[Japanese]

JVNDB-2011-000063

Aipo vulnerable to SQL injection

Overview

Aipo contains a SQL injection vulnerability.

Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a SQL injection vulnerability.

Tsuyoshi Yamaguchi of Digiplate, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Aimluck,Inc
  • Aipo versions prior to 5.1.1
  • Aipo ASP versions prior to 5.1.1

Impact

Users who can login and do not have access privileges to information in Aipo may view or alter information.

The developer has confirmed that a third party without login credentials cannot view or alter information.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.

This issue has been resolved in Aipo Version 5.1.1.
Vendor Information

Aimluck,Inc
CWE (What is CWE?)

  1. SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-1342
References

  1. JVN : JVN#31506102
  2. National Vulnerability Database (NVD) : CVE-2011-1342
Revision History

[2011/08/16]
  Web page published