JVN#23558374
Cross-site scripting vulnerability in Access Analyzer CGI Standard Version (Ver. 3.x)
Overview
Access Analyzer CGI Standard Version (Ver. 3.x) from futomi's CGI Cafe contains a cross-site scripting vulnerability.
Products Affected
- Access Analyzer CGI Standard Version, Ver 3.8.1 and earlier
Description
Access Analyzer CGI Standard Version, provided by futomi's CGI Cafe, is software for analyzing web access logs. Access Analyzer CGI Standard Version (Ver. 3.x) contains a cross-site scripting vulnerability.
Impact
An arbitrary script may be executed on the user's web browser.
Solution
Update the software
Update to Ver. 4.x according to the information provided by the vendor.
Vendor Status
Vendor | Link |
---|---|
futomi's CGI Cafe | Cross-site scripting vulnerability in Access Analyzer CGI Standard Version (Ver. 3.x) - (Japanese Only) |
References
JPCERT/CC Addendum
This vulnerability was fixed in version 4.0.0 released on November 23, 2007. The most recent version (4.0.2) was released on December 12, 2008.
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.03.16
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as clicking on a link or viewing a file | |
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia | JVNDB-2009-000015 |