JVNDB-2007-000225

NewsGlue and Ikinari Jijyoutsuu arbitrary script execution vulnerability

Overview

NewsGlue and Ikinari Jijyoutsuu are RSS readers. Both fail to properly handle RSS information on output, so an arbitrary script embedded in an RSS feed could be executed in either reader.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Glue Software Corporation
  • NewsGlue 1.3.3 and earlier
SOURCENEXT CORPORATION
  • IKINARI JIJYOU version 1.0.0 and 1.0.1

Impact

An arbitrary script could be executed in NewsGlue or Ikinari Jijyoutsuu. Arbitrary files on client PCs could be accessed by an attacker.

Solution

Vendor Information

  • Glue Software Corporation
  • SOURCENEXT CORPORATION

CWE

CVE

  1. CVE-2007-1610
  2. CVE-2007-1611

References

  1. JVN : JVN#64227086
  2. National Vulnerability Database (NVD) : CVE-2007-1610
  3. National Vulnerability Database (NVD) : CVE-2007-1611
  4. Secunia Advisory : SA24603
  5. SecurityFocus : 23094
  6. ISS X-Force Database : 33166
  7. FrSIRT Advisories : FrSIRT/ADV-2007-1074

Revision History

  • [2008/05/21]
      Web page published