[Japanese]

JVNDB-2011-000006

Cross-site scripting vulnerability in multiple Rocomotion products

Overview

Multiple products provided by Rocomotion contain a cross-site scripting vulnerablility.

Multiple products (P board etc.) provided by Rocomotion contain a cross-site scripting vulnerablility.

Saeki Tominaga of KINOTROPE INC. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Rocomotion
  • P board 1.19
  • P board with G 1.14
  • P board R 1.18
  • P board R with G 1.18
  • P board RI 1.19
  • P board RI with G 1.17
  • P board RI with GBO 1.13
  • P diary R 1.14
  • P forum 1.31
  • P link 1.12
  • P link compact 1.05
  • P up board 1.39
  • P up board with G 1.28
  • P up board with GBO 1.19
  • P up board I with G 1.18
  • P up board random 1.29
  • P up board random 2 1.03
  • PM bbs 1.08
  • PM forum 1.19
  • PM up bbs 1.09
  • pplog 3.32
  • pplog2 3.38

Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

This issue has been resolved in the following versions.

* P board 1.19
* P board with G 1.14
* P board R 1.18
* P board R with G 1.18
* P board RI 1.19
* P board RI with G 1.17
* P board RI with GBO 1.13
* P diary R 1.14
* P forum 1.31
* P link 1.12
* P link compact 1.05
* P up board 1.39
* P up board with G 1.28
* P up board with GBO 1.19
* P up board I with G 1.18
* P up board random 1.29
* P up board random 2 1.03
* PM bbs 1.08
* PM forum 1.19
* PM up bbs 1.09
* pplog 3.32
* pplog2 3.38
Vendor Information

Rocomotion
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2010-3931
References

  1. JVN : JVN#09115481
  2. National Vulnerability Database (NVD) : CVE-2010-3931
  3. Secunia Advisory : SA42957
  4. SecurityFocus : 45838
  5. ISS X-Force Database : 64745
  6. OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 70495
Revision History

[2011/01/18]
  Web page published