Headline
CVE-2022-42486: 2022/11/24 baserCMS における複数のクロスサイトスクリプティングの脆弱性
Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
baserCMSに複数のクロスサイトスクリプティングの脆弱性があります。
管理画面を不特定多数のユーザーに利用させている場合に対応が必要となる脆弱性です。
対象となる方は、早急に新バージョンへアップデートをお願いします。
公開日
2022/11/24
影響を受けるシステム
- baserCMS 4.7.1 およびそれ以前のバージョン
脆弱性
悪意のある JavaScript コードを実行すると、ページの表示が変更されたり、Cookie 情報が漏洩したりする可能性があります。
- お気に入り登録 (CVE-2022-39325)
- アクセス制限設定 (CVE-2022-41994)
- ユーザーグループ管理 (CVE-2022-42486)
対策方法****最新バージョンにアップデートする
最新バージョンにアップデートすることで対応する事ができます。
次のページより最新バージョンのダウンロードを行い、リリースノートに基づきバージョンアップ作業を行います。
- baserCMS ダウンロード
謝辞
この脆弱性情報公表にあたり、報告者である 株式会社CARTA HOLDINGSの小武 裕也氏、及び、三井物産セキュアディレクション株式会社の井餘田 笙悟氏に謝辞を申し上げます。
===================================================
There is a cross-site scripting vulnerability on the management system of baserCMS.
This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users.
If you are eligible, please update to the new version as soon as possible.
Target
baserCMS 4.7.1 and earlier versions
Vulnerability
Execution of malicious JavaScript code may alter the display of the page or leak cookie information.
- In Favorite registration (CVE-2022-39325)
- In Permission Settings (CVE-2022-41994)
- In User group management (CVE-2022-42486)
Countermeasures
Update to the latest version of baserCMS
Please refer to the following page to reference for more information.
https://basercms.net/security/JVN_53682526
Credits
Shogo Iyota@Mitsui Bussan Secure Directions, Inc.
YUYA KOTAKE@CARTA HOLDINGS, INC.
Related news
Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
There is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible. ### Target baserCMS 4.7.1 and earlier versions ### Vulnerability Execution of malicious JavaScript code may alter the display of the page or leak cookie information. - In Favorite registration (CVE-2022-39325) - In Permission Settings (CVE-2022-41994) - In User group management (CVE-2022-42486) ### Countermeasures Update to the latest version of baserCMS ### Credits - Shogo Iyota@Mitsui Bussan Secure Directions, Inc. - YUYA KOTAKE@CARTA HOLDINGS, INC.
BaserCMS is a content management system with a japanese language focus. In affected versions there is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. Users of baserCMS are advised to upgrade as soon as possible. There are no known workarounds for this vulnerability.
BaserCMS is a content management system with a japanese language focus. In affected versions there is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. Users of baserCMS are advised to upgrade as soon as possible. There are no known workarounds for this vulnerability.
BaserCMS is a content management system with a japanese language focus. In affected versions there is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. Users of baserCMS are advised to upgrade as soon as possible. There are no known workarounds for this vulnerability.