JVNDB-2007-000729

Aipo session fixation vulnerability

Overview

Aipo, groupware from Aimluck, Inc., contains a session fixation vulnerability.

Aipo from Aimluck, Inc. is groupware that includes functions such as a scheduler and intra-blogging. Aipo contains a session fixation vulnerability that may allow an attacker to impersonate a user when the user logs into Aipo with a session ID sent by the attacker.

CVSS Severity

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Aimluck, Inc.
  • Aipo version V3.0.1.0 and earlier
  • Aipo ASP V3.0.1.0 and earlier
Impact

This vulnerability may allow an attacker to impersonate a user. As a result, the attacker may be able to perform operations with that user's privileges and so disclose or alter information.
Solution

[Update the Software]

The vendor has released an updated program addressing this vulnerability. It is recommended that users apply the updated program. For more information, refer to the vendor's website.
Vendor Information

Aimluck, Inc.
References

  1. JVN : JVN#70075625
  2. National Vulnerability Database (NVD) : CVE-2007-5154
  3. Common Vulnerabilities and Exposures (CVE) : CVE-2007-5154
  4. Secunia Advisory : SA27004
  5. SecurityFocus : 25843
  6. ISS X-Force Database : 36850
  7. Common Weakness Enumeration (CWE) : Race Condition (CWE-362) [NVD Evaluation]
Revision History

[2008/05/21]
  Web page published


Date Public: 2007/09/28
Date First Published: 2008/05/21
Date Last Updated: 2008/05/21