
JVNDB-2007-000559

Yayoi Kaikei improper handling of credential information

Overview

Yayoi Kaikei Quick Navigator sends user credentials unencrypted.

Yayoi Kaikei Quick Navigator requires the user to log in to the vendor's server, and sends the user's credentials unencrypted.

CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


Yayoi Co., Ltd
  • Yayoi-Kaikei 05 & Yayoi Aoiro Shinkoku (blue return) 05
  • Yayoi-Kaikei 06 & Yayoi Aoiro Shinkoku (blue return) 06 (including R2)
  • Yayoi-Kaikei 07 & Yayoi Aoiro Shinkoku (blue return) 07 (excluding R2)
  • Yayoi-Hanbai 06
  • Yayoi-Hanbai 07 (product version 10.0.1 only)

Impact

By monitoring the communication between Quick Navigator and the vendor's server, an attacker can obtain the customer number and the phone number and use them to impersonate the user on the vendor's server.

Solution

[Update the Software]
Updated versions of the software are available which communicate with the vendor's server over SSL.

[Workarounds]
Do not use Quick Navigator.

For more information, refer to the vendor's website.

Vendor Information

Yayoi Co., Ltd

CWE

CVE

References

  1. JVN : JVN#43615794

Revision History

  • [2008/05/21]
      Web page published