Published: 2019/07/05  Last Updated: 2019/07/05

JVN#37230341
Multiple vulnerabilities in Access analysis CGI An-Analyzer

Overview

Access analysis CGI An-Analyzer contains multiple vulnerabilities.

Products Affected

  • Access analysis CGI An-Analyzer released on June 24, 2019 and earlier

Description

Access analysis CGI An-Analyzer, provided by ANGLERSNET Co., Ltd., contains the multiple vulnerabilities listed below.

  • OS command injection in the Management Page (CWE-78) - CVE-2019-5987
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
  • Stored cross-site scripting in the Management Page (CWE-79) - CVE-2019-5988
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N Base Score: 5.0
  • DOM-based cross-site scripting in the Analysis Object Page (CWE-79) - CVE-2019-5989
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Information disclosure (CWE-200) - CVE-2019-5990
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:M/Au:N/C:P/I:N/A:N Base Score: 4.3

Impact

  • An attacker who can log in to the product may execute arbitrary OS commands. - CVE-2019-5987
  • An arbitrary script may be executed on the user's web browser. - CVE-2019-5988, CVE-2019-5989
  • A remote attacker may obtain a login password from the HTTP referer. - CVE-2019-5990

Solution

Apply an update file and fix the Analysis script
Download the latest script provided by the developer, update the file with the .cgi extension, and then fix the Analysis script.
For more information, refer to the developer's website.

Vendor Status

Vendor Link
ANGLERSNET Co., Ltd. Multiple vulnerabilities in An-Analyzer

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-5987, CVE-2019-5988, CVE-2019-5989, CVE-2019-5990
JVN iPedia: JVNDB-2019-000045