JVNDB-2007-000434

ADPLAN cross-site scripting vulnerability

Overview

ADPLAN Version 3, web access measurement software provided by Opt, Inc., contains a cross-site scripting vulnerability in the SEO (search engine optimization) module.

A website that employs the ADPLAN Version 3 service generates a web page using the HTTP header information sent from a client web browser.

However, ADPLAN Version 3 does not handle the HTTP header information sent from a user's web browser correctly. As a result, an arbitrary script could be executed on the user's web browser if an attack causes the user to visit a site that uses the ADPLAN service.
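
The flaw class described above, as an added example that is not ADPLAN code or anything published by the vendor: a hypothetical server-side page generator that reflects a request header into HTML and into an inline script, shown in its weak form beside a context-encoded form. The choice of the `Referer` header, the function names and the sample value are assumptions; the advisory does not say which header is involved.

```javascript
// Added example: hypothetical page generator, not ADPLAN code.
// Assumption: the reflected header is Referer; the advisory does not name it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for HTML text and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode for an inline <script> block: a JSON string literal in which the
// characters that could close the script element or break the line are
// rewritten as \uXXXX escapes.
function escapeForScript(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Header names are case-insensitive; a missing header becomes an empty string.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  const v = key === undefined ? '' : headers[key];
  return Array.isArray(v) ? v.join(', ') : String(v);
}

// Weak form: the header value is concatenated into the markup as-is.
function renderUnsafe(headers) {
  const ref = getHeader(headers, 'referer');
  return `<p>You arrived from: ${ref}</p><script>var ref = "${ref}";</script>`;
}

// Corrected form: each sink gets the encoding for its own output context.
function renderSafe(headers) {
  const ref = getHeader(headers, 'referer');
  return `<p>You arrived from: ${escapeHtml(ref)}</p>` +
         `<script>var ref = ${escapeForScript(ref)};</script>`;
}

// Constructed sample request headers (not captured traffic).
const sampleHeaders = { Referer: 'http://search.example/?q="</script><script>alert(1)</script>' };

console.log(renderUnsafe(sampleHeaders));
console.log(renderSafe(sampleHeaders));
```

In the corrected output the only `<script>` element is the one the template itself emits; the header value appears as inert text in the paragraph and as a string literal in the script.
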
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


OPT, Inc
  • ADPLAN Version 3's SEO module

Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Update the software]

We recommend users upgrade to the latest version of the software available from the vendor.

This module is only distributed to users of ADPLAN Version 3's SEO service.
Opt, Inc. is privately contacting customers about the availability of a fixed version of the module.

This vulnerability does not exist in ADPLAN Version 4.
Vendor Information

OPT, Inc
CWE

CVE

  1. CVE-2007-3117
References

  1. JVN : JVN#23891849
  2. National Vulnerability Database (NVD) : CVE-2007-3117
  3. Secunia Advisory : SA25527
  4. SecurityFocus : 24356
Revision History

  • [2008/05/21]
      Web page published