製品・ソフトウェアに関する情報

JVN脆弱性詳細

Open Journal Systems におけるクロスサイトスクリプティングの脆弱性

Title	Open Journal Systems におけるクロスサイトスクリプティングの脆弱性
Summary	Open Journal Systems には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者、またはリモート認証されたユーザにより、下記の項目を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (1) iBrowser プラグイン内の lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php の editor パラメータ (2) iBrowser プラグイン内の lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php の callback パラメータ (3) index.php の authors[][url] パラメータ (4) lib/pkp/classes/core/String.inc.php 内の stripUnsafeHtml 関数の Bio Statement Submission フィールド (5) lib/pkp/classes/core/String.inc.php 内の stripUnsafeHtml 関数の Abstract of Submission フィールド
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 16, 2012, midnight
Registration Date	Sept. 11, 2012, 10:09 a.m.
Last Update	Sept. 11, 2012, 10:09 a.m.

Affected System

Public Knowledge Project

Open Journal Systems 2.3.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-1469	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1469
National Vulnerability Database (NVD)
2	CVE-2012-1469	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1469

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
PKP
1	OJS 2.3.7 Release Notes	http://pkp.sfu.ca/ojs/RELEASE-2.3.7
2	OJS 2.3.7 Released	http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
3	Open Journal Systems	http://pkp.sfu.ca/?q=ojs

Change Log

No	Changed Details	Date of change
0	[2012年09月11日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-1469

Summary	Multiple cross-site scripting (XSS) vulnerabilities in Open Journal Systems before 2.3.7 allow remote attackers and remote authenticated users to inject arbitrary web script or HTML via the (1) editor or (2) callback parameters to lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php in the iBrowser plugin, (3) authors[][url] parameter to index.php, or (4) Bio Statement or (5) Abstract of Submission fields to the stripUnsafeHtml function in lib/pkp/classes/core/String.inc.php.
Publication Date	Sept. 7, 2012, 6:55 a.m.
Registration Date	Jan. 28, 2021, 2:55 p.m.
Last Update	Nov. 21, 2024, 10:37 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:pkp:open_journal_systems::::::::			2.3.6

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/bugtraq/2012-03/0102.html	Exploit
2	http://archives.neohapsis.com/archives/bugtraq/2012-03/0102.html	Exploit
3	http://pkp.sfu.ca/ojs/RELEASE-2.3.7
4	http://pkp.sfu.ca/ojs/RELEASE-2.3.7
5	http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
6	http://pkp.sfu.ca/support/forum/viewtopic.php?f=2&t=8431
7	http://secunia.com/advisories/48449	Vendor Advisory
8	http://secunia.com/advisories/48449	Vendor Advisory
9	http://secunia.com/advisories/48464	Vendor Advisory
10	http://secunia.com/advisories/48464	Vendor Advisory
11	http://www.osvdb.org/80255
12	http://www.osvdb.org/80255
13	http://www.osvdb.org/80256
14	http://www.osvdb.org/80256
15	http://www.osvdb.org/80257
16	http://www.osvdb.org/80257
17	https://exchange.xforce.ibmcloud.com/vulnerabilities/74225
18	https://exchange.xforce.ibmcloud.com/vulnerabilities/74225
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/74226
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/74226
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/74227
22	https://exchange.xforce.ibmcloud.com/vulnerabilities/74227
23	https://exchange.xforce.ibmcloud.com/vulnerabilities/74228
24	https://exchange.xforce.ibmcloud.com/vulnerabilities/74228
25	https://www.htbridge.com/advisory/HTB23079	Exploit
26	https://www.htbridge.com/advisory/HTB23079	Exploit

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html