All the vulnerabilites related to Alfasado Inc. - PowerCMS
jvndb-2021-000105
Vulnerability from jvndb
Published
2021-11-24 15:47
Modified
2024-07-26 15:22
Severity ?
Summary
PowerCMS XMLRPC API vulnerable to OS command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78). Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc.PowerCMS
Show details on JVN DB website


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000105.html",
  "dc:date": "2024-07-26T15:22+09:00",
  "dcterms:issued": "2021-11-24T15:47+09:00",
  "dcterms:modified": "2024-07-26T15:22+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000105.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000105",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN17645965/index.html",
      "@id": "JVN#17645965",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20850",
      "@id": "CVE-2021-20850",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20850",
      "@id": "CVE-2021-20850",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to OS command injection"
}

jvndb-2023-000126
Vulnerability from jvndb
Published
2023-12-26 16:46
Modified
2024-03-18 17:58
Severity ?
Summary
Multiple vulnerabilities in PowerCMS
Details
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. <ul><li>Stored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117</li><li>Open redirect vulnerability in the members' site (CWE-601) - CVE-2023-50297</li></ul> Alfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc.PowerCMS
Show details on JVN DB website


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000126.html",
  "dc:date": "2024-03-18T17:58+09:00",
  "dcterms:issued": "2023-12-26T16:46+09:00",
  "dcterms:modified": "2024-03-18T17:58+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117\u003c/li\u003e\u003cli\u003eOpen redirect vulnerability in the members\u0027 site (CWE-601) - CVE-2023-50297\u003c/li\u003e\u003c/ul\u003e\r\n\r\nAlfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000126.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "3.5",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000126",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN32646742/index.html",
      "@id": "JVN#32646742",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49117",
      "@id": "CVE-2023-49117",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50297",
      "@id": "CVE-2023-50297",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49117",
      "@id": "CVE-2023-49117",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50297",
      "@id": "CVE-2023-50297",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

jvndb-2022-000069
Vulnerability from jvndb
Published
2022-09-02 15:49
Modified
2024-06-13 11:44
Severity ?
Summary
PowerCMS XMLRPC API vulnerable to command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc.PowerCMS
Show details on JVN DB website


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "dc:date": "2024-06-13T11:44+09:00",
  "dcterms:issued": "2022-09-02T15:49+09:00",
  "dcterms:modified": "2024-06-13T11:44+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).\r\nSending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.\r\nAccording to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000069",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN76024879/index.html",
      "@id": "JVN#76024879",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to command injection"
}

jvndb-2019-000066
Vulnerability from jvndb
Published
2019-10-23 16:00
Modified
2019-10-23 16:00
Severity ?
Summary
PowerCMS vulnerable to open redirect
Details
PowerCMS provided by Alfasado Inc. contains an open redirect vulnerability (CWE-601). Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products
Alfasado Inc.PowerCMS
Show details on JVN DB website


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000066.html",
  "dc:date": "2019-10-23T16:00+09:00",
  "dcterms:issued": "2019-10-23T16:00+09:00",
  "dcterms:modified": "2019-10-23T16:00+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains an open redirect vulnerability (CWE-601).\r\n\r\nHidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000066.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "2.6",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.7",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000066",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN34634458/index.html",
      "@id": "JVN#34634458",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6020",
      "@id": "CVE-2019-6020",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6020",
      "@id": "CVE-2019-6020",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    }
  ],
  "title": "PowerCMS vulnerable to open redirect"
}

cve-2019-6020
Vulnerability from cvelistv5
Published
2019-12-26 15:16
Modified
2024-08-04 20:16
Severity ?
Summary
Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
Impacted products
Alfasado Inc.PowerCMS
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:16:23.965Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.powercms.jp/news/release-powercms-201910.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN34634458/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Open Redirect",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-26T15:16:50",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.powercms.jp/news/release-powercms-201910.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://jvn.jp/en/jp/JVN34634458/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2019-6020",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PowerCMS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Alfasado Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Open Redirect"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.powercms.jp/news/release-powercms-201910.html",
              "refsource": "MISC",
              "url": "https://www.powercms.jp/news/release-powercms-201910.html"
            },
            {
              "name": "http://jvn.jp/en/jp/JVN34634458/index.html",
              "refsource": "MISC",
              "url": "http://jvn.jp/en/jp/JVN34634458/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2019-6020",
    "datePublished": "2019-12-26T15:16:50",
    "dateReserved": "2019-01-10T00:00:00",
    "dateUpdated": "2024-08-04T20:16:23.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}