Aipo vulnerable to SQL injection


Aipo contains a SQL injection vulnerability.

Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a SQL injection vulnerability.

Tsuyoshi Yamaguchi of Digiplate, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • Aipo versions prior to 5.1.1
  • Aipo ASP versions prior to 5.1.1


Users who can login and do not have access privileges to information in Aipo may view or alter information.

The developer has confirmed that a third party without login credentials cannot view or alter information.

[Update the Software]
Update to the latest version according to the information provided by the developer.

This issue has been resolved in Aipo Version 5.1.1.
Vendor Information

CWE (What is CWE?)

  1. SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-1342

  1. JVN : JVN#31506102
  2. National Vulnerability Database (NVD) : CVE-2011-1342
Revision History

  • [2011/08/16]
      Web page published