JVN#31506102
Aipo vulnerable to SQL injection
Overview
Aipo contains a SQL injection vulnerability.
Products Affected
- Aipo versions prior to 5.1.1
- Aipo for ASP versions prior to 5.1.1
Description
Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a SQL injection vulnerability.
Impact
Users who can login and do not have access privileges to information
in Aipo may view or alter information.
The developer has confirmed
that a third party without login credentials cannot view or alter information.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
This issue has been resolved in Aipo Version 5.1.1.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2011.08.16
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | self-registration, perhaps valid e-mail |
|
| User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Tsuyoshi Yamaguchi of Digiplate, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2011-1342 |
| JVN iPedia |
JVNDB-2011-000063 |