Search criteria
5 vulnerabilities found for Navigate CMS by Naviwebs S.C.
CVE-2020-37054 (GCVE-0-2020-37054)
Vulnerability from nvd – Published: 2026-01-30 22:07 – Updated: 2026-02-02 20:06
VLAI?
Title
Navigate CMS 2.8.7 - Cross-Site Request Forgery
Summary
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Naviwebs S.C. | Navigate CMS |
Affected:
2.8.7
|
Credits
Gus Ralph
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37054",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T20:06:31.339252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:06:41.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Navigate CMS",
"vendor": "Naviwebs S.C.",
"versions": [
{
"status": "affected",
"version": "2.8.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gus Ralph"
}
],
"datePublic": "2020-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T22:07:19.472Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48548",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48548"
},
{
"name": "Navigate CMS Official Homepage",
"tags": [
"product"
],
"url": "https://www.navigatecms.com/en/home"
},
{
"name": "Navigate CMS SourceForge Page",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/navigatecms"
},
{
"name": "VulnCheck Advisory: Navigate CMS 2.8.7 - Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/navigate-cms-cross-site-request-forgery"
}
],
"title": "Navigate CMS 2.8.7 - Cross-Site Request Forgery",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37054",
"datePublished": "2026-01-30T22:07:19.472Z",
"dateReserved": "2026-01-28T18:18:30.526Z",
"dateUpdated": "2026-02-02T20:06:41.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37053 (GCVE-0-2020-37053)
Vulnerability from nvd – Published: 2026-01-30 22:07 – Updated: 2026-02-02 20:06
VLAI?
Title
Navigate CMS 2.8.7 - ''sidx' SQL Injection
Summary
Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Naviwebs S.C. | Navigate CMS |
Affected:
2.8.7
|
Credits
Gus Ralph
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T20:06:04.340578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:06:13.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Navigate CMS",
"vendor": "Naviwebs S.C.",
"versions": [
{
"status": "affected",
"version": "2.8.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gus Ralph"
}
],
"datePublic": "2020-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the \u0027sidx\u0027 parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T22:07:19.052Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48545",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48545"
},
{
"name": "Navigate CMS Official Homepage",
"tags": [
"product"
],
"url": "https://www.navigatecms.com/en/home"
},
{
"name": "Navigate CMS SourceForge Page",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/navigatecms"
},
{
"name": "VulnCheck Advisory: Navigate CMS 2.8.7 - \u0027\u0027sidx\u0027 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/navigate-cms-sidx-sql-injection"
}
],
"title": "Navigate CMS 2.8.7 - \u0027\u0027sidx\u0027 SQL Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37053",
"datePublished": "2026-01-30T22:07:19.052Z",
"dateReserved": "2026-01-28T18:18:30.525Z",
"dateUpdated": "2026-02-02T20:06:13.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37054 (GCVE-0-2020-37054)
Vulnerability from cvelistv5 – Published: 2026-01-30 22:07 – Updated: 2026-02-02 20:06
VLAI?
Title
Navigate CMS 2.8.7 - Cross-Site Request Forgery
Summary
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Naviwebs S.C. | Navigate CMS |
Affected:
2.8.7
|
Credits
Gus Ralph
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37054",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T20:06:31.339252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:06:41.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Navigate CMS",
"vendor": "Naviwebs S.C.",
"versions": [
{
"status": "affected",
"version": "2.8.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gus Ralph"
}
],
"datePublic": "2020-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T22:07:19.472Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48548",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48548"
},
{
"name": "Navigate CMS Official Homepage",
"tags": [
"product"
],
"url": "https://www.navigatecms.com/en/home"
},
{
"name": "Navigate CMS SourceForge Page",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/navigatecms"
},
{
"name": "VulnCheck Advisory: Navigate CMS 2.8.7 - Cross-Site Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/navigate-cms-cross-site-request-forgery"
}
],
"title": "Navigate CMS 2.8.7 - Cross-Site Request Forgery",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37054",
"datePublished": "2026-01-30T22:07:19.472Z",
"dateReserved": "2026-01-28T18:18:30.526Z",
"dateUpdated": "2026-02-02T20:06:41.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-37053 (GCVE-0-2020-37053)
Vulnerability from cvelistv5 – Published: 2026-01-30 22:07 – Updated: 2026-02-02 20:06
VLAI?
