JVN#10461119
Cross-site scripting vulnerability in the web2py social bookmarking widget
Overview
The social bookmarking widget (share.js) in web2py contains a cross-site scripting vulnerability.
Products Affected
- share.js widget shipped with web2py versions prior to 2.3.1
web2py applications that use the above widget are affected by this vulnerability.
Description
web2py is a framework for creating and designing web applications. The social bookmarking widget in web2py contains a cross-site scripting vulnerability.
Impact
A user who accesses a site built with web2py that uses share.js may have an arbitrary script executed in their web browser.
Solution
Update the software and replace the file
Update to the latest version of web2py and replace the share.js file that the application uses, according to the information provided by the developer.
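Because the fix requires replacing the copy of share.js inside each application, the following added example (not part of the advisory and not the developer's code) lists application copies that differ from the share.js shipped with the updated release. The function names, the script name and the `applications/<app>/static/` layout are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_stale_share_js(web2py_root, reference_js):
    """List share.js copies under applications/ that differ from reference_js.

    reference_js is the share.js taken from the updated web2py release.
    Assumption: applications live under <web2py_root>/applications/<app>/,
    with static files somewhere below <app>/static/.
    """
    reference = Path(reference_js).resolve()
    wanted = sha256_of(reference)
    stale = []
    apps_dir = Path(web2py_root) / "applications"
    # "**" also matches zero directories, so static/share.js is covered too.
    for candidate in sorted(apps_dir.glob("*/static/**/share.js")):
        if candidate.resolve() == reference:
            continue  # skip the reference file itself
        if sha256_of(candidate) != wanted:
            stale.append(candidate)
    return stale


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_share_js.py <web2py_root> <fixed_share.js>")
    outdated = find_stale_share_js(sys.argv[1], sys.argv[2])
    for path in outdated:
        print(f"differs from fixed share.js, replace: {path}")
    # Non-zero exit status lets a deployment check fail on stale copies.
    sys.exit(1 if outdated else 0)
```

A copy reported here may also be a locally modified file, so review it before overwriting.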
Vendor Status
Vendor | Link |
web2py | web2py 2.3.1 is out |
Credit
Yuji Kosuga of Everforth Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2013-2311 |
JVN iPedia | JVNDB-2013-000040 |