Vulnerability-Lookup

CVE-2023-49117 (GCVE-0-2023-49117)

Vulnerability from cvelistv5 – Published: 2023-12-26 05:53 – Updated: 2024-08-02 21:46

Summary

PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user's web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.

Severity ?

No CVSS data available.

CWE

Cross-site scripting (XSS)

Assigner

jpcert

References

URL

FKIE_CVE-2023-49117

Vulnerability from fkie_nvd - Published: 2023-12-26 06:15 - Updated: 2024-11-21 08:32

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
vultures@jpcert.or.jp	https://jvn.jp/en/jp/JVN32646742/	Third Party Advisory
vultures@jpcert.or.jp	https://www.powercms.jp/news/release-powercms-202312.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jvn.jp/en/jp/JVN32646742/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.powercms.jp/news/release-powercms-202312.html	Vendor Advisory

Impacted products

Vendor	Product	Version
alfasado	powercms	*
alfasado	powercms	*
alfasado	powercms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "418BFF70-45BC-4F69-85DB-7C935B80CCEE",
              "versionEndExcluding": "4.55",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4394A42A-9BE5-4927-93D7-74D99542D7D1",
              "versionEndExcluding": "5.25",
              "versionStartIncluding": "5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEA525B4-37C1-4D8B-9755-740FD4665D0A",
              "versionEndIncluding": "6.31",
              "versionStartIncluding": "6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user\u0027s web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability."
    },
    {
      "lang": "es",
      "value": "PowerCMS (Serie 6, Serie 5 y Serie 4) contiene una vulnerabilidad de cross-site scripting almacenado. Si se explota esta vulnerabilidad, se puede ejecutar un script arbitrario en el navegador web de un usuario que haya iniciado sesi\u00f3n. Tenga en cuenta que todas las versiones de PowerCMS Serie 3 y anteriores que no son compatibles (End-of-Life, EOL) tambi\u00e9n se ven afectadas por esta vulnerabilidad."
    }
  ],
  "id": "CVE-2023-49117",
  "lastModified": "2024-11-21T08:32:52.093",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-26T06:15:07.260",
  "references": [
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN32646742/"
    },
    {
      "source": "vultures@jpcert.or.jp",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.powercms.jp/news/release-powercms-202312.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://jvn.jp/en/jp/JVN32646742/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.powercms.jp/news/release-powercms-202312.html"
    }
  ],
  "sourceIdentifier": "vultures@jpcert.or.jp",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-WXVG-WR3R-WMM7

Vulnerability from github – Published: 2023-12-26 06:30 – Updated: 2024-01-04 03:30

Details

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-49117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-26T06:15:07Z",
    "severity": "MODERATE"
  },
  "details": "PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user\u0027s web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.",
  "id": "GHSA-wxvg-wr3r-wmm7",
  "modified": "2024-01-04T03:30:38Z",
  "published": "2023-12-26T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49117"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN32646742"
    },
    {
      "type": "WEB",
      "url": "https://www.powercms.jp/news/release-powercms-202312.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

JVNDB-2023-000126

Vulnerability from jvndb - Published: 2023-12-26 16:46 - Updated:2024-03-18 17:58

Severity ?

5.4 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

Multiple vulnerabilities in PowerCMS

Details

PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

Stored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117
Open redirect vulnerability in the members' site (CWE-601) - CVE-2023-50297

Alfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN32646742/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-49117
	CVE	https://www.cve.org/CVERecord?id=CVE-2023-50297
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-49117
	NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-50297
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

Alfasado Inc.

PowerCMS

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000126.html",
  "dc:date": "2024-03-18T17:58+09:00",
  "dcterms:issued": "2023-12-26T16:46+09:00",
  "dcterms:modified": "2024-03-18T17:58+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117\u003c/li\u003e\u003cli\u003eOpen redirect vulnerability in the members\u0027 site (CWE-601) - CVE-2023-50297\u003c/li\u003e\u003c/ul\u003e\r\n\r\nAlfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000126.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "3.5",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000126",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN32646742/index.html",
      "@id": "JVN#32646742",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49117",
      "@id": "CVE-2023-49117",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50297",
      "@id": "CVE-2023-50297",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49117",
      "@id": "CVE-2023-49117",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50297",
      "@id": "CVE-2023-50297",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

GSD-2023-49117

Vulnerability from gsd - Updated: 2023-12-22 06:01

Details

Aliases

CVE-2023-49117

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-49117"
      ],
      "details": "PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user\u0027s web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.",
      "id": "GSD-2023-49117",
      "modified": "2023-12-22T06:01:20.157807Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "vultures@jpcert.or.jp",
        "ID": "CVE-2023-49117",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PowerCMS (PowerCMS 6 Series)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "6.31 and earlier"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "PowerCMS (PowerCMS 5 Series)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "5.24 and earlier"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "PowerCMS (PowerCMS 4 Series)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "4.54 and earlier"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Alfasado Inc."
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user\u0027s web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting (XSS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.powercms.jp/news/release-powercms-202312.html",
            "refsource": "MISC",
            "url": "https://www.powercms.jp/news/release-powercms-202312.html"
          },
          {
            "name": "https://jvn.jp/en/jp/JVN32646742/",
            "refsource": "MISC",
            "url": "https://jvn.jp/en/jp/JVN32646742/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "418BFF70-45BC-4F69-85DB-7C935B80CCEE",
                    "versionEndExcluding": "4.55",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "4394A42A-9BE5-4927-93D7-74D99542D7D1",
                    "versionEndExcluding": "5.25",
                    "versionStartIncluding": "5.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:alfasado:powercms:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "AEA525B4-37C1-4D8B-9755-740FD4665D0A",
                    "versionEndIncluding": "6.31",
                    "versionStartIncluding": "6.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user\u0027s web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability."
          },
          {
            "lang": "es",
            "value": "PowerCMS (Serie 6, Serie 5 y Serie 4) contiene una vulnerabilidad de cross-site scripting almacenado. Si se explota esta vulnerabilidad, se puede ejecutar un script arbitrario en el navegador web de un usuario que haya iniciado sesi\u00f3n. Tenga en cuenta que todas las versiones de PowerCMS Serie 3 y anteriores que no son compatibles (End-of-Life, EOL) tambi\u00e9n se ven afectadas por esta vulnerabilidad."
          }
        ],
        "id": "CVE-2023-49117",
        "lastModified": "2024-01-04T02:42:06.503",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.3,
              "impactScore": 2.7,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-26T06:15:07.260",
        "references": [
          {
            "source": "vultures@jpcert.or.jp",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://jvn.jp/en/jp/JVN32646742/"
          },
          {
            "source": "vultures@jpcert.or.jp",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://www.powercms.jp/news/release-powercms-202312.html"
          }
        ],
        "sourceIdentifier": "vultures@jpcert.or.jp",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-79"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-49117 (GCVE-0-2023-49117)

FKIE_CVE-2023-49117

GHSA-WXVG-WR3R-WMM7

JVNDB-2023-000126

GSD-2023-49117

Tags

Sightings

Nomenclature