JVN#43215077: Multiple vulnerabilities in UNIVERSAL PASSPORT RX

UNIVERSAL PASSPORT RX provided by Japan System Techniques Co., Ltd. contains multiple vulnerabilities listed below.

Cross-site scripting (CWE-79) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 CVE-2023-42427Dependency on vulnerable third-party component (CWE-1395)
Known vulnerability in Primefaces library used in the product
Cross-site scripting (CWE-79) CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Base Score 4.8 CVE-2023-51436

Impact

• An arbitrary script may be executed on the web browser of the user who is using the product (CVE-2023-42427, CVE-2023-51436)
• A remote attacker may execute an arbitrary code on the system due to the known vulnerability in Primefaces library used in the product

Solution

CVE-2023-42427 and Dependency on vulnerable third-party component
According to the developer, they have notified “CVE-2023-42427” and “Dependency on vulnerable third-party component” to the users and the updating of the affected products have been completed.

CVE-2023-51436 Update the Software or Apply the Patch
The developer addressed the all vulnerabilities in the following version:

• UNIVERSAL PASSPORT RX version 1.0.9
  For more information, contact the developer.

Products Affected

CVE-2023-42427, Dependency on vulnerable third-party component

• UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.7
  CVE-2023-51436

• UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.8