製品・ソフトウェアに関する情報

JVN脆弱性詳細

FreePBX 用 Digium Addons モジュールにおけるクロスサイトスクリプティングの脆弱性

Title	FreePBX 用 Digium Addons モジュールにおけるクロスサイトスクリプティングの脆弱性
Summary	FreePBX 用 Digium Addons モジュール (digiumaddoninstaller) には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 30, 2015, midnight
Registration Date	Sept. 4, 2017, 5:29 p.m.
Last Update	Sept. 4, 2017, 5:29 p.m.

Affected System

Digium

Digium Addons 2.11.0.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-2690	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2690
National Vulnerability Database (NVD)
2	CVE-2015-2690	https://nvd.nist.gov/vuln/detail/CVE-2015-2690

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Bitbucket
1	FreePBX _ digiumaddoninstaller _ 2aad006024b - FreePBX GIT	https://git.freepbx.org/projects/FREEPBX/repos/digiumaddoninstaller/commits/2aad006024b74c9ff53943d3e68527a3dffac855

Change Log

No	Changed Details	Date of change
0	[2017年09月04日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-2690

Summary	Multiple cross-site scripting (XSS) vulnerabilities in views/add-license-form.php in the Digium Addons module (digiumaddoninstaller) before 2.11.0.7 for FreePBX allow remote attackers to inject arbitrary web script or HTML via the (1) add_license_key, (2) add_license_first_name, (3) add_license_last_name, (4) add_license_company, (5) add_license_address1, (6) add_license_address2, (7) add_license_city, (8) add_license_state, (9) add_license_post_code, (10) add_license_country, (11) add_license_phone, or (12) add_license_email parameter in an add-license-form page to admin/config.php.
Publication Date	Aug. 3, 2017, 4:29 a.m.
Registration Date	Jan. 26, 2021, 2:48 p.m.
Last Update	Nov. 21, 2024, 11:27 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:digium:addons_module:2.11.0.6:::::freepbx::

Related information, measures and tools

No	URL	タグ
1	http://git.freepbx.org/projects/FREEPBX/repos/digiumaddoninstaller/commits/2aad006024b74c9ff53943d3e68527a3dffac855	Issue Tracking Patch Third Party Advisory
2	http://git.freepbx.org/projects/FREEPBX/repos/digiumaddoninstaller/commits/2aad006024b74c9ff53943d3e68527a3dffac855	Issue Tracking Patch Third Party Advisory
3	http://packetstormsecurity.com/files/131591/FreePBX-12.0.43-Cross-Site-Scripting.html	Exploit Third Party Advisory VDB Entry
4	http://packetstormsecurity.com/files/131591/FreePBX-12.0.43-Cross-Site-Scripting.html	Exploit Third Party Advisory VDB Entry
5	http://www.securityfocus.com/archive/1/535333/100/1100/threaded
6	http://www.securityfocus.com/archive/1/535333/100/1100/threaded
7	http://www.securityfocus.com/bid/74279	Third Party Advisory VDB Entry
8	http://www.securityfocus.com/bid/74279	Third Party Advisory VDB Entry
9	https://www.htbridge.com/advisory/HTB23253	Exploit Third Party Advisory
10	https://www.htbridge.com/advisory/HTB23253	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html