Security Advisories
2023-08-31
Contributor: Michael Heinzl
Product: VI Web Client
Affected versions: prior to 7.9.6
Fixed version: 7.9.6
References:
Release Note
Download
JVN#60140221
Vulnerabilities:
- CVE-2023-38574 (CVSS v3: 4.7)
Open redirect vulnerability in VI Web Client prior to 7.9.6 allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
- CVE-2023-39938 (CVSS v3: 6.1)
Reflected cross-site scripting vulnerability in VI Web Client prior to 7.9.6 allows a remote unauthenticated attacker to inject an arbitrary script.
- CVE-2023-40535 (CVSS v3: 5.4)
Stored cross-site scripting vulnerability in View setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary script.
- CVE-2023-40705 (CVSS v3: 5.4)
Stored cross-site scripting vulnerability in Map setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary script.