
JVNDB-2008-000011

Internet Scanner reporting engine vulnerable to cross-site scripting

Overview

IBM Internet Scanner has a function to generate a report as an HTML file. Internet Scanner's reporting engine does not properly sanitize data before generating this report. This vulnerability may allow an attacker to insert an arbitrary script, which is executed on the user's web browser when the user views the output HTML file.
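
The flaw class described above, as an added Python example (not IBM's code): a report renderer that pastes collected values into HTML next to one that encodes them for the context they land in. The finding fields, the sample values and the Content-Security-Policy layer are assumptions made for illustration; the advisory does not say which report fields are affected.

```python
import html
from html.parser import HTMLParser

# Constructed sample findings. "banner" stands in for any value a scanned
# host can influence; the field names are hypothetical.
FINDINGS = [
    {"host": "192.0.2.10", "banner": "Apache/2.2.3"},
    {"host": "192.0.2.11", "banner": "<script>alert(document.location)</script>"},
    {"host": "192.0.2.12", "banner": '" onmouseover="alert(1)'},
]
ROW = '<tr><td title="%s">%s</td><td>%s</td></tr>'
# Extra layer (not from the advisory): a static report needs no script at all.
CSP = ('<meta http-equiv="Content-Security-Policy" '
       'content="default-src \'none\'; style-src \'unsafe-inline\'">')

def render_row_unsafe(f):
    """Collected data is concatenated into markup unchanged."""
    return ROW % (f["banner"], f["host"], f["banner"])

def render_row_safe(f):
    """Every value is entity-encoded, quotes included, before it is placed."""
    esc = lambda v: html.escape(str(v), quote=True)  # & < > " '
    return ROW % (esc(f["banner"]), esc(f["host"]), esc(f["banner"]))

def render_report(findings, row=render_row_safe):
    rows = "\n".join(row(f) for f in findings)
    return ('<!DOCTYPE html>\n<html><head><meta charset="utf-8">\n%s\n'
            '<title>Scan report</title></head>\n<body><table>\n%s\n'
            '</table></body></html>' % (CSP, rows))

class ActiveContentFinder(HTMLParser):
    """Regression check: parse the report as a browser would and record
    script elements and on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script>")
        self.hits.extend(name for name, _ in attrs if name.startswith("on"))

def active_content(report):
    finder = ActiveContentFinder()
    finder.feed(report)
    finder.close()
    return finder.hits

if __name__ == "__main__":
    print("unsafe:", active_content(render_report(FINDINGS, render_row_unsafe)))
    print("safe:  ", active_content(render_report(FINDINGS)))
```

Running `active_content` over every generated report in a test suite catches a field that was added later without encoding.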

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


IBM Corporation
  • Internet Scanner 7.0 Service Pack 2 7.2.2005.52 Release

Impact

An arbitrary script may be executed on the user's web browser when the user views the report. Depending on the content of the script, an arbitrary file on the client PC could be viewed.
Solution

[Update the Software]

Update the software to the latest version according to the information released by the vendor.
For more information, refer to the vendor's website.
Vendor Information

IBM Corporation
CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]
CVE

  1. CVE-2008-1073
References

  1. JVN : JVN#42381549
  2. National Vulnerability Database (NVD) : CVE-2008-1073
  3. Secunia Advisory : SA29038
  4. SecurityFocus : 28014
  5. SecurityTracker : 1019508
  6. FrSIRT Advisories : FrSIRT/ADV-2008-0681
Revision History

  • [2008/05/21]
      Web page published