JVNDB-2014-000099

Advance-Flow vulnerable to SQL injection

Overview

Advance-Flow provided by OSK Co., LTD contains an issue in processing input data, which may result in SQL injection.

Yoshinori Ohta of Business Architects Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


OSK Co., LTD
  • Advance-Flow Ver 4.41 and earlier
  • Advance-Flow Forms Ver 4.41 and earlier

Impact

A user may obtain or alter information in the database.
Solution

[Do not use Advance-Flow]
The developer has stated that support for Advance-Flow has been discontinued and therefore recommends that users stop using Advance-Flow.
Note that the successor to Advance-Flow, eValue NS, is not affected by this vulnerability.
Vendor Information

OSK Co., LTD
CWE

  1. SQL Injection (CWE-89) [IPA Evaluation]
CVE

  1. CVE-2014-3906
References

  1. JVN : JVN#20812625
  2. National Vulnerability Database (NVD) : CVE-2014-3906
Revision History

  • [2014/08/19] Web page was published
  • [2014/08/20] References : Content was added