JVNDB-2009-000017

XOOPS Cube Legacy cross-site scripting vulnerability

Overview

XOOPS Cube Legacy from XOOPS Cube Project contains a cross-site scripting vulnerability.

XOOPS Cube Legacy from XOOPS Cube Project is an open source content management system. XOOPS Cube Legacy contains a cross-site scripting vulnerability.

According to the developers, the XOOPS Cube Legacy distribution "Hodajuku distribution" and "additional modules" are not affected by this vulnerability. For more information, refer to the developers' website.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developers under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

XOOPS
  • XOOPS Cube Legacy 2.1.6 and earlier

Impact

If a user views a specially crafted web page, an arbitrary script may be executed in the user's web browser.

Solution

[Update the Software]
Update to the latest version or apply a patch according to the information provided by the developers.

[Workarounds]
As a workaround to this vulnerability, change the custom template according to the information provided by the developers.

Vendor Information

XOOPS

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

References

  1. JVN : JVN#74747784
  2. JVN iPedia (Japanese) : JVNDB-2009-000017

Revision History

  • [2009/04/07]
      Web page published