製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の WorePress 用 Clockwork SMS プラグイン製品におけるクロスサイトスクリプティングの脆弱性

Title	複数の WorePress 用 Clockwork SMS プラグイン製品におけるクロスサイトスクリプティングの脆弱性
Summary	複数の WorePress 用 Clockwork SMS プラグイン製品には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 18, 2017, midnight
Registration Date	Jan. 23, 2018, 3:26 p.m.
Last Update	Jan. 23, 2018, 3:26 p.m.

Affected System

Clockwork

Booking Calendar - Clockwork SMS 1.0.5

Clockwork SMS Notifications 2.0.3

Contact Form 7 - Clockwork SMS 2.3.0

Fast Secure Contact Form - Clockwork SMS 2.1.2

Formidable - Clockwork SMS 1.0.2

Gravity Forms - Clockwork SMS 2.2

Two-Factor Authentication - Clockwork SMS 1.0.2

WP e-Commerce - Clockwork SMS 2.0.5

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-17780	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17780
National Vulnerability Database (NVD)
2	CVE-2017-17780	https://nvd.nist.gov/vuln/detail/CVE-2017-17780

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Clockwork
1	Plugins	https://www.clockworksms.com/plugins/
WordPress Plugin Changeset
2	Changes in clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php [706348:1781424]	https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php?old=706348&old_path=clockwork-two-factor-authentication%2Ftrunk%2Fte

その他

No	Name	URL
関連文書
1	Clockwork SMS Cross Site Scripting	https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.html

Change Log

No	Changed Details	Date of change
0	[2018年01月23日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-17780

Summary	The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5.
Publication Date	Dec. 20, 2017, 12:29 p.m.
Registration Date	Jan. 26, 2021, 1:19 p.m.
Last Update	Nov. 21, 2024, 12:18 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mediaburst:booking_calendar_sms:1.0.5:::::wordpress::
cpe:2.3:a:mediaburst:clockwork_sms_notfications:2.0.3:::::wordpress::
cpe:2.3:a:mediaburst:contact_form_7_sms:2.3.0:::::wordpress::
cpe:2.3:a:mediaburst:fast_secure_contact_form_sms:2.1.2:::::wordpress::
cpe:2.3:a:mediaburst:formidable:1.0.2:::::wordpress::
cpe:2.3:a:mediaburst:gravity_forms:2.2:::::wordpress::
cpe:2.3:a:mediaburst:two-factor_authentication:1.0.2:::::wordpress::
cpe:2.3:a:mediaburst:wp_e-commerce:2.0.5:::::wordpress::

Related information, measures and tools

No	URL	タグ
1	https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.html	Exploit Issue Tracking Third Party Advisory VDB Entry
2	https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.html	Exploit Issue Tracking Third Party Advisory VDB Entry
3	https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php?old=706348&old_path=clockwork-two-factor-authentication%2Ftrunk%2Ftemplates%2Fclockwork-test-message.php	Issue Tracking Patch Third Party Advisory
4	https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php?old=706348&old_path=clockwork-two-factor-authentication%2Ftrunk%2Ftemplates%2Fclockwork-test-message.php	Issue Tracking Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mediaburst:booking_calendar_sms:1.0.5:::::wordpress::
cpe:2.3:a:mediaburst:clockwork_sms_notfications:2.0.3:::::wordpress::
cpe:2.3:a:mediaburst:contact_form_7_sms:2.3.0:::::wordpress::
cpe:2.3:a:mediaburst:fast_secure_contact_form_sms:2.1.2:::::wordpress::
cpe:2.3:a:mediaburst:formidable:1.0.2:::::wordpress::
cpe:2.3:a:mediaburst:gravity_forms:2.2:::::wordpress::
cpe:2.3:a:mediaburst:two-factor_authentication:1.0.2:::::wordpress::
cpe:2.3:a:mediaburst:wp_e-commerce:2.0.5:::::wordpress::