JVNDB-2016-000232

[Japanese]
JVNDB-2016-000232
Simple keitai chat vulnerable to cross-site scripting
Overview
Simple keitai chat provided by LEMON-S PHP contains reflected and stored cross-site scripting vulnerabilities (CWE-79). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
Affected Products

LEMON-S PHP Simple keitai chat 2.0 and earlier

Impact
An arbitrary script may be executed on the user's web browser.
Solution
[Do not use Simple keitai chat] Simple keitai chat is no longer being developed or maintained. It is recommended to stop using Simple keitai chat.
Vendor Information
LEMON-S PHP LEMON-S PHP : Information from LEMON-S PHP (in Japanese)
CWE (What is CWE?)
Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)
CVE-2016-7817
References
JVN : JVN#05493467 National Vulnerability Database (NVD) : CVE-2016-7817
Revision History
[2016/11/25] Web page was published [2018/01/17] References : Content was added


Date Public	2016/11/25
Date First Published	2016/11/25
Date Last Updated	2018/01/17

Simple keitai chat vulnerable to cross-site scripting