製品・ソフトウェアに関する情報

JVN脆弱性詳細

WordPress 用 Disqus Comment System プラグインにおけるクロスサイトリクエストフォージェリの脆弱性

Title	WordPress 用 Disqus Comment System プラグインにおけるクロスサイトリクエストフォージェリの脆弱性
Summary	WordPress 用 Disqus Comment System プラグインには、クロスサイトリクエストフォージェリの脆弱性が存在します。
Possible impacts	第三者により、管理者の認証をハイジャックされ、manage.php の wp-admin/edit-comments.php の (1) disqus_replace、(2) disqus_public_key、(3) disqus_secret_key パラメータを介して、クロスサイトスクリプティング (XSS) 攻撃を実行される、あるいは reset パラメータを介して、プラグインオプションを (4) リセット、または (5) 削除される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 24, 2014, midnight
Registration Date	Aug. 21, 2014, 2:37 p.m.
Last Update	Aug. 21, 2014, 2:37 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

Disqus

Disqus Comment System 2.76 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-5347	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5347
National Vulnerability Database (NVD)
2	CVE-2014-5347	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5347

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-352	https://jvndb.jvn.jp/ja/cwe/CWE-352.html

ベンダー情報

No	Name	URL
Disqus
1	Top Page	https://www.disqus.com/
WordPress Plugin Directory
2	Disqus Comment System	http://wordpress.org/plugins/disqus-comment-system/other_notes/

その他

No	Name	URL
関連文書
1	Multiple Vulnerabilities in Disqus WordPress Plugin	https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/

Change Log

No	Changed Details	Date of change
0	[2014年08月21日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-5347

Summary	Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.
Publication Date	Aug. 20, 2014, 4:55 a.m.
Registration Date	Jan. 26, 2021, 3:14 p.m.
Last Update	Nov. 21, 2024, 11:11 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:disqus:disqus_comment_system:2.55:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.68:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.45:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.52:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.69:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.46:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.40:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.48:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.49:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.67:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.74:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.65:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.60:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.43:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system::::::wordpress::*		2.75
cpe:2.3:a:disqus:disqus_comment_system:2.72:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.50:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.42:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.63:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.54:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.70:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.66:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.62:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.71:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.61:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.64:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.53:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.51:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.44:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.41:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.47:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.73:::::wordpress::

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Site-Scripting.html
2	http://packetstormsecurity.com/files/127847/WordPress-Disqus-2.7.5-CSRF-Cross-Site-Scripting.html
3	http://packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html	Exploit
4	http://packetstormsecurity.com/files/127852/Disqus-2.7.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html	Exploit
5	http://seclists.org/fulldisclosure/2014/Aug/35
6	http://seclists.org/fulldisclosure/2014/Aug/35
7	http://www.exploit-db.com/exploits/34336	Exploit
8	http://www.exploit-db.com/exploits/34336	Exploit
9	http://www.securityfocus.com/bid/69205
10	http://www.securityfocus.com/bid/69205
11	https://exchange.xforce.ibmcloud.com/vulnerabilities/95288
12	https://exchange.xforce.ibmcloud.com/vulnerabilities/95288
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/95289
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/95289
15	https://gist.github.com/nikcub/cb5dc7a5464276c8424a
16	https://gist.github.com/nikcub/cb5dc7a5464276c8424a
17	https://wordpress.org/plugins/disqus-comment-system/other_notes	Patch
18	https://wordpress.org/plugins/disqus-comment-system/other_notes	Patch
19	https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin	Exploit
20	https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin	Exploit

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-352	クロスサイト・リクエスト・フォージェリ（CSRF）	https://cwe.mitre.org/data/definitions/352.html
2	CWE-352	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:disqus:disqus_comment_system:2.55:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.68:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.45:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.52:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.69:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.46:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.40:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.48:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.49:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.67:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.74:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.65:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.60:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.43:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system::::::wordpress::*		2.75
cpe:2.3:a:disqus:disqus_comment_system:2.72:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.50:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.42:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.63:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.54:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.70:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.66:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.62:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.71:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.61:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.64:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.53:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.51:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.44:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.41:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.47:::::wordpress::
cpe:2.3:a:disqus:disqus_comment_system:2.73:::::wordpress::