[Japanese]

JVNDB-2007-000773

Hitachi Web Server Cross-Site Scripting Vulnerability with Server-Status Page

Overview

When Hitachi Web Server receives a request that contains malicious scripts, they are inserted into the server-satus page the Server automatically creates. This allows the inserted malicious scripts to be executed on the client machines.

The vulnerability does not affect the product if the server-status reporting feature is disabled.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Version 5
  • Cosminexus Developer Light Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Version 5
  • Cosminexus Server - Enterprise Edition
  • Cosminexus Server - Standard Edition
  • Cosminexus Server - Standard Edition Version 4
  • Cosminexus Server - Web Edition
  • Cosminexus Server - Web Edition Version 4
  • Hitachi Web Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus Developer Standard
  • uCosminexus Service Architect
  • uCosminexus Service Platform

Please refer to HS07-035 provided by Hitachi for more details.
Impact

An attacker could execute malicious scripts.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS07-035
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2007-5809
  2. CVE-2006-5752
References

  1. National Vulnerability Database (NVD) : CVE-2007-5809
  2. National Vulnerability Database (NVD) : CVE-2006-5752
  3. Secunia Advisory : SA27421
  4. FrSIRT Advisories : FrSIRT/ADV-2007-3666
Revision History

  • [2008/05/21]
      Web page published
    [2014/05/21]
      References : Contents were added