Title
Navigate CMS 2.8.7 - ''sidx' SQL Injection
Summary
Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the 'sidx' parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Naviwebs S.C. | Navigate CMS |
Affected:
2.8.7
|
Credits
Gus Ralph
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-37053",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T20:06:04.340578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T20:06:13.908Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Navigate CMS",
"vendor": "Naviwebs S.C.",
"versions": [
{
"status": "affected",
"version": "2.8.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gus Ralph"
}
],
"datePublic": "2020-06-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the \u0027sidx\u0027 parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T22:07:19.052Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-48545",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/48545"
},
{
"name": "Navigate CMS Official Homepage",
"tags": [
"product"
],
"url": "https://www.navigatecms.com/en/home"
},
{
"name": "Navigate CMS SourceForge Page",
"tags": [
"product"
],
"url": "https://sourceforge.net/projects/navigatecms"
},
{
"name": "VulnCheck Advisory: Navigate CMS 2.8.7 - \u0027\u0027sidx\u0027 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/navigate-cms-sidx-sql-injection"
}
],
"title": "Navigate CMS 2.8.7 - \u0027\u0027sidx\u0027 SQL Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2020-37053",
"datePublished": "2026-01-30T22:07:19.052Z",
"dateReserved": "2026-01-28T18:18:30.525Z",
"dateUpdated": "2026-02-02T20:06:13.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
JVNDB-2021-002282
Vulnerability from jvndb - Published: 2021-08-20 14:25 - Updated:2021-08-20 14:25
Severity ?
Summary
Multiple vulnerabilities in Navigate CMS
Details
Navigate CMS is an open source Contents Management System (CMS) provided by Naviwebs S.C.
Navigate CMS contains multiple vulnerabilities listed below.
* Reflected cross-site scripting in the Help feature (CWE-79)
* Reflected cross-site scripting (CWE-79) - CVE-2021-36454
* SQL injection (CWE-89) - CVE-2021-36455
Duong Xuan Hiep (Hydrasky) of VNCERT/CC reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to JPCERT/CC in order to notify users of the solutions via JVN.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-002282.html",
"dc:date": "2021-08-20T14:25+09:00",
"dcterms:issued": "2021-08-20T14:25+09:00",
"dcterms:modified": "2021-08-20T14:25+09:00",
"description": "Navigate CMS is an open source Contents Management System (CMS) provided by Naviwebs S.C.\r\nNavigate CMS contains multiple vulnerabilities listed below.\r\n\r\n * Reflected cross-site scripting in the Help feature (CWE-79)\r\n * Reflected cross-site scripting (CWE-79) - CVE-2021-36454\r\n * SQL injection (CWE-89) - CVE-2021-36455\r\n\r\nDuong Xuan Hiep (Hydrasky) of VNCERT/CC reported these vulnerabilities to the developer and coordinated on his own.\r\nAfter coordination was completed, this case was reported to JPCERT/CC in order to notify users of the solutions via JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-002282.html",
"sec:cpe": {
"#text": "cpe:/a:naviwebs:navigate_cms",
"@product": "Navigate CMS",
"@vendor": "Naviwebs S.C.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.5",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "8.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2021-002282",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU95261759/index.html",
"@id": "JVNVU#95261759",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36454",
"@id": "CVE-2021-36454",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36455",
"@id": "CVE-2021-36455",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-36454",
"@id": "CVE-2021-36454",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-36455",
"@id": "CVE-2021-36455",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-89",
"@title": "SQL Injection(CWE-89)"
}
],
"title": "Multiple vulnerabilities in Navigate CMS"
}