|
[Japanese]
|
JVNDB-2010-000035
|
Cross-site scripting vulnerability in Access Analyzer CGI by futomi's CGI Cafe
|
|
Access Analyzer CGI from futomi's CGI Cafe contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page.
Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page.
According to the developer, users of the Professional version that are using the "Method to load js files for tags within the head tag" as stated in the manual are not affected by this vulnerability.
Katsumi Kobayashi of NRI Secure Technologies, Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
futomi Co.,Ltd.
- Access Analyzer CGI Professional Version
- Access Analyzer CGI Standard Version 4.0.2 and earlier
|
|
|
An arbitrary script may be executed on the user's web browser.
|
|
[Change the method in which tags are embedded]
Use the "Method to load js files for tags within the head tag" that is described in the manual
Note that users of the Standard version require an update to the software prior to making this change.
|
|
futomi Co.,Ltd.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2010-2366
|
|
- JVN : JVN#35605523
- National Vulnerability Database (NVD) : CVE-2010-2366
- SecurityFocus : 43142
|
|
- [2010/09/10]
Web page published
|
