JVNDB-2009-000031

Cross-site scripting vulnerability in leger (free edition)

Overview

leger (free edition) from 'AD2000' contains a cross-site scripting vulnerability.

leger (free edition) from 'AD2000' is a software to manage conference room reservations. leger (free edition) contains a cross-site scripting vulnerability.

The vendor has reported that Ver. 1.6.4 released on May 22, 2009 did not address the vulnerability. The vulnerability has been addressed in Ver. 1.6.5 released on May 26, 2009. For more information, refer to the vendor's website.

Tsuyoshi Ishibashi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products
AdSystems Co.,Ltd.
  • Meeting Room Reservations (leger) May 22, 2009 edition (Ver.1.6.4) and earlier

Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Update the Software]
Update to the latest version according to the information provided by the vendor.
Vendor Information

AdSystems Co.,Ltd.
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
CVE

  1. CVE-2009-2240
References

  1. JVN : JVN#57036470
  2. National Vulnerability Database (NVD) : CVE-2009-2240
  3. Secunia Advisory : SA35148
  4. SecurityFocus : 35068
Revision History

  • [2009/05/27]
      Web page published