Refine your search
3 vulnerabilities found for OpenPNE by OpenPNE
jvndb-2014-000009
Vulnerability from jvndb
Published
2014-01-24 12:36
Modified
2014-01-28 18:02
Summary
OpenPNE vulnerable to PHP Object Injection
Details
OpenPNE contains an issue in processing Cookie headers, which may result in a PHP Object Injection vulnerability.
Egidio Romano of Secunia reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000009.html",
"dc:date": "2014-01-28T18:02+09:00",
"dcterms:issued": "2014-01-24T12:36+09:00",
"dcterms:modified": "2014-01-28T18:02+09:00",
"description": "OpenPNE contains an issue in processing Cookie headers, which may result in a PHP Object Injection vulnerability.\r\n\r\nEgidio Romano of Secunia reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000009.html",
"sec:cpe": {
"#text": "cpe:/a:tejimaya:openpne",
"@product": "OpenPNE",
"@vendor": "OpenPNE",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000009",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN69986880/index.html",
"@id": "JVN#69986880",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5350",
"@id": "CVE-2013-5350",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5350",
"@id": "CVE-2013-5350",
"@source": "NVD"
},
{
"#text": "http://www.ipa.go.jp/security/ciadr/vul/20140124-jvn.html",
"@id": "Security Alert for OpenPNE vulnerable to PHP Object Injection (JVN#69986880)",
"@source": "IPA SECURITY ALERTS"
},
{
"#text": "https://secunia.com/advisories/54043/",
"@id": "Secunia Advisory SA54043 OpenPNE PHP Object Injection Vulnerability",
"@source": "Related Information"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "OpenPNE vulnerable to PHP Object Injection"
}
jvndb-2013-000038
Vulnerability from jvndb
Published
2013-05-13 13:39
Modified
2013-06-19 09:56
Summary
OpenPNE vulnerable to cross-site scripting
Details
The management screen in OpenPNE contains an issue in the processing of data input into the "mobile version color scheme configuration" item, which may result in a cross-site scripting vulnerability.
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000038.html",
"dc:date": "2013-06-19T09:56+09:00",
"dcterms:issued": "2013-05-13T13:39+09:00",
"dcterms:modified": "2013-06-19T09:56+09:00",
"description": "The management screen in OpenPNE contains an issue in the processing of data input into the \"mobile version color scheme configuration\" item, which may result in a cross-site scripting vulnerability.\r\n\r\nASAI Ken reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000038.html",
"sec:cpe": {
"#text": "cpe:/a:tejimaya:openpne",
"@product": "OpenPNE",
"@vendor": "OpenPNE",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2013-000038",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN18501376/",
"@id": "JVN#18501376",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2309",
"@id": "CVE-2013-2309",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2309",
"@id": "CVE-2013-2309",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "OpenPNE vulnerable to cross-site scripting"
}
jvndb-2010-000006
Vulnerability from jvndb
Published
2010-03-12 15:29
Modified
2010-03-12 15:29
Summary
OpenPNE authentication bypass vulnerability
Details
OpenPNE contains an authentication bypass vulnerability.
OpenPNE is an open source SNS (Social Networking Service) software. OpenPNE provides an "IP address range limitation" function to provide access to certain pages only to mobile devices. OpenPNE has an issue with the IP address range limitation function that may lead to an authentication bypass vulnerability. As a result, the "simple login" function for mobile phones may allow a remote attacker to bypass authentication.
Note that products are affected by this vulnerability only when mobile device support and IP address range limitation are both enabled.
According to the developer, in all versions of OpenPNE 1.6 and later, the IP adress range limitation function is either not implemented or not enabled by default. The developer has released information regarding this issue. For more information, refer to the information provided by the developer.
Hiromitsu Takagi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000006.html",
"dc:date": "2010-03-12T15:29+09:00",
"dcterms:issued": "2010-03-12T15:29+09:00",
"dcterms:modified": "2010-03-12T15:29+09:00",
"description": "OpenPNE contains an authentication bypass vulnerability.\r\n\r\nOpenPNE is an open source SNS (Social Networking Service) software. OpenPNE provides an \"IP address range limitation\" function to provide access to certain pages only to mobile devices. OpenPNE has an issue with the IP address range limitation function that may lead to an authentication bypass vulnerability. As a result, the \"simple login\" function for mobile phones may allow a remote attacker to bypass authentication. \r\n\r\nNote that products are affected by this vulnerability only when mobile device support and IP address range limitation are both enabled.\r\n\r\nAccording to the developer, in all versions of OpenPNE 1.6 and later, the IP adress range limitation function is either not implemented or not enabled by default. The developer has released information regarding this issue. For more information, refer to the information provided by the developer.\r\n\r\nHiromitsu Takagi reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000006.html",
"sec:cpe": {
"#text": "cpe:/a:tejimaya:openpne",
"@product": "OpenPNE",
"@vendor": "OpenPNE",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2010-000006",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN06874657/index.html",
"@id": "JVN#06874657",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1040",
"@id": "CVE-2010-1040",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1040",
"@id": "CVE-2010-1040",
"@source": "NVD"
},
{
"#text": "http://www.ipa.go.jp/security/english/vuln/201003_openpne_en.html",
"@id": "Security Alert for OpenPNE Vulnerability",
"@source": "IPA SECURITY ALERTS"
},
{
"#text": "http://secunia.com/advisories/38857",
"@id": "SA38857",
"@source": "SECUNIA"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
}
],
"title": "OpenPNE authentication bypass vulnerability"
}