Published: 2018/02/01  Last Updated: 2018/02/01

JVN#91393903
Multiple vulnerabilities in epg search result viewer(kkcald)

Overview

epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities.

Products Affected

  • epg search result viewer(kkcald) 0.7.21 and earlier (CVE-2018-0508, CVE-2018-0509)
  • epg search result viewer(kkcald) 0.7.19 and earlier (CVE-2018-0510)

Description

epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities listed below.

  • Cross-site Scripting (CWE-79) - CVE-2018-0508
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/AU:N/C:N/I:P/A:N Base Score: 4.3
  • Cross-site request forgery (CWE-352) - CVE-2018-0509
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:M/AU:N/C:N/I:P/A:N Base Score: 4.3
  • Buffer overflow (CWE-121) - CVE-2018-0510
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:M/AU:N/C:P/I:P/A:P Base Score: 6.8

Impact

  • An arbitrary script may be executed on the logged-in user's web browser - CVE-2018-0508
  • If a user views a malicious page while logged in, unintended operations may be performed - CVE-2018-0509
  • A remote attacker may perform an unintended operation or execute a DoS (denial of service) attack - CVE-2018-0510

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor  Status      Last Update  Vendor Notes
kkcal   Vulnerable  2018/02/01   kkcal website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2018-0508, CVE-2018-0509, CVE-2018-0510
JVN iPedia: JVNDB-2018-000006