Published: 2022/02/18  Last Updated: 2022/02/18

Information from appleple inc.

Vulnerability ID: JVN#14706307
Title: Multiple vulnerabilities in a-blog cms
Status: Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

We provide information on this issue at the following URL:
https://developer.a-blogcms.jp/blog/news/security-202202.html


A cross-site scripting vulnerability exists in the user name or entry title.
For sites where users with more than untrusted contributor privileges log in, or sites that use the default My Page, action is required.

■ Products Affected
Versions prior to a-blog cms Ver. 3.0.1 (Ver.3.0.x)
Versions prior to a-blog cms Ver. 2.11.42 (Ver.2.11.x)
Versions prior to a-blog cms Ver. 2.10.44 (Ver.2.10.x)
Versions prior to a-blog cms Ver. 2.9.40 (Ver.2.9.x)
Versions prior to a-blog cms Ver. 2.8.75 (Ver.2.8.x)


There is a possibility that the login restriction by IP address can be breached. (Username and password authentication will remain active.)

■ Products Affected
Versions prior to a-blog cms Ver. 2.11.41 (Ver.2.11.x)
Versions prior to a-blog cms Ver. 2.10.43 (Ver.2.10.x)
Versions prior to a-blog cms Ver. 2.9.39 (Ver.2.9.x)
Versions prior to a-blog cms Ver. 2.8.74 (Ver.2.8.x)


■ Solution
A fixed version has been released for each minor version.
Please update to the newer fixed version from "Products Affected".