Published:2008/10/17  Last Updated:2008/10/21

JVN#67334580
hisa_cart information disclosure vulnerability

Overview

hisa_cart from Hisanaga Electric Co.Ltd contains an information disclosure vulnerability.

Products Affected

  • hisa_cart v1.29 and earlier

Description

hisa_cart from Hisanaga Electric Co.Ltd is a shopping cart module for XOOPS. hisa_cart contains a vulnerability allowing the disclosure of users' information.

Impact

A remote attacker could obtain information of registered users.

Solution

Update the Software
An update is being distributed to registered users.
Update to the latest version according to the information provided by the vendor.

It is recommended that users should not use hisa_cart v1.29 and earlier.

Vendor Status

Vendor Link
Hisanaga Electric Co.Ltd Security information (in Japanese)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2008.10.17

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  • High

Description of each analysis measures

Credit

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2008-4635
JVN iPedia JVNDB-2008-000068

Update History