Published:2020/09/25  Last Updated:2020/09/25

JVNVU#93741515
CMONOS.JP vulnerable to cross-site scripting

Overview

CMONOS.JP contains a cross-site scripting vulnerability.

Products Affected

  • CMONOS.JP ver2.0.20191009 and earlier

Description

CMONOS.JP, provided by CMONOS Co. Ltd., is a content management system (CMS).
CMONOS.JP contains a stored cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed on the user's web browser.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The vulnerability was fixed in ver2.0.20200916.

Vendor Status

Vendor: CMONOS Co. Ltd.
Link: Download, CMONOS.JP version history

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)

Credit

stypr of Flatt Security Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.

Other Information

CVE: CVE-2020-5631