Published:2019/05/31 Last Updated:2019/05/31
JVN#88962935
Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"
Overview
WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities.
Products Affected
- Zoho SalesIQ 1.0.8 and earlier
Description
WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below.
- Cross-site Scripting (CWE-79) - CVE-2019-5962
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6 - Cross-site Request Forgery (CWE-352) - CVE-2019-5963
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
Impact
- An arbitrary script may be executed on the logged in user's web browser - CVE-2019-5962
- Accessing a specially crafted page may lead a logged in user to perform unintended operations - CVE-2019-5963
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Zoho SalesIQ Team | Zoho SalesIQ |
| Live Chat Customer Support Software - Zoho SalesIQ |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Kouhei Ikeda of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2019-5962 |
|
CVE-2019-5963 |
|
| JVN iPedia |
JVNDB-2019-000030 |