Japan Vulnerability NotesJVN:18765463JVN#18765463: Multiple cross-site scripting vulnerabilities in SHIRASAGI
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
56.6%
SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below.
Stored cross-site scripting vulnerability on Schedule function (CWE-79) - CVE-2023-22425
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Stored cross-site scripting vulnerability on Theme switching function (CWE-79) - CVE-2023-22427
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.8 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |
Impact
- An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-22425
- An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-22427
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
The developer addressed the vulnerabilities at the following version:
- SHIRASAGI v1.17.0
Products Affected
- SHIRASAGI v1.16.2 and earlier versions
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
56.6%