CVE-2023-39448: JVN#82758000: Multiple vulnerabilities in SHIRASAGI

Published:2023/09/04 Last Updated:2023/09/04

Overview

SHIRASAGI contains multiple vulnerabilities.

Products Affected

• SHIRASAGI versions prior to v1.18.0

Description

SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below.

• Reflected cross-site scripting (CWE-79) - CVE-2023-36492

  CVSS v3

  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

  Base Score: 6.1

  CVSS v2

  AV:N/AC:H/Au:N/C:N/I:P/A:N

  Base Score: 2.6

• Stored cross-site scripting (CWE-79) - CVE-2023-38569

  CVSS v3

  CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

  Base Score: 5.4

  CVSS v2

  AV:N/AC:M/Au:S/C:N/I:P/A:N

  Base Score: 3.5

• Path traversal (CWE-22) - CVE-2023-39448

  CVSS v3

  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

  Base Score: 4.3

  CVSS v2

  AV:N/AC:L/Au:S/C:N/I:P/A:N

  Base Score: 4.0

Impact

• A remote attacker may execute an arbitrary script on the web browser of the user who is logging in to the product - CVE-2023-36492, CVE-2023-38569
• A user of the product may alter or create arbitrary files on the server, resulting in arbitrary code execution - CVE-2023-39448

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the version listed below that addresses the vulnerabilities.

• SHIRASAGI v1.18.0

For more information, refer to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2023-36492, CVE-2023-38569
Taiga Shirakura of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-39448
Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information