Published:2023/09/04 Last Updated:2023/09/04
JVN#82758000
Multiple vulnerabilities in SHIRASAGI
Overview
SHIRASAGI contains multiple vulnerabilities.
Products Affected
- SHIRASAGI versions prior to v1.18.0
Description
SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below.
- Reflected cross-site scripting (CWE-79) - CVE-2023-36492
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Stored cross-site scripting (CWE-79) - CVE-2023-38569
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4 CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5 - Path traversal (CWE-22) - CVE-2023-39448
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
Impact
- A remote attacker may execute an arbitrary script on the web browser of the user who is logging in to the product - CVE-2023-36492, CVE-2023-38569
- A user of the product may alter or create arbitrary files on the server, resulting in arbitrary code execution - CVE-2023-39448
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the version listed below that addresses the vulnerabilities.
- SHIRASAGI v1.18.0
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2023-36492, CVE-2023-38569
Taiga Shirakura of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-39448
Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-36492 |
|
CVE-2023-38569 |
|
|
CVE-2023-39448 |
|
| JVN iPedia |
JVNDB-2023-000088 |