Cross-site scripting vulnerability in activeCollab


activeCollab from A51 D.O.O. contains a cross-site scripting vulnerability.

activeCollab from A51 D.O.O. is project management software. It contains a cross-site scripting vulnerability.

Daiki Fukumori reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

A51 D.O.O.
  • activeCollab 0.7.1 and earlier


An arbitrary script may be executed on the user's web browser.

[Update the software]
According to the vendor, activeCollab 0.x is no longer being developed or supported, and the vendor recommends that users use activeCollab 2.1. For more information, refer to the vendor's website.
Vendor Information

A51 D.O.O.
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
CVE

  1. CVE-2009-2041

  1. JVN : JVN#55752635
  2. National Vulnerability Database (NVD) : CVE-2009-2041
Revision History

  • [2009/06/18]
      Web page published