Published:2019/05/31  Last Updated:2019/05/31

JVN#88962935
Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"

Overview

WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities.

Products Affected

  • Zoho SalesIQ 1.0.8 and earlier

Description

WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below.

  • Cross-site Scripting (CWE-79) - CVE-2019-5962
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • Cross-site Request Forgery (CWE-352) - CVE-2019-5963
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • An arbitrary script may be executed on the logged in user's web browser - CVE-2019-5962
  • Accessing a specially crafted page may lead a logged in user to perform unintended operations - CVE-2019-5963

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kouhei Ikeda of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2019-5962
CVE-2019-5963
JVN iPedia JVNDB-2019-000030