Published: 2016/11/25  Last Updated: 2016/11/25

JVN#05493467
Simple keitai chat vulnerable to cross-site scripting

Overview

Simple keitai chat contains cross-site scripting vulnerabilities.

Products Affected

  • Simple keitai chat 2.0 and earlier

Description

Simple keitai chat provided by LEMON-S PHP contains reflected and stored cross-site scripting vulnerabilities (CWE-79).

Impact

An arbitrary script may be executed on the user's web browser.

Solution

Do not use Simple keitai chat
Simple keitai chat is no longer being developed or maintained. It is recommended to stop using Simple keitai chat.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
LEMON-S PHP | Vulnerable | 2016/11/25 |

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1

  • Attack Vector (AV): Network (N); options: Physical (P), Local (L), Adjacent (A), Network (N)
  • Attack Complexity (AC): Low (L); options: High (H), Low (L)
  • Privileges Required (PR): None (N); options: High (H), Low (L), None (N)
  • User Interaction (UI): Required (R); options: Required (R), None (N)
  • Scope (S): Changed (C); options: Unchanged (U), Changed (C)
  • Confidentiality Impact (C): Low (L); options: None (N), Low (L), High (H)
  • Integrity Impact (I): Low (L); options: None (N), Low (L), High (H)
  • Availability Impact (A): None (N); options: None (N), Low (L), High (H)

CVSS v2: AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score: 5.0

  • Access Vector (AV): Network (N); options: Local (L), Adjacent Network (A), Network (N)
  • Access Complexity (AC): Low (L); options: High (H), Medium (M), Low (L)
  • Authentication (Au): None (N); options: Multiple (M), Single (S), None (N)
  • Confidentiality Impact (C): None (N); options: None (N), Partial (P), Complete (C)
  • Integrity Impact (I): Partial (P); options: None (N), Partial (P), Complete (C)
  • Availability Impact (A): None (N); options: None (N), Partial (P), Complete (C)

Credit

Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2016-7817
JVN iPedia: JVNDB-2016-000232