Published:2020/10/20  Last Updated:2020/10/20

JVNVU#99467898
Local File Inclusion vulnerability in OneThird CMS

Overview

OneThird CMS contains a Local File Inclusion vulnerability.

Products Affected

  • OneThird CMS v1.96c and earlier

Description

OneThird CMS provided SpiQe Software is a content management system (CMS). OneThird CMS contains a Local File Inclusion vulnerability (CWE-98).

Impact

Sensitive information may be obtained or arbitrary code may be executed by an unauthenticated remote attacker.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The vulnerability was fixed in v1.96d.

Vendor Status

Vendor Link
SpiQe Software About urgent release (v1.96d)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

stypr of Flatt Security Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-5640
JVN iPedia