Aipo session fixation vulnerability


Aipo, groupware from Aimluck, Inc., contains a session fixation vulnerability.

Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-blogging. Aipo contains a session fixation vulnerability which may allow an attacker to impersonate a user when the user logs into AIPO with the session ID sent by the attacker.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

  • Aipo version V3.0.1.0 and earlier
  • Aipo ASP V3.0.1.0 and earlier


This vulnerability may allow an attacker to impersonate a user. As a result, the attacker may be able to perform operations authorized by the privilege of the user to disclose or alter information.

[Update the Software]

The vendor has released an updated program addressing this vulnerability. It is recommended that users apply the updated program. For more information, refer to the vendor's website.
Vendor Information

CWE (What is CWE?)

  1. Race Condition(CWE-362) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2007-5154

  1. JVN : JVN#70075625
  2. National Vulnerability Database (NVD) : CVE-2007-5154
  3. Secunia Advisory : SA27004
  4. SecurityFocus : 25843
  5. ISS X-Force Database : 36850
Revision History

  • [2008/05/21]
      Web page published