Published: 2023/09/05  Last Updated: 2023/09/05

JVN#78113802
Multiple vulnerabilities in F-RevoCRM

Overview

F-RevoCRM provided by Thinkingreed Inc. contains multiple vulnerabilities.

Products Affected

CVE-2023-41149
  • F-RevoCRM version 7.3.7 and version 7.3.8
CVE-2023-41150
  • F-RevoCRM 7.3 series prior to version 7.3.8

Description

F-RevoCRM provided by Thinkingreed Inc. contains multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2023-41149
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Cross-site scripting (CWE-79) - CVE-2023-41150
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Impact

  • An attacker who can reach the product over the network may execute an arbitrary OS command on the server where the product is running; the CVSS vector (AV:N, PR:N, UI:N) indicates that no account and no user interaction are required - CVE-2023-41149
  • An arbitrary script may be executed in the web browser of a user of the product; the CVSS vector (PR:L, UI:R) indicates that the attacker needs a low-privileged account and the victim must interact with the crafted content - CVE-2023-41150
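The advisory only names the weakness classes (CWE-78 and CWE-79) and their impact, not the affected code paths. The following is an added, illustrative example in PHP (the language F-RevoCRM is written in) of what each class looks like beside its hardened form. It is not F-RevoCRM's code and does not show where the reported bugs are; the function names, the "report name" parameter and the "convert" command are assumptions made for the illustration.

```php
<?php
// Added example: generic CWE-78 and CWE-79 patterns with hardened counterparts.
// Not F-RevoCRM code. The "convert" command, the report-name parameter and all
// function names are assumptions chosen for illustration only.

// ---------- CWE-78: untrusted input reaches a shell command line ----------

// Vulnerable pattern: the value is concatenated straight into the command.
// A name such as "x; id" makes the shell run the injected command after the
// intended one. The function only BUILDS the string so the demo is safe to run.
function build_export_command_vulnerable(string $name): string
{
    return 'convert /tmp/reports/' . $name . '.pdf /tmp/out.png';
}

// Hardened pattern: reject anything outside a strict allow-list, then wrap the
// argument with escapeshellarg() so the shell treats it as one quoted word.
function build_export_command_hardened(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid report name');
    }
    $src = escapeshellarg('/tmp/reports/' . $name . '.pdf');
    return 'convert ' . $src . ' /tmp/out.png';
}

// A real caller would pass the hardened string to shell_exec(); the allow-list
// above is what keeps attacker-controlled metacharacters out of it.
function run_export(string $name): string
{
    return (string) shell_exec(build_export_command_hardened($name));
}

// ---------- CWE-79: untrusted input reaches an HTML response ----------

// Vulnerable pattern: the value is echoed into markup unencoded, so a stored
// value such as "<script>...</script>" executes in every viewer's browser.
function render_cell_vulnerable(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: HTML-encode at the output point. ENT_QUOTES also encodes
// quotes so the same helper is safe inside attribute values.
function render_cell_hardened(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// ---------- Constructed sample inputs (not from the advisory) ----------

$cmdPayload = 'x; id';
echo 'vulnerable command : ' . build_export_command_vulnerable($cmdPayload) . PHP_EOL;
try {
    echo 'hardened command   : ' . build_export_command_hardened($cmdPayload) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'hardened command   : rejected (' . $e->getMessage() . ')' . PHP_EOL;
}
echo 'hardened, valid    : ' . build_export_command_hardened('q3_sales') . PHP_EOL;

$xssPayload = '<script>alert(1)</script>';
echo 'vulnerable markup  : ' . render_cell_vulnerable($xssPayload) . PHP_EOL;
echo 'hardened markup    : ' . render_cell_hardened($xssPayload) . PHP_EOL;
```

Run with `php example.php`. The allow-list is the primary control for the command-injection case; escapeshellarg() is defence in depth, and avoiding the shell altogether (for example, proc_open() with an argument array on PHP 7.4+) is preferable where the command permits it. For the XSS case, encoding must happen at every output point, not once on input, because the same value may be rendered in HTML content, attributes and JavaScript contexts that each need different escaping.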

Solution

Apply the Patch
Apply the patch according to the information provided by the developer. Note that, per the Products Affected section, version 7.3.8 resolves CVE-2023-41150 but is still listed as affected by CVE-2023-41149, so upgrading to 7.3.8 alone is not sufficient; the developer's patch for CVE-2023-41149 must be applied as well.

Vendor Status

Vendor             Status      Last Update   Vendor Notes
Thinkingreed Inc.  Vulnerable  2023/09/05    Thinkingreed Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE         CVE-2023-41149
            CVE-2023-41150
JVN iPedia  JVNDB-2023-000091

Update History

2023/09/05
Fixed typos in the [Overview], [Description] and [Vendor Status] sections