Published:2021/08/19  Last Updated:2021/08/19

JVNVU#95261759
Multiple vulnerabilities in Navigate CMS

Overview

Navigate CMS provided by Naviwebs S.C. contains multiple vulnerabilities.

Products Affected

  • Navigate CMS version 2.9.3 and earlier

Description

Navigate CMS is an open source Contents Management System (CMS) provided by Naviwebs S.C.
Navigate CMS contains multiple vulnerabilities listed below.

  • Reflected cross-site scripting in the Help feature (CWE-79)
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  • Reflected cross-site scripting (CWE-79) - CVE-2021-36454
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  • SQL injection (CWE-89) - CVE-2021-36455
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8

Impact

An arbitrary script may be executed on the user's web browser.
An unauthorized user may obtain, modify, and/or delete information stored in the database.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Duong Xuan Hiep (Hydrasky) of VNCERT/CC reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC in order to notify users of the solutions via JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia