Published: 2024/06/03  Last Updated: 2024/06/03

JVN#43215077
Multiple vulnerabilities in UNIVERSAL PASSPORT RX

Overview

UNIVERSAL PASSPORT RX provided by Japan System Techniques Co., Ltd. contains multiple vulnerabilities.

Products Affected

CVE-2023-42427, Dependency on vulnerable third-party component

  • UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.7

CVE-2023-51436

  • UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.8

Description

UNIVERSAL PASSPORT RX provided by Japan System Techniques Co., Ltd. contains multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2023-42427
  • Dependency on vulnerable third-party component (CWE-1395)
    • Known vulnerability in Primefaces library used in the product
  • Cross-site scripting (CWE-79)
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score 4.8
    • CVE-2023-51436

Impact

  • An arbitrary script may be executed on the web browser of the user who is using the product (CVE-2023-42427, CVE-2023-51436)
  • A remote attacker may execute arbitrary code on the system due to the known vulnerability in Primefaces library used in the product

Solution

CVE-2023-42427 and Dependency on vulnerable third-party component
According to the developer, users have been notified of "CVE-2023-42427" and "Dependency on vulnerable third-party component", and the updating of the affected products has been completed.

CVE-2023-51436
Update the Software or Apply the Patch
The developer addressed all the vulnerabilities in the following version:

  • UNIVERSAL PASSPORT RX version 1.0.9

For more information, contact the developer.

Vendor Status

Vendor: Japan System Techniques Co., Ltd.
Link: UNIVERSAL PASSPORT RX (Text in Japanese)

Credit

CVE-2023-42427
Japan System Techniques Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Japan System Techniques Co., Ltd. coordinated under the Information Security Early Warning Partnership.

Known vulnerability in Primefaces library
Morita Keiichi and Watanabe Kosuke of Tokyo Denki University reported to Japan System Techniques Co., Ltd. that this vulnerability still exists in the product and coordinated. Japan System Techniques Co., Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.

CVE-2023-51436
MATSUMOTO Yuuki of Tokyo University of Information Sciences reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-42427, CVE-2023-51436
JVN iPedia: JVNDB-2024-000057