Japan Vulnerability NotesJVN:31701509JVN#31701509: Multiple vulnerabilities in MicroEngine Mailform
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.5%
MicroEngine Mailform provided by MicroEngine Inc. contains multiple vulnerabilities listed below.
Unrestricted upload of file with dangerous type (CWE-434) - CVE-2023-27397
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | Base Score: 3.7 |
| CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3 |
Path traversal (CWE-22) - CVE-2023-27507
| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | Base Score: 3.7 |
| CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3 |
Impact
If the product’s file upload function and server save option are enabled, a remote attacker may save an arbitrary file on the server and execute it.
Solution
Update the Software
Update to version 1.1.9 or later according to the information provided by the developer.
Apply workarounds
The developer also provides the workaround information regarding this issue.
For more information, refer to the information provided by the developer.
Products Affected
- MicroEngine Mailform version 1.1.0 to 1.1.8
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.5%