Action not permitted
Modal body text goes here.
Modal Title
Modal Body
jvndb-2024-000039
Vulnerability from jvndb
Published
2024-04-10 13:55
Modified
2024-04-10 13:55
Severity ?
Summary
Multiple vulnerabilities in a-blog cms
Details
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability in Entry editing pages (CWE-79) - CVE-2024-30419
* Server-side request forgery (CWE-918) - CVE-2024-30420
* Directory traversal (CWE-22) - CVE-2024-31394
* Stored cross-site scripting vulnerability in Schedule labeling pages (CWE-79) - CVE-2024-31395
* Code injection (CWE-94) - CVE-2024-31396
Rikuto Tauchi of sangi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN70977403/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-30419 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-30420 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-31394 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-31395 | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2024-31396 | |
| Path Traversal(CWE-22) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| Code Injection(CWE-94) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html | |
| No Mapping(CWE-Other) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| appleple inc. | a-blog cms |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000039.html",
"dc:date": "2024-04-10T13:55+09:00",
"dcterms:issued": "2024-04-10T13:55+09:00",
"dcterms:modified": "2024-04-10T13:55+09:00",
"description": "a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.\r\n\r\n * Stored cross-site scripting vulnerability in Entry editing pages (CWE-79) - CVE-2024-30419\r\n * Server-side request forgery (CWE-918) - CVE-2024-30420\r\n * Directory traversal (CWE-22) - CVE-2024-31394\r\n * Stored cross-site scripting vulnerability in Schedule labeling pages (CWE-79) - CVE-2024-31395\r\n * Code injection (CWE-94) - CVE-2024-31396\r\n\r\nRikuto Tauchi of sangi reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000039.html",
"sec:cpe": {
"#text": "cpe:/a:appleple:a-blog_cms",
"@product": "a-blog cms",
"@vendor": "appleple inc.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.6",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000039",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN70977403/index.html",
"@id": "JVN#70977403",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-30419",
"@id": "CVE-2024-30419",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-30420",
"@id": "CVE-2024-30420",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-31394",
"@id": "CVE-2024-31394",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-31395",
"@id": "CVE-2024-31395",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-31396",
"@id": "CVE-2024-31396",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-94",
"@title": "Code Injection(CWE-94)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in a-blog cms"
}
cve-2024-31395
Vulnerability from cvelistv5
Published
2024-05-22 04:35
Modified
2024-10-31 14:53
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | appleple inc. | a-blog cms Ver.3.1.x series |
Version: prior to Ver.3.1.12 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:24:22.284116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T14:53:49.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:37.216Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31395",
"datePublished": "2024-05-22T04:35:37.216Z",
"dateReserved": "2024-04-03T02:24:22.988Z",
"dateUpdated": "2024-10-31T14:53:49.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-30419
Vulnerability from cvelistv5
Published
2024-05-22 04:35
Modified
2024-08-02 01:32
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | appleple inc. | a-blog cms Ver.3.1.x series |
Version: prior to Ver.3.1.12 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.0.32",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.11.61",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
},
{
"lessThan": "2.10.53",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:36:51.156737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T16:16:04.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:09.652Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-30419",
"datePublished": "2024-05-22T04:35:09.652Z",
"dateReserved": "2024-03-27T03:59:36.078Z",
"dateUpdated": "2024-08-02T01:32:07.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-30420
Vulnerability from cvelistv5
Published
2024-05-22 04:35
Modified
2024-08-19 19:36
Severity ?
EPSS score ?
Summary
Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public.
References
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | appleple inc. | a-blog cms Ver.3.1.x series |
Version: prior to Ver.3.1.12 |
||||
|
|||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.32",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T19:22:17.028297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T19:36:17.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:26.240Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-30420",
"datePublished": "2024-05-22T04:35:26.240Z",
"dateReserved": "2024-03-27T03:59:36.078Z",
"dateUpdated": "2024-08-19T19:36:17.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-31394
Vulnerability from cvelistv5
Published
2024-05-22 04:35
Modified
2024-08-02 01:52
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | appleple inc. | a-blog cms Ver.3.1.x series |
Version: prior to Ver.3.1.12 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31394",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T17:10:48.613952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:37:08.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:31.768Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31394",
"datePublished": "2024-05-22T04:35:31.768Z",
"dateReserved": "2024-04-03T02:24:22.988Z",
"dateUpdated": "2024-08-02T01:52:56.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-31396
Vulnerability from cvelistv5
Published
2024-05-22 04:35
Modified
2024-08-02 01:52
Severity ?
EPSS score ?
Summary
Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server.
References
Impacted products
| Vendor | Product | Version | |||||
|---|---|---|---|---|---|---|---|
| ▼ | appleple inc. | a-blog cms Ver.3.1.x series |
Version: prior to Ver.3.1.12 |
||||
|
|||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:3.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.0.32",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T17:39:52.677007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:44:24.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:42.765Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31396",
"datePublished": "2024-05-22T04:35:42.765Z",
"dateReserved": "2024-04-03T08:01:33.449Z",
"dateUpdated": "2024-08-02T01:52:56.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.