ASP.NET vulnerable to cross-site scripting


Web applications for mobile devices created with ASP.NET may contain a cross-site scripting vulnerability.

ASP.NET contains an issue in the handling of session IDs in mobile devices. When "Mobile Controls" are used in ASP.NET to develop web applications for mobile devices, the application may contain a cross-site scripting vulnerability.

Keigo Yamazaki of LAC Co., Ltd reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Microsoft Corporation
  • Microsoft .NET Framework

Web applications for mobile devices that use "Mobile Controls" in ASP.NET may be affected by this vulnerability. For more information, refer to the "Vendor Status" section.

An arbitrary script may be executed on the user's web browser.

[Countermeasure for developers of web applications using ASP.NET]
Developers of web applications using ASP.NET should refer to the "Vendor Status" section for mitigation of this vulnerability.
Vendor Information

Microsoft Corporation
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
CVE


  1. JVN : JVN#87908726
Revision History

  • [2011/07/15]
      Web page published