Japan Vulnerability Notes, JVN:46087986
Sep 23, 2016 - 12:00 a.m.

JVN#46087986: Multiple plugins for Geeklog IVYWE edition vulnerable to cross-site scripting

2016-09-23 00:00:00, Japan Vulnerability Notes, jvn.jp

CVSS2: 4.3 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.002 Low

  • Percentile: 53.6%

Geeklog is an open source content management system (CMS). The Geeklog IVYWE edition plugins Assist, dataBox, and userBox each contain a cross-site scripting (CWE-79) vulnerability.

Impact

An arbitrary script may be executed on the web browser of a user who is logged on as an administrator.

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.

Apply a Workaround
The following workaround may mitigate the effects of this vulnerability.

  • Disable the Assist, dataBox and userBox plugins

Products Affected

Geeklog IVYWE edition is affected when any of the following plugins are enabled:

  • Assist plugin versions prior to 1.1.2.test20160906
  • dataBox plugin versions prior to 0.0.0.20160906
  • userBox plugin versions prior to 0.0.0.20160906
