Published: 2024/09/09  Last Updated: 2024/09/10

JVN#05579230
Multiple Alps System Integration products and the OEM products vulnerable to cross-site request forgery

Overview

Multiple Alps System Integration products and the OEM products contain a cross-site request forgery vulnerability.

Products Affected

Alps System Integration Co., Ltd.

  • InterSafe WebFilter
  • InterSafe LogDirector
  • InterSafe GatewayConnection
  • InterSafe LogNavigator
  • InterSafe CATS
  • InterSafe MobileSecurity

Alps System Integration states that the OEM products listed below are affected as well.

Trend Micro Incorporated
  • InterScan WebManager
MIROKU JYOHO SERVICE CO., LTD.
  • MJS WebFiltering
Hammock Corporation
  • AssetView F
MOTEX Inc.
  • LANSCOPE EndpointManager WebFiltering
AXSEED,Inc.
  • SPPM BizBrowser
  • SPPM Secure Filtering
QualitySoft Corporation
  • URL Filtering
JMA Systems Corporation
  • KAITO SecureBrowser

For details of the affected products and versions, refer to the information provided by the developer.

Description

Multiple Alps System Integration products and the OEM products contain a cross-site request forgery vulnerability (CWE-352).

Impact

If a user views a malicious page while logged in, unintended operations may be performed.

Solution

Update the software or apply the workaround
Update the software to the latest version or apply the workaround according to the information provided by the developer.

Note that the vulnerability in the following products was addressed. Therefore, no action is required from the users.

Alps System Integration Co., Ltd.

  • InterSafe GatewayConnection (Measures completion date: July 20, 2024)
  • InterSafe CATS (Measures completion date: July 4, 2024)
  • InterSafe MobileSecurity (Measures completion date: August 31, 2024)
MIROKU JYOHO SERVICE CO., LTD.
  • MJS WebFiltering (Measures completion date: July 4, 2024)
Hammock Corporation
  • AssetView F (Measures completion date: July 4, 2024)
MOTEX Inc.
  • LANSCOPE EndpointManager WebFiltering (Measures completion date: July 4, 2024)
AXSEED,Inc.
  • SPPM BizBrowser (Measures completion date: June 18, 2024)
  • SPPM Secure Filtering (Measures completion date: July 20, 2024)
QualitySoft Corporation
  • URL Filtering (Measures completion date: July 4, 2024)
JMA Systems Corporation
  • KAITO SecureBrowser (Measures completion date: July 4, 2024)

For more details, refer to the information provided by the developer.

Vulnerability Analysis by JPCERT/CC

CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Base Score: 6.5

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): None (N)

Credit

Yoshiaki Komeyama of KOBELCO SYSTEMS CORPORATION reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-45504
JVN iPedia: JVNDB-2024-000095

Update History

2024/09/10
Information under the section [Vendor Status] was updated.