Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
jvnJapan Vulnerability NotesJVN:70977403
HistoryApr 10, 2024 - 12:00 a.m.

JVN#70977403: Multiple vulnerabilities in a-blog cms

2024-04-1000:00:00
Japan Vulnerability Notes
jvn.jp
2
cross-site scripting
server-side request forgery
directory traversal
code injection
cvss
arbitrary script
arbitrary files
arbitrary command
software update
workaround
product version.

7.5 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.

Stored cross-site scripting vulnerability in Entry editing pages (CWE-79) CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 CVE-2024-30419Server-side request forgery (CWE-918)CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N Base Score 4.4 CVE-2024-30420Directory traversal (CWE-22)CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5 CVE-2024-31394Stored cross-site scripting vulnerability in Schedule labeling pages (CWE-79)CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 CVE-2024-31395Code injection (CWE-94) CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.6 CVE-2024-31396

Impact

  • A user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product (CVE-2024-30419)
  • A user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public (CVE-2024-30420)
  • A user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server (CVE-2024-31394)
  • A user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page (CVE-2024-31395)
  • A user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server (CVE-2024-31396)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Apply the workaround
For CVE-2024-30420, CVE-2024-31394, CVE-2024-31395, and CVE-2024-31396 vulnerabilities, the developer also recommends applying workarounds to mitigate the impacts of these vulnerabilities.

For more information, refer to the information provided by the developer.

Products Affected

CVE-2024-30419, CVE-2024-31394, CVE-2024-31395

  • a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12
  • a-blog cms Ver.3.0.x series versions prior to Ver.3.0.32
  • a-blog cms Ver.2.11.x series versions prior to Ver.2.11.61
  • a-blog cms Ver.2.10.x series versions prior to Ver.2.10.53
    According to the developer, a-blog cms Ver.2.9 and earlier versions, which are now unsupported, are affected by the vulnerabilities as well.

CVE-2024-30420, CVE-2024-31396

  • a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12
  • a-blog cms Ver.3.0.x series versions prior to Ver.3.0.32

Related

nvd 5
cvelist 5
cve 5
vulnrichment 3
nvd
nvd
CVE-2024-30419
2024-05-22 05:15:52
CVE-2024-31396
2024-05-22 05:15:53
CVE-2024-31395
2024-05-22 05:15:53
cvelist
cvelist
CVE-2024-30419
2024-05-22 04:35:09
CVE-2024-30420
2024-05-22 04:35:26
CVE-2024-31396
2024-05-22 04:35:42
cve
cve
CVE-2024-30419
2024-05-22 05:15:52
CVE-2024-31396
2024-05-22 05:15:53
CVE-2024-30420
2024-05-22 05:15:52
vulnrichment
vulnrichment
CVE-2024-30419
2024-05-22 04:35:09
CVE-2024-31395
2024-05-22 04:35:37
CVE-2024-31394
2024-05-22 04:35:31

7.5 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON
Related for JVN:70977403
nvd5cvelist5cve5vulnrichment3