製品・ソフトウェアに関する情報

JVN脆弱性詳細

WordPress 用 Caldera Forms プラグインにおけるクロスサイトスクリプティングの脆弱性

Title	WordPress 用 Caldera Forms プラグインにおけるクロスサイトスクリプティングの脆弱性
Summary	WordPress 用 Caldera Forms プラグインには、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 14, 2018, midnight
Registration Date	June 15, 2018, 6:15 p.m.
Last Update	June 15, 2018, 6:15 p.m.

Affected System

Caldera Labs

Caldera Forms 1.6.0-rc.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-7747	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7747
National Vulnerability Database (NVD)
2	CVE-2018-7747	https://nvd.nist.gov/vuln/detail/CVE-2018-7747

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Caldera Labs
1	Caldera Forms 1.6 Is Here!	https://calderaforms.com/2018/03/caldera-forms-1-6-is-here/
2	Security Disclosure	https://calderaforms.com/updates/caldera-forms-1-6-0/#security
WordPress Plugin Directory
3	Caldera Forms	https://wordpress.org/plugins/caldera-forms/#developers

Change Log

No	Changed Details	Date of change
1	[2018年06月15日] 掲載	June 15, 2018, 6:15 p.m.

NVD Vulnerability Information

CVE-2018-7747

Summary	Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.
Publication Date	April 21, 2018, 6:29 a.m.
Registration Date	March 1, 2021, 7:39 p.m.
Last Update	Nov. 21, 2024, 1:12 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:calderalabs:caldera_forms::::::wordpress::*			1.5.9

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/147257/WordPress-Caldera-Forms-1.5.9.1-Cross-Site-Scripting.html	Third Party Advisory VDB Entry
2	http://packetstormsecurity.com/files/147257/WordPress-Caldera-Forms-1.5.9.1-Cross-Site-Scripting.html	Third Party Advisory VDB Entry
3	https://calderaforms.com/2018/03/caldera-forms-1-6-is-here/	Release Notes
4	https://calderaforms.com/2018/03/caldera-forms-1-6-is-here/	Release Notes
5	https://calderaforms.com/updates/caldera-forms-1-6-0/#security	Release Notes Vendor Advisory
6	https://calderaforms.com/updates/caldera-forms-1-6-0/#security	Release Notes Vendor Advisory
7	https://wordpress.org/plugins/caldera-forms/#developers	Product Release Notes
8	https://wordpress.org/plugins/caldera-forms/#developers	Product Release Notes
9	https://www.exploit-db.com/exploits/44489/	Third Party Advisory VDB Entry
10	https://www.exploit-db.com/exploits/44489/	Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html