Cross-Site Scripting Vulnerability in Hitachi Web Server Status Information Display Function


A cross-site scripting vulnerability has been found in the Status Information Display function of Hitachi Web Server.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Version 5
  • Cosminexus Developer Light Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Version 5
  • Cosminexus Server - Enterprise Edition
  • Cosminexus Server - Standard Edition
  • Cosminexus Server - Standard Edition Version 4
  • Cosminexus Server - Web Edition
  • Cosminexus Server - Web Edition Version 4
  • Hitachi Web Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus Developer Standard
  • uCosminexus Service Architect
  • uCosminexus Service Platform

Please refer to HS08-016 provided by Hitachi for more details.

An attacker could carry out a cross-site scripting attack by sending a request that contains malicious scripts.
The vulnerability does not affect the products if the Status Information Display function is disabled.

Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS08-016
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
CVE

  1. CVE-2007-6388

  1. National Vulnerability Database (NVD) : CVE-2007-6388
  2. JVN iPedia (Japanese) : JVNDB-2008-001513
Revision History

  • [2008/07/30]
      Web page published
      Affected Products : Product was added
      References : Contents were added