Published:2016/10/07  Last Updated:2016/10/07

JVN#80157683
SetucoCMS multiple vulnerabilities

Overview

SetucoCMS contains multiple vulnerabilities.

Products Affected

  • SetucoCMS

Description

SetucoCMS provided by SetucoCMS Project is a content management system (CMS). SetucoCMS contains multiple vulnerabilities listed below.

  • Cross-site request forgery - CVE-2016-4891
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0
  • Cross-site scripting - CVE-2016-4892
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • SQL injection - CVE-2016-4893
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
  • Denial-of-service (DoS) - CVE-2016-4894
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P Base Score: 5.0
  • Code injection - CVE-2016-4895
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
  • Session management - CVE-2016-4896
    CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Base Score: 4.2
    CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N Base Score: 4.0

Impact

The impact of each vulnerability is as follows.

  • Unintended operations such as setting change may be performed - CVE-2016-4891
  • An arbitrary script may be executed on the user's web browser - CVE-2016-4892
  • An arbitrary SQL command may be executed - CVE-2016-4893
  • A remote attacker may be able to cause a denial-of-service (DoS) - CVE-2016-4894
  • Arbitrary code may be executed - CVE-2016-4895
  • Information may be disclosed or altered - CVE-2016-4896

Solution

Do not use SetucoCMS
SetucoCMS is no longer being developed or maintained.
It is recommended to stop using SetucoCMS.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning partnership.

CVE-2016-4891, CVE-2016-4892
Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. and Shoji Baba

CVE-2016-4893, CVE-2016-4894, CVE-2016-4895
Shoji Baba

CVE-2016-4896
Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc.