Published:2015/12/07 Last Updated:2015/12/08
JVN#70083512
Web Analytics Service vulnerable to cross-site scripting
Overview
The JavaScript module for using Web Analytics Service which was provided by NTT DATA Smart Sourcing Corporation contains a cross-site scripting vulnerability.
Products Affected
- The JavaScript module for using Web Analytics Service
Description
The JavaScript module for using Web Analytics Service which was provided by NTT DATA Smart Sourcing Corporation contains a cross-site scripting vulnerability (CWE-79) due to a flaw in escaping process.
According to the developer, this script was distributed from 26 November, 2003 to 9 July, 2013.
Impact
An arbitrary script may be executed on the user's web browser.
Solution
Delete the JavaScript
Web Analytics Service has been discontinued. Delete the JavaScript according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| NTT DATA Smart Sourcing Corporation | Vulnerable | 2015/12/07 | NTT DATA Smart Sourcing Corporation website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score:
6.1
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score:
4.3
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2015-7786 |
| JVN iPedia |
JVNDB-2015-000196 |
Update History
- 2015/12/08
- Information under the section "Other Information" was updated.