Published: 2019/03/15  Last Updated: 2019/03/15

JVN#06527859
KinagaCMS vulnerable to cross-site scripting

Overview

KinagaCMS contains multiple cross-site scripting vulnerabilities.

Products Affected

  • KinagaCMS versions prior to 6.5

Description

KinagaCMS is an open source Content Management System (CMS). KinagaCMS uses an old version of Bootstrap and therefore inherits multiple cross-site scripting vulnerabilities (CWE-79: CVE-2018-14040, CVE-2018-14041, CVE-2019-8331) that exist in Bootstrap.

Impact

The information on the system may be obtained or altered.

Solution

Update the Software
Apply the latest version of software according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Project Kinaga | Vulnerable | 2019/03/15 | Project Kinaga website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): Low (L)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)
CVSS v2: AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score: 4.3
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Partial (P)
Availability Impact (A): None (N)

Credit

Project Kinaga reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Project Kinaga coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2019-5926
JVN iPedia: JVNDB-2019-000019