Information from UCHIDA YOKO CO., LTD.
Vulnerability ID: JVN#51394666
Title: Multiple vulnerabilities in wivia 5
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
[Description]
wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities listed below.
1. OS Command Injection (CWE-78)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 7.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H Base Score 6.7
2. Cross-site Scripting (CWE-79)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Base Score 5.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
3. Client-Side Enforcement of Server-Side Security (CWE-602)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 6.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score 6.5
[Impact]
1. An arbitrary OS command may be executed by a logged-in administrative user.
2. When a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user.
3. An unauthenticated attacker may bypass authentication and operate the affected device as the moderator user.