Published:2023/09/05 Last Updated:2023/09/05
JVN#78113802
Multiple vulnerabilities in F-RevoCRM
Overview
F-RevoCRM provided by Thinkingreed Inc. contains multiple vulnerabilities.
Products Affected
CVE-2023-41149
- F-RevoCRM version7.3.7 and version7.3.8
- F-RevoCRM 7.3 series prior to version7.3.8
Description
F-RevoCRM provided by Thinkingreed Inc. contains multiple vulnerabilities listed below.
- OS Command Injection (CWE-78) - CVE-2023-41149
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8 CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5 - Cross-site scripting vulnerability (CWE-79) - CVE-2023-41150
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4 CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
Impact
- An attacker who can access the product may execute an arbitrary OS command on the server where the product is running - CVE-2023-41149
- An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-41150
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Thinkingreed Inc. | Vulnerable | 2023/09/05 | Thinkingreed Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-41149 |
|
CVE-2023-41150 |
|
| JVN iPedia |
JVNDB-2023-000091 |
Update History
- 2023/09/05
- Fixed typo under the section [Overview], [Description] and [Vendor Status]