Published:2020/08/21 Last Updated:2020/08/21
JVN#88315581
Multiple cross-site scripting vulnerabilities in Exment
Overview
Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities.
Products Affected
- Exment prior to version v3.6.0
Description
Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities listed below.
- Stored cross-site scripting vulnerability in some input fields (CWE-79) - CVE-2020-5619
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4 CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5 - Stored cross-site scripting vulnerability in upload files (CWE-79) - CVE-2020-5620
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4 CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
Impact
An arbitrary script may be executed on a logged-in user's web browser.
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Kajitori Co.,Ltd | Vulnerable | 2020/08/21 | Kajitori Co.,Ltd website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Ryoya Koyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2020-5619 |
|
CVE-2020-5620 |
|
| JVN iPedia |
JVNDB-2020-000054 |