JVNDB-2007-000074

phpAdsNew cross-site scripting vulnerability

Overview

phpAdsNew, an open source web advertising management system, contains a cross-site scripting vulnerability.

Note that phpAdsNew is now called "Openads."

The products listed below use the same module as phpAdsNew and are therefore also affected by the vulnerability.

- phpPgAds 2.0.9-pr1 and earlier
- Max Media Manager v0.1.29-rc and earlier
- Max Media Manager v0.3.30-alpha and earlier

All users of these products are encouraged to update to the latest versions provided by the developer.

The updated versions of each product are listed below:

- The updated version of phpAdsNew 2.0.9-pr1 is Openads 2.0.10.
- The updated version of phpPgAds 2.0.9-pr1 is Openads for PostgreSQL 2.0.10.
- The updated version of Max Media Manager v0.1.29-rc and v0.3.30-alpha is Openads 2.3.31.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Openads
  • Openads 2.0 - 2.0.10
  • Openads 2.3 - 2.3.31
  • Openads (postgresql) 2.0.10

Impact

An arbitrary script may be executed in the user's web browser if the user is logged into phpAdsNew as the administrator. This may allow cookie information to be leaked or displayed content to be falsified.

Solution

Vendor Information

Openads

CWE

CVE

  1. CVE-2007-0477

References

  1. JVN : JVN#07274813
  2. National Vulnerability Database (NVD) : CVE-2007-0477

Revision History

  • [2008/05/21]
      Web page published