Published: 2020/08/27  Last Updated: 2020/08/27

JVN#40725650
Multiple vulnerabilities in XOOPS module "XooNIps"

Overview

XOOPS module "XooNIps" contains multiple vulnerabilities.

Products Affected

  • XooNIps 3.48 and earlier

Description

XOOPS module "XooNIps" contains multiple vulnerabilities listed below.

  • SQL injection (CWE-89) - CVE-2020-5624
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Cross-site Scripting (CWE-79) - CVE-2020-5625
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3

Impact

  • A remote attacker may obtain and/or alter the information stored in the database - CVE-2020-5624
  • An arbitrary script may be executed on the user's web browser - CVE-2020-5625

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

  • Vendor: Neuroinformatics Unit, Integrative Computational Brain Science Collaboration Division, RIKEN Center for Brain Science
  • Links: XooNIps Official Site; Release notice of XooNIps 3.49

Credit

Neuroinformatics Unit, Integrative Computational Brain Science Collaboration Division, RIKEN Center for Brain Science reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC coordinated under the Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2020-5624, CVE-2020-5625
  • JVN iPedia: JVNDB-2020-000058