-site scripting (CWE-79) - CVE-2017-2118
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Directory traversal (CWE-22) - CVE-2017-2119
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Base Score: 5.8 CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0 - SQL injection (CWE-89) - CVE-2017-2120
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score: 4.7 CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
Impact
- An arbitrary script may be executed on the user's web browser - CVE-2017-2118
- An arbitrary local file on the server may be accessed by a remote attacker - CVE-2017-2119
- An unexpected SQL command may be executed by a WBCE CMS administrator - CVE-2017-2120
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Apply the Patch
The patch for WBCE CMS 1.1.3 to 1.1.10 is available.
Apply the patch according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| WBCE Team | Announcements >> WBCE 1.1.11 Security/Maintenance Rel. |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2017-2118 |
|
CVE-2017-2119 |
|
|
CVE-2017-2120 |
|
| JVN iPedia |
JVNDB-2017-000035 |
|
JVNDB-2017-000036 |
|
|
JVNDB-2017-000037 |