Published: 2020/01/08 / Last Updated: 2020/01/08

Information from ThinkingReed inc.

Vulnerability ID: JVN#97325754
Title: F-RevoCRM vulnerable to cross-site scripting

This is a statement from the vendor itself with no modification by JPCERT/CC.

Affected versions: all versions from F-RevoCRM 6.0 to F-RevoCRM 6.5 patch6

An arbitrary script may be executed on the web browser of the user logged in to F-RevoCRM.

Due to this vulnerability, if a logged-in user follows a malicious link, unintended operations or information collection may be performed from that user's web browser.

The following is the degree of impact, rated according to CVSS v3.

・ Severity Critical
Not applicable

・ Severity High
Not applicable

・ Severity Medium
CVSS v3 base score: 6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (BS: 6.1)

・ Severity Low
Not applicable

This vulnerability can only be exploited while the user is logged in to F-RevoCRM. Therefore, before visiting external sites of low trustworthiness, the impact can be avoided by logging out of F-RevoCRM or by using a separate browser.
In addition, restricting access to inappropriate sites with a proxy server or similar can also be expected to reduce the impact.

Please update to F-RevoCRM 6.5 patch6.1.
For details on how to upgrade and apply patches, see the Readme that accompanies the program and patch files published on the member site.

In addition, customers who have signed a support contract with ThinkingReed will be contacted individually and assisted with applying the fix.