JVN#85821104
Active! mail 2003 session ID disclosure vulnerability
Overview
Active! mail 2003 from TransWARE Co. contains a vulnerability in which session IDs may be disclosed.
Products Affected
- Active! mail 2003 Build 2003.0139.0871 and earlier
The above products are affected by this vulnerability when the mobile function is enabled.
Description
Active! mail 2003 from TransWARE Co. is web-based email software. Active! mail 2003 contains a vulnerability in which session IDs may be disclosed.
Impact
A remote attacker could impersonate a user of Active! mail 2003. As a result, the user's email may be viewed or configurations may be modified.
Solution
Update the Software
Update to the latest version according to the information provided by the vendor.
Vendor Status
| Vendor | Link |
|---|---|
| TransWARE Co. | AM03SA2009-003 (Japanese Only) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.12.08
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | Routed - can be attacked over the Internet using packets | |
| Authentication | None - anonymous or no authentication (IP addresses do not count) | |
| User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | |
| Exploit Complexity | Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) | |
Credit
Kenichi Maehashi of CIS RAT at Hosei University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2009-4353 |
| JVN iPedia | JVNDB-2009-000076 |
Update History
- 2009/12/24
- Information under the sections "Vendor Status" and "Other Information" was modified.