
JVNDB-2024-000095

Multiple Alps System Integration products and the OEM products vulnerable to cross-site request forgery

Overview

Multiple Alps System Integration products and their OEM products contain a cross-site request forgery vulnerability (CWE-352).

Yoshiaki Komeyama of KOBELCO SYSTEMS CORPORATION reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
Affected Products


Alps System Integration Co., Ltd.
  • InterSafe CATS
  • InterSafe GatewayConnection
  • InterSafe LogDirector
  • InterSafe LogNavigator
  • InterSafe MobileSecurity
  • InterSafe WebFilter
MOTEX Inc.
  • LANSCOPE Endpoint Manager Web Filtering
QualitySoft Corporation
  • URL Filtering
Trend Micro, Inc.
  • InterScan WebManager
AXSEED,Inc.
  • SPPM BizBrowser
  • SPPM Secure Filtering
JMA Systems Corporation
  • KAITO Secure Browser
Hammock Corporation
  • AssetView F
MIROKU JYOHO SERVICE CO., LTD. (MJS)
  • MJS Web Filtering

For more details, refer to the information provided by the developer.
Impact

If a user views a malicious page while logged in to an affected product, unintended operations may be performed.
Solution

[Update the software or apply the workaround]
Update the software to the latest version or apply the workaround according to the information provided by the developer.

Note that the vulnerability in the following products has already been addressed, so no action is required from users.


Alps System Integration Co., Ltd.
  • InterSafe GatewayConnection (Measures completion date: July 20, 2024)
  • InterSafe CATS (Measures completion date: July 4, 2024)
  • InterSafe MobileSecurity (Measures completion date: August 31, 2024)
MIROKU JYOHO SERVICE CO., LTD.
  • MJS WebFiltering (Measures completion date: July 4, 2024)
Hammock Corporation
  • AssetView F (Measures completion date: July 4, 2024)
MOTEX Inc.
  • LANSCOPE EndpointManager WebFiltering (Measures completion date: July 4, 2024)
AXSEED,Inc.
  • SPPM BizBrowser (Measures completion date: June 18, 2024)
  • SPPM Secure Filtering (Measures completion date: July 20, 2024)
QualitySoft Corporation
  • URL Filtering (Measures completion date: July 4, 2024)
JMA Systems Corporation
  • KAITO SecureBrowser (Measures completion date: July 4, 2024)



For more details, refer to the information provided by the developer.
Vendor Information

  • Alps System Integration Co., Ltd.
  • MOTEX Inc.
  • Trend Micro, Inc.
CWE

  1. Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
CVE

  1. CVE-2024-45504
References

  1. JVN : JVN#05579230
Revision History

  • [2024/09/09]
      Web page was published
  • [2024/09/11]
      Vendor Information : Content was added