JVN#73169744
Multiple vulnerabilities in multiple PHP Factory products

Overview

Multiple products provided by PHP Factory contain multiple vulnerabilities.

Products Affected

CVE-2020-5615

• [Calendar01] free edition ver1.0.0
• [Calendar02] free edition ver1.0.0

• [Calendar01] free edition ver1.0.0
• [Calendar02] free edition ver1.0.0
• [PKOBO-News01] free edition ver1.0.3 and earlier
• [PKOBO-vote01] free edition ver1.0.1 and earlier
• [Telop01] free edition ver1.0.0
• [Gallery01] free edition ver1.0.3 and earlier
• [CalendarForm01] free edition ver1.0.3 and earlier
• [Link01] free edition ver1.0.0

Description

Multiple products provided by PHP Factory contain multiple vulnerabilities listed below.

• Cross-site Request Forgery (CWE-352) - CVE-2020-5615

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 4.3
  CVSS v2	AV:N/AC:H/Au:N/C:N/I:P/A:N	Base Score: 2.6

• Authentication bypass (CWE-287) - CVE-2020-5616

  CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N	Base Score: 4.8
  CVSS v2	AV:N/AC:H/Au:N/C:P/I:P/A:N	Base Score: 4.0

Impact

• If a user views a malicious page while logged in, unintended operations may be performed - CVE-2020-5615
• A remote attacker under certain conditions may log in to the product with administrative privileges - CVE-2020-5616

Solution

Update the software - CVE-2020-5615
Update the software to the latest version according to the information provided by the developer.

Add code to the affected file - CVE-2020-5616
Add code to the affected file according to the information provided by the developer.