Published: 2022/08/23 Last Updated: 2022/08/23
JVNVU#96002401
Multiple vulnerabilities in PukiWiki
Overview
PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities.
Products Affected
CVE-2022-34486
- PukiWiki versions 1.4.5 to 1.5.3
CVE-2022-27637
- PukiWiki versions 1.5.1 to 1.5.3
Description
PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities listed below.
- Path Traversal (CWE-22) - CVE-2022-34486
  CVSS v3 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N Base Score: 7.7
- Reflected Cross-site Scripting (CWE-79) - CVE-2022-27637
  CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
Impact
- An administrator of the product may execute a malicious script - CVE-2022-34486
- An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2022-27637
Solution
Update the Software
Update the Software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been fixed in version 1.5.4.
Vendor Status
Vendor | Link |
PukiWiki Development Team | PukiWiki/Errata (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Harold Kim reported these vulnerabilities to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC and JPCERT/CC coordinated with the developer for the publication.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2022-34486, CVE-2022-27637 |
JVN iPedia | |