Published: 2019/12/20 Last Updated: 2019/12/20
JVN#10377257
Multiple vulnerabilities in a-blog cms
Overview
a-blog cms contains multiple vulnerabilities.
Products Affected
- a-blog cms prior to Ver.2.10.23 (Ver.2.10.x)
- a-blog cms prior to Ver.2.9.26 (Ver.2.9.x)
- a-blog cms prior to Ver.2.8.64 (Ver.2.8.x)
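A small triage helper, added here as an example and not part of the JVN advisory or of a-blog cms itself: it encodes the three fixed releases listed above and tells you whether an installed version string falls below the fix for its branch, so an inventory of a-blog cms hosts can be checked before patching. The `inventory` dict and host names are constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per branch, taken from the advisory's "Products Affected" list.
# Any version below the fixed release of its own branch is affected by
# CVE-2019-6033 and CVE-2019-6034.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2, 8): (2, 8, 64),
    (2, 9): (2, 9, 26),
    (2, 10): (2, 10, 23),
}

# Accepts "Ver.2.10.22", "Ver 2.10.22" or a bare "2.10.22".
_VERSION_RE = re.compile(r"^(?:Ver\.?\s*)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse an a-blog cms version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised a-blog cms version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed release of its branch, False if it
    is at or above it, None if the branch (e.g. 2.11.x) is not one the advisory
    covers, so the caller can triage it manually instead of assuming it is safe."""
    ver = parse_version(text)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return None
    return ver < fixed


def find_affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose a-blog cms version is known affected.
    `inventory` maps host name -> installed version string (constructed sample)."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver) is True)


if __name__ == "__main__":
    sample = {"web1": "Ver.2.10.22", "web2": "2.10.23", "web3": "2.8.10", "web4": "2.11.0"}
    print("needs update:", find_affected_hosts(sample))  # ['web1', 'web3']
```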
Description
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.
- Reflected cross-site scripting (CWE-79) - CVE-2019-6033
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
- Script injection due to a flaw in cookie processing (CWE-74) - CVE-2019-6034
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
Impact
An arbitrary script may be executed on the user's web browser.
Solution
Update the Software
Update to the appropriate latest version according to the information provided by the developer.
Apply a workaround
The following workaround may mitigate the impact of these vulnerabilities.
- Delete the following subordinate directory:
/ablogcms/php/vendor/pear/http_request2/tests/
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
appleple inc. | Vulnerable | 2019/12/20 | appleple inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Source | Identifier |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2019-6033, CVE-2019-6034 |
JVN iPedia | JVNDB-2019-000078 |