JVNDB-2007-000400

Advance-Flow cross-site scripting vulnerability

Overview

Advance-Flow is an electronic authorization system. Advance-Flow contains a cross-site scripting vulnerability in its application form.

Advance-Flow, provided by OSK Co., LTD, contains a cross-site scripting vulnerability because it does not properly handle output data. Whether an application form is affected depends on its contents: some application forms are vulnerable and others are not.

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

OSK Co., LTD
  • Advance-Flow Ver 4.41 and earlier
  • Advance-Flow Forms Ver 4.41 and earlier

Impact

An arbitrary script may be executed on the user's web browser.

Solution

[Update the Software]

Apply the updates provided by the vendor.

Fixed versions:
  • Advance-Flow Ver 4.42 or later
  • Advance-Flow Forms Ver 4.42 or later

Vendor Information

OSK Co., LTD

CWE

  1. Cross-site Scripting (CWE-79) [NVD Evaluation]

CVE

  1. CVE-2007-2811

References

  1. JVN : JVN#92832583
  2. National Vulnerability Database (NVD) : CVE-2007-2811
  3. JPCERT REPORT : JPCERT-WR-2007-1901
  4. Secunia Advisory : SA25338
  5. SecurityFocus : 24071
  6. FrSIRT Advisories : FrSIRT/ADV-2007-1884

Revision History

  • [2008/05/21]
      Web page published