JVNDB-2011-000006

Cross-site scripting vulnerability in multiple Rocomotion products

Multiple products provided by Rocomotion contain a cross-site scripting vulnerablility.

Multiple products (P board etc.) provided by Rocomotion contain a cross-site scripting vulnerablility.

Saeki Tominaga of KINOTROPE INC. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Rocomotion

• P board 1.19
• P board with G 1.14
• P board R 1.18
• P board R with G 1.18
• P board RI 1.19
• P board RI with G 1.17
• P board RI with GBO 1.13
• P diary R 1.14
• P forum 1.31
• P link 1.12
• P link compact 1.05
• P up board 1.39
• P up board with G 1.28
• P up board with GBO 1.19
• P up board I with G 1.18
• P up board random 1.29
• P up board random 2 1.03
• PM bbs 1.08
• PM forum 1.19
• PM up bbs 1.09
• pplog 3.32
• pplog2 3.38

An arbitrary script may be executed on the user's web browser.

[Update the Software]
Update to the latest version according to the information provided by the developer.

This issue has been resolved in the following versions.

* P board 1.19
* P board with G 1.14
* P board R 1.18
* P board R with G 1.18
* P board RI 1.19
* P board RI with G 1.17
* P board RI with GBO 1.13
* P diary R 1.14
* P forum 1.31
* P link 1.12
* P link compact 1.05
* P up board 1.39
* P up board with G 1.28
* P up board with GBO 1.19
* P up board I with G 1.18
* P up board random 1.29
* P up board random 2 1.03
* PM bbs 1.08
* PM forum 1.19
* PM up bbs 1.09
* pplog 3.32
* pplog2 3.38

Rocomotion

• Rocomotion : 12949466953653 (Japanese)

1. Cross-site Scripting(CWE-79) [IPA Evaluation]

1. CVE-2010-3931

1. JVN : JVN#09115481
2. National Vulnerability Database (NVD) : CVE-2010-3931
3. Secunia Advisory : SA42957
4. SecurityFocus : 45838
5. ISS X-Force Database : 64745
6. OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 70495

• [2011/01/18]
    Web page published