Published:2010/02/25  Last Updated:2010/02/26

tDiary plugin tb-send.rb vulnerable to cross-site scripting


tDiary plugin tb-send.rb contains a cross-site scripting vulnerability.

Products Affected

  • tDiary 2.2.2(full set) and earlier
  • tDiary 2.2.2(plugins) and earlier
The developer has confirmed that tDiary 2.3.x are not affected by this vulnerability.


tDiary is a weblog software. tDiary plugin tb-send.rb contains a cross-site scripting vulnerability.


An arbitrary script may be executed on some web browsers.


Update the Software
Update according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes Vulnerable 2010/02/25


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2010.02.25

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication Standard - login caused to be created by an administrator
  • Low-Medium
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Medium-High

Description of each analysis measures


Project VEX of UBsecure, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2010-0726
JVN iPedia JVNDB-2010-000005

Update History