We provide planning and proposals, development, construction, operation, and advisory services for information systems in the city of Sapporo.

CMS Vulnerability Information


Between July 14 and August 15, 2020, one vulnerability was published.

  1. JVN#05502028
     Published: 2020/07/22
     Product: WordPress (Social Sharing Plugin)
     Type: Cross-site request forgery (CSRF) vulnerability
     https://jvn.jp/jp/JVN05502028/

Plugins require careful attention.

Incidentally, for WordPress I also collected information that has not been posted to JVN, so I am listing it here. This covers July 2020.

WordPress Plugin Vulnerabilities

  • Quiz And Survey Master < 7.0.0 – Authenticated Stored Cross-Site Scripting (XSS)
  • Gallery PhotoBlocks < 1.2.0 – Authenticated Cross-Site Scripting (XSS)
  • Comments – wpDiscuz 7.0.0 – 7.0.4 – Unauthenticated Arbitrary File Upload
  • WooCommerce Subscriptions < 2.6.3 – Unauthenticated Stored Cross-Site Scripting (XSS)
  • JobSearch < 1.5.6 – Unauthenticated Reflected XSS
  • Social Sharing Plugin < 1.2.10 – Cross-Site Request Forgery in Settings
  • TC Custom JavaScript < 1.2.2 – Unauthenticated Stored Cross-Site Scripting (XSS)
  • JobSearch < 1.5.5 – Unauthenticated Reflected Cross-Site Scripting
  • Email Subscribers & Newsletters < 4.5.1 – Authenticated SQL injection in es_newsletters_settings_callback()
  • Email Subscribers & Newsletters < 4.5.1 – Cross-site Request Forgery in send_test_email()
  • All in One SEO Pack < 3.6.2 – Authenticated Stored Cross-Site Scripting
  • Email Verification for WooCommerce < 1.8.2 – Loose Comparison to Authentication Bypass
  • SendPress Newsletter < 1.20.7.13 – Authenticated Stored Cross-Site Scripting (XSS)
  • Form Maker by 10Web < 1.13.40 – Authenticated Reflected XSS
  • Newsletter < 6.7.7 – Authenticated Stored Cross-Site Scripting
  • WP-Live Chat by 3CX < 8.2.0 – Authenticated Stored Cross-Site Scripting
  • SRS Simple Hits Counter <= 1.0.4 – Unauthenticated Blind SQL Injection
  • Powie’s WHOIS Domain Check < 0.9.33 – Authenticated Stored Cross-Site Scripting
  • Wise Chat < 2.8.4 – CSV Injection
  • Knight Lab Timeline < 3.7.0.0 – Outdated TimelineJS library could Lead to Stored XSS
  • KingComposer < 2.9.5 – Unauthenticated Reflected Cross-Site Scripting
  • Adning Advertising < 1.5.6 – Unauthenticated Arbitrary File Upload/Deletion
  • Security & Malware scan by CleanTalk < 2.51 – Security Nonce Leak leading to Unauthorised AJAX call
  • JobSearch < 1.5.3 – Multiple Cross-Site Scripting Issues
  • Testimonials Widget <= 3.5.1 – Multiple Authenticated Stored (XSS)
  • Payment Form For Paypal Pro < 1.1.65 – Unauthenticated SQL Injection
  • WPForms < 1.6.0.2 – Authenticated Stored Cross-Site Scripting (XSS)

WordPress Theme Vulnerabilities

  • JobCareer < 3.5 – Multiple Cross-Site Scripting (XSS)
  • Reality < 2.5.6 – Multiple Reflected Cross-Site Scripting (XSS)
  • Real Estate 7 < 3.0.4 – Unauthenticated Reflected XSS
  • CarePlus <= 1.2 – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Careerfy < 4.4.0 – Unauthenticated Reflected XSS
  • Careerfy < 4.3.0 – Unauthenticated Reflected Cross-Site Scripting
  • Golo < 1.3.3 – Unauthenticated Reflected XSS
  • Jetapo < 1.1 – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Workio – Job Board < 1.0.3 – Unauthenticated Reflected XSS
  • Workup – Job Board < 2.1.6 – Unauthenticated Reflected XSS
  • Findgo – Directory Listing < 1.3.32 – Unauthenticated Reflected and Authenticated Stored XSS
  • Prolisting – Directory Listing < 1.27 – Unauthenticated Reflected XSS
  • Kormosala – Job Board < 1.0.23 – Unauthenticated Reflected XSS
  • Findus – Directory Listing < 1.1.15 – Authenticated Persistent XSS
  • InJob < 3.4.1 – Authenticated Reflected Cross-Site Scripting (XSS)
  • Travel Booking < 2.8.4 – Unauthenticated Cross-Site Scripting (XSS)
  • Travel Booking < 2.8.4 – Unauthenticated SQL Injection
  • Monalisa < 2.1.3 – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Careerfy < 4.1.0 – Multiple Cross-Site Scripting (XSS) Issues
  • CareerUp < 2.3.1 – Unauthenticated Reflected Cross-Site Scripting

That is quite a lot. I think it is necessary to check every day whether updates have been released.
