JVNDB-2013-000040

Cross-site scripting vulnerability in the web2py social bookmarking widget

Overview

The social bookmarking widget (share.js) in web2py contains a cross-site scripting vulnerability.

web2py is a framework for creating and designing web applications. The social bookmarking widget in web2py contains a cross-site scripting vulnerability.

Yuji Kosuga of Everforth Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

web2py
  • web2py share.js widget shipped with web2py versions prior to 2.3.1

web2py applications that use the above widget are affected by this vulnerability.

Impact

A user who accesses a site built with web2py that uses share.js may have an arbitrary script executed in their web browser.

Solution

[Update the software and replace the file]
Update to the latest version of web2py and replace the share.js file that the application uses, following the information provided by the developer.

Vendor Information

web2py

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2013-2311

References

  1. JVN : JVN#10461119
  2. National Vulnerability Database (NVD) : CVE-2013-2311

Revision History

[2013/5/20]
  Web page was published