JVN#74538317
Multiple vulnerabilities in Exment
Overview
Exment provided by Kajitori Co.,Ltd contains multiple vulnerabilities.
Products Affected
- Exment v6.1.4 and earlier
- Exment v5.0.11 and earlier
Description
Exment provided by Kajitori Co.,Ltd contains multiple vulnerabilities listed below.
Impact
- A logged-in user with table management permission may obtain and/or alter information in tables they are not authorized to access (CVE-2024-46897)
- When accessing the edit screen containing custom columns (column type: images or files), an arbitrary script may be executed on the web browser of the user (CVE-2024-47793)
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released v6.1.5 and v5.0.12 that contain the fixes for these vulnerabilities.
Apply the workaround
The developer provides workaround information for users who cannot immediately update the affected product to the latest version.
Refer to the information provided by the developer.
Credit
CVE-2024-46897
masataka sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2024-47793
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
- CVE: CVE-2024-46897, CVE-2024-47793
- JVN iPedia: JVNDB-2024-000110