JVN#67334580
hisa_cart information disclosure vulnerability
Overview
hisa_cart from Hisanaga Electric Co.Ltd contains an information disclosure vulnerability.
Products Affected
- hisa_cart v1.29 and earlier
Description
hisa_cart from Hisanaga Electric Co.Ltd is a shopping cart module for XOOPS. hisa_cart contains a vulnerability allowing the disclosure of users' information.
Impact
A remote attacker could obtain information about registered users.
Solution
Update the Software
An update is being distributed to registered users.
Update to the latest version according to the information provided by the vendor.
Users are advised not to use hisa_cart v1.29 and earlier.
Vendor Status
Vendor | Link |
---|---|
Hisanaga Electric Co.Ltd | Security information (in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2008.10.17
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2008-4635 |
JVN iPedia | JVNDB-2008-000068 |