Published:2019/06/07 Last Updated:2019/06/07
JVN#58052567
Multiple vulnerabilities in Joruri Mail
Overview
Joruri Mail contains multiple vulnerabilities.
Products Affected
- Joruri Mail 2.1.4 and earlier
Description
Joruri Mail provided by SiteBridge Inc. contains multiple vulnerabilities listed below.
- Open Redirect (CWE-601) - CVE-2019-5965
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Session Management (CWE-639) - CVE-2019-5966
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Base Score: 5.4 CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:N Base Score: 5.8
Impact
- When accessing a specially crafted page, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack - CVE-2019-5965
- An attacker who can access the product may impersonate an arbitrary user. As a result, there is a possibility that information may be altered/disclosed - CVE-2019-5966
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| SiteBridge Inc. | Vulnerable | 2019/06/07 | SiteBridge Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2019-5965 |
|
CVE-2019-5966 |
|
| JVN iPedia |
JVNDB-2019-000031 |