JVNDB-2007-000729

Aipo session fixation vulnerability

Overview

Aipo, groupware from Aimluck, Inc., contains a session fixation vulnerability.

Aipo from Aimluck, Inc. is groupware that includes functions such as a scheduler and intra-blogging. Aipo contains a session fixation vulnerability that may allow an attacker to impersonate a user when the user logs into Aipo with the session ID sent by the attacker.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Aimluck, Inc.
  • Aipo version V3.0.1.0 and earlier
  • Aipo ASP V3.0.1.0 and earlier

Impact

This vulnerability may allow an attacker to impersonate a user. As a result, the attacker may be able to perform operations with the user's privileges to disclose or alter information.

Solution

[Update the Software]

The vendor has released an updated program addressing this vulnerability. It is recommended that users apply the updated program. For more information, refer to the vendor's website.

Vendor Information

Aimluck, Inc.

CWE

  1. Race Condition (CWE-362) [NVD Evaluation]

CVE

  1. CVE-2007-5154

References

  1. JVN : JVN#70075625
  2. National Vulnerability Database (NVD) : CVE-2007-5154
  3. Secunia Advisory : SA27004
  4. SecurityFocus : 25843
  5. ISS X-Force Database : 36850

Revision History

  • [2008/05/21]
      Web page published