JVNDB-2014-002800

Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option

Overview

Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option contain cross-site scripting and cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities cannot be exploited without logging in to these products.

CVSS Severity

CVSS V2 Severity:
Base Metrics 3.5 (Low) [Vendor Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Hitachi, Ltd
  • Hitachi Tuning Manager
  • JP1/Performance Management - Manager Web Option

Please refer to HS14-013 provided by Hitachi for more details.

Impact

A remote attacker could insert malicious scripts when the web page is displayed.

Solution

Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.

Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS14-013

CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]

CVE

  1. CVE-2014-4188
  2. CVE-2014-4189

References

  1. National Vulnerability Database (NVD) : CVE-2014-4188
  2. National Vulnerability Database (NVD) : CVE-2014-4189

Revision History

  • [2014/06/12]
      Web page was published
  • [2014/06/19]
      CVE : CVE-IDs were added
      References : Contents were added
  • [2015/03/03]
      CVSS Severity was modified