JVN#73083905: Multiple vulnerabilities in WBCE CMS

2017-02-28T00:00:00
ID JVN:73083905
Type jvn
Reporter Japan Vulnerability Notes
Modified 2017-02-28T00:00:00

## Description

WBCE CMS, provided by the WBCE Team, is an open-source Content Management System (CMS). WBCE CMS contains the multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79) - CVE-2017-2118

    | Version | Vector | Base Score |
    |---|---|---|
    | CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
    | CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | 2.6 |

  • Directory traversal (CWE-22) - CVE-2017-2119

    | Version | Vector | Base Score |
    |---|---|---|
    | CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | 5.8 |
    | CVSS v2 | AV:N/AC:L/Au:N/C:P/I:N/A:N | 5.0 |

  • SQL injection (CWE-89) - CVE-2017-2120

    | Version | Vector | Base Score |
    |---|---|---|
    | CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | 4.7 |
    | CVSS v2 | AV:N/AC:L/Au:S/C:P/I:P/A:P | 6.5 |

## Impact

  • An arbitrary script may be executed on the user's web browser - CVE-2017-2118
  • An arbitrary local file on the server may be accessed by a remote attacker - CVE-2017-2119
  • An unexpected SQL command may be executed by a WBCE CMS administrator - CVE-2017-2120

Note that an arbitrary local file outside of WBCE CMS may be deleted by an administrator of WBCE CMS (CVE-2017-2119).
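The directory traversal above (CVE-2017-2119) lets a file name reach both a read and a delete operation without being confined to the directory the CMS intends to serve. The following is an added example, not WBCE CMS code and not the vendor's patch, of the canonical-path check that closes this class of bug for both operations; `resolveInsideBase`, `safeDelete`, `$baseDir` and `$relative` are assumed names, and the example needs PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example (not WBCE CMS code): confine a user-supplied file name to a
// fixed base directory before reading or deleting it. Missing this check is
// what turns a file handler into a CWE-22 read/delete primitive.

function resolveInsideBase(string $baseDir, string $relative): ?string
{
    // NUL bytes truncate paths in the C-level filesystem calls PHP wraps.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory must exist
    }
    // realpath() resolves "..", "." and symlinks against the real filesystem
    // and returns false when the target does not exist, so an absolute
    // $relative such as "/etc/passwd" never escapes: it is joined under $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return null;
    }
    // The target must be the base itself or lie strictly below it. Comparing
    // against the base plus a trailing separator stops "/var/www/media2"
    // from passing as a child of "/var/www/media".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function safeDelete(string $baseDir, string $relative): bool
{
    $target = resolveInsideBase($baseDir, $relative);
    // Refuse anything that is not a regular file inside the base directory,
    // which also excludes directories and dangling symlinks.
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demonstration: a throwaway media directory with one file.
$media = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cms-demo-media';
@mkdir($media);
file_put_contents($media . DIRECTORY_SEPARATOR . 'ok.txt', 'demo');
var_dump(resolveInsideBase($media, 'ok.txt'));
var_dump(resolveInsideBase($media, '../../etc/passwd'));
var_dump(safeDelete($media, '../../etc/passwd'));
var_dump(safeDelete($media, 'ok.txt'));
```

The same resolved path should be used for the subsequent `file_get_contents` or `unlink` call; re-deriving it from the raw input reopens the window the check was meant to close.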

## Solution

### Update the software

Update to the latest version according to the information provided by the developer.

### Apply the patch

The patch for WBCE CMS 1.1.3 to 1.1.10 is available.
Apply the patch according to the information provided by the developer.

## Products Affected

  • WBCE CMS 1.1.10 and earlier