Published: 2013/05/20  Last Updated: 2013/05/20

JVN#10461119
Cross-site scripting vulnerability in the web2py social bookmarking widget

Overview

The social bookmarking widget (share.js) in web2py contains a cross-site scripting vulnerability.

Products Affected

  • share.js widget shipped with web2py versions prior to 2.3.1

web2py applications that use the above widget are affected by this vulnerability.

Description

web2py is a framework for creating and designing web applications. The social bookmarking widget in web2py contains a cross-site scripting vulnerability.

Impact

A user who visits a site built with web2py that serves share.js may have an arbitrary script executed in their web browser.

Solution

Update the software and replace the file
Update to the latest version of web2py and, following the information provided by the developer, replace the copy of share.js that each application serves. Updating the framework alone is not sufficient if an application ships its own copy of the widget file; every such copy must be replaced.
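The following script is an added example for checking the replacement step above; it is not part of the JVN advisory or of the web2py project. It assumes the common web2py layout in which each application keeps its own copy of the widget at applications/<app>/static/js/share.js (an assumed path; adjust it if your installation differs) and compares every such copy against a reference copy taken from the updated framework.

```shell
#!/bin/sh
# Added example, not code from JVN or web2py.
# Lists web2py applications whose copy of share.js differs from a reference copy.
#
# Assumed layout (adjust if yours differs):
#   <web2py>/applications/<app>/static/js/share.js
#
# Usage: find_stale_share_js REF_SHARE_JS APPLICATIONS_DIR
#   Prints the path of every application copy that differs from REF_SHARE_JS.
#   Returns 0 when no stale copies were found, 1 otherwise.
#   Applications that do not ship the widget at all are skipped.
find_stale_share_js() {
    ref="$1"
    apps="$2"
    rc=0
    if [ ! -f "$ref" ]; then
        printf 'reference file not found: %s\n' "$ref" >&2
        return 2
    fi
    # Trailing slash makes the glob match directories only.
    for app in "$apps"/*/; do
        [ -d "$app" ] || continue
        f="${app}static/js/share.js"
        # No copy of the widget in this application: nothing to replace.
        [ -f "$f" ] || continue
        # cmp -s is POSIX and compares byte for byte.
        if ! cmp -s "$ref" "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh this_script.sh /path/to/updated/share.js /path/to/web2py/applications
if [ "$#" -eq 2 ]; then
    find_stale_share_js "$1" "$2"
fi
```

Run it once after the upgrade with the updated framework copy of share.js as the reference; an empty listing and exit status 0 mean every application copy has been replaced.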

Vendor Status

Vendor Link
Vendor: web2py
Link: web2py 2.3.1 is out


Credit

Yuji Kosuga of Everforth Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2013-2311
JVN iPedia: JVNDB-2013-000040