Published: 2018/10/19  Last Updated: 2018/10/19

JVN#36343375
Multiple vulnerabilities in YukiWiki

Overview

YukiWiki contains multiple vulnerabilities.

Products Affected

  • YukiWiki 2.1.3 and earlier

Description

YukiWiki is a Wiki engine. YukiWiki contains the multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79) - CVE-2018-0699
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • Processing a particular request consumes large amounts of CPU and memory resources (CWE-400) - CVE-2018-0700
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0

Impact

  • An arbitrary script may be executed on the user's web browser. - CVE-2018-0699
  • A remote attacker may be able to cause a denial-of-service (DoS) condition. - CVE-2018-0700

Solution

Do not use YukiWiki
YukiWiki is no longer being developed. It is recommended to stop using YukiWiki.

Vendor Status

Vendor: Hiroshi Yuki
Link: Information on end of YukiWiki

Credit

Tanaka Akira of National Institute of Advanced Industrial Science and Technology (AIST) reported the CVE-2018-0700 vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2018-0699, CVE-2018-0700
JVN iPedia: JVNDB-2018-000109