JVN#07274813
phpAdsNew cross-site scripting vulnerability
Overview
phpAdsNew, an open source web advertising management system, contains a cross-site scripting vulnerability.
Note that phpAdsNew is now called "Openads."
Products Affected
- phpAdsNew 2.0.9-pr1 and earlier
Description
The products listed below use the same module as phpAdsNew and are therefore also affected by the vulnerability.
All users of these products are encouraged to update to the latest versions provided by the developer.
- phpPgAds 2.0.9-pr1 and earlier
- Max Media Manager v0.1.29-rc and earlier
- Max Media Manager v0.3.30-alpha and earlier
The updated versions of each product are listed below:
- The updated version of phpAdsNew 2.0.9-pr1 is Openads 2.0.10.
- The updated version of phpPgAds 2.0.9-pr1 is Openads for PostgreSQL 2.0.10.
- The updated version of Max Media Manager v0.1.29-rc and v0.3.30-alpha is Openads 2.3.31.
Impact
An arbitrary script may be executed in the user's web browser if the user is logged into phpAdsNew as the administrator. This may allow cookie information to be leaked or displayed content to be falsified.
Solution
Vendor Status
References
JPCERT/CC Addendum
Credit
Daiki Fukumori of Secure Sky Technology, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
JVN iPedia | JVNDB-2007-000074 |