製品・ソフトウェアに関する情報

JVN脆弱性詳細

SOGo の Web Calendar におけるクロスサイトスクリプティングの脆弱性

Title	SOGo の Web Calendar におけるクロスサイトスクリプティングの脆弱性
Summary	SOGo の Web Calendar には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	リモートの攻撃者により、(1) appointment の title、または (2) contact フィールドを介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 4, 2014, midnight
Registration Date	March 7, 2017, 5:12 p.m.
Last Update	March 7, 2017, 5:12 p.m.

Affected System

Inverse inc.

SOGo 2.2.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-9905	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9905
National Vulnerability Database (NVD)
2	CVE-2014-9905	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9905

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Decode HTML entities in JSON of calendar module	https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501
2	Escape HTML in CSS dialogs	https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625
3	Escape HTML in JSON of calendar module	https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9
4	Escape HTML in JSON of contacts module	https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765
MantisBT
5	0002598	https://sogo.nu/bugs/view.php?id=2598

Change Log

No	Changed Details	Date of change
0	[2017年03月07日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-9905

Summary	Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.
Publication Date	Feb. 18, 2017, 2:59 a.m.
Registration Date	Jan. 26, 2021, 3:23 p.m.
Last Update	Nov. 21, 2024, 11:21 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:alinto:sogo::::::::			2.1.1

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2016/07/09/3	Mailing List Patch VDB Entry
2	http://www.openwall.com/lists/oss-security/2016/07/09/3	Mailing List Patch VDB Entry
3	https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9	Patch
4	https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9	Patch
5	https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501	Patch
6	https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501	Patch
7	https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765	Patch
8	https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765	Patch
9	https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625	Patch
10	https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625	Patch
11	https://sogo.nu/bugs/view.php?id=2598	Vendor Advisory
12	https://sogo.nu/bugs/view.php?id=2598	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html