Published: 2024/05/09  Last Updated: 2024/05/09

JVN#97751842
Multiple vulnerabilities in MosP kintai kanri

Overview

MosP kintai kanri provided by esMind, LLC contains multiple vulnerabilities.

Products Affected

  • MosP kintai kanri V4.6.6 and earlier versions

Description

MosP kintai kanri provided by esMind, LLC contains multiple vulnerabilities listed below.

  • Path Traversal (CWE-22)
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5
    • CVE-2024-28880
  • Incorrect Permission Assignment for Critical Resource (CWE-732)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Base Score 6.5
    • CVE-2024-29078

Impact

  • A remote attacker who can log in to the product may obtain sensitive information of the product (CVE-2024-28880)
  • A remote unauthenticated attacker with access to the product may alter the product settings (CVE-2024-29078)

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor      | Status     | Last Update | Vendor Notes
esMind, LLC | Vulnerable | 2024/05/09  | esMind, LLC website

Credit

Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-28880, CVE-2024-29078
JVN iPedia: JVNDB-2024-000043