[Japanese]

JVNDB-2011-000062

Aipo vulnerable to cross-site request forgery

Overview

Aipo contains a cross-site request forgery vulnerability.

Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a cross-site request forgery vulnerability.

Masako Ohno reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Aimluck,Inc
  • Aipo versions prior to 4.0.4.0
  • Aipo ASP versions prior to 4.0.4.0

Impact

If an administrative user views a malicious page while logged into Aipo, data stored within Aipo may be altered.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

This issue has been resolved in Aipo Version 4.0.4.0.
Vendor Information

Aimluck,Inc
CWE (What is CWE?)

  1. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-1341
References

  1. JVN : JVN#72854072
  2. National Vulnerability Database (NVD) : CVE-2011-1341
Revision History

[2011/08/16]
  Web page published