Published: 2020/10/20 Last Updated: 2020/10/20
JVNVU#99467898
Local File Inclusion vulnerability in OneThird CMS
Overview
OneThird CMS contains a Local File Inclusion vulnerability.
Products Affected
- OneThird CMS v1.96c and earlier
Description
OneThird CMS, provided by SpiQe Software, is a content management system (CMS). OneThird CMS contains a Local File Inclusion vulnerability (CWE-98).
Impact
Sensitive information may be obtained or arbitrary code may be executed by an unauthenticated remote attacker.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
The vulnerability was fixed in v1.96d.
Vendor Status
Vendor | Link |
SpiQe Software | About urgent release (v1.96d) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Credit
stypr of Flatt Security Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
Other Information
CVE | CVE-2020-5640 |