[Japanese]

JVNDB-2014-000147

KENT-WEB Clip Board vulnerable to cross-site scripting

Overview

KENT-WEB Clip Board is a bulletin board software that a user can upload binary files such as image files. Clip Board contains a cross-site scripting vulnerability.

Sen UENO of Tricorder Co. Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


KENT-WEB
  • Clip Board Ver 2.91 and earlier

According to the developer, this issue can only be exploited in environments where Internet Explorer versions 5.01 through 7 are being used without Microsoft Security Bulletin MS07-057 applied.
Impact

An arbitrary script may be executed on the user's web browser.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

KENT-WEB
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-7258
References

  1. JVN : JVN#12798709
  2. National Vulnerability Database (NVD) : CVE-2014-7258
Revision History

  • [2014/12/04]
      Web page was published
    [2014/12/08]
      References : Content was added

Date Public2014/12/04
Date First Published2014/12/04
Date Last Updated2014/12/08