Published: 2005/09/29  Last Updated: 2008/05/21

Vulnerability in multiple web browsers allowing request spoofing attacks


Multiple web browsers contain a vulnerability in the processing of XmlHttpRequest objects. XmlHttpRequest objects, available in JavaScript, allow a web page to communicate with a server without reloading the page.

In general, JavaScript is only allowed to communicate with the same domain as the web page; however, an attacker could bypass this restriction by exploiting this vulnerability.

Products Affected

  • For more information, refer to the vendors' websites.



Authentication information or cookie information could be leaked.


Vendor Status

Vendor                     Status          Last Update  Vendor Notes
JustSystems Corporation    Not Vulnerable  2005/09/29
Allied Telesis K.K.        Not Vulnerable  2005/09/29
B.U.G., Inc.               Not Vulnerable  2005/10/05
Century Systems Co., Ltd.  Not Vulnerable  2005/09/29
Cybozu, Inc.               Not Vulnerable  2005/09/29
FUJITSU LIMITED            Not Vulnerable  2005/11/10
Hitachi                    Not Vulnerable  2005/09/29
Lunascape Co.,Ltd.         Vulnerable      2005/09/29
Microsoft Co.,Ltd.         Not Vulnerable  2005/09/29
NEC Corporation            Not Vulnerable  2005/09/29
Orangesoft Inc.            Not Vulnerable  2005/09/29
Turbolinux, Inc.           Unknown         2005/09/29
SOURCENEXT CORPORATION     Not Vulnerable  2005/09/29
RICOH COMPANY, LTD.        Not Vulnerable  2005/10/06


JPCERT/CC Addendum


Yutaka Oiwa of the Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Japan, reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
JVN iPedia JVNDB-2005-000530

Update History