Published:2021/06/30  Last Updated:2021/06/30

JVN#15185184
IkaIka RSS Reader vulnerable to cross-site scripting

Overview

IkaIka RSS Reader contains a cross-site scripting vulnerability.

Products Affected

  • IkaIka RSS Reader all versions

Description

IkaIka RSS Reader contains a cross-site scripting vulnerability (CWE-79), due to the improper processing of RSS registration.

Impact

If a malicious RSS feed is loaded into the product, an arbitrary script may be executed on the web browser where the product is running.

Solution

Do not use IkaIka RSS Reader
Please stop use of IkaIka RSS Reader.
The developer has stopped distributing the product.

Vendor Status

Vendor Status Last Update Vendor Notes
IKaIKa Software Co.,LTD. Vulnerable 2021/06/30

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Base Score: 5.4
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:N
Base Score: 5.8
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20752
JVN iPedia JVNDB-2021-000058