Published:2011/08/16  Last Updated:2011/08/16

Aipo vulnerable to SQL injection


Aipo contains a SQL injection vulnerability.

Products Affected

  • Aipo versions prior to 5.1.1
  • Aipo for ASP versions prior to 5.1.1


Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a SQL injection vulnerability.


Users who can login and do not have access privileges to information in Aipo may view or alter information.

The developer has confirmed that a third party without login credentials cannot view or alter information.


Update the Software
Update to the latest version according to the information provided by the developer.

This issue has been resolved in Aipo Version 5.1.1.

Vendor Status

Vendor Status Last Update Vendor Notes
Aimluck,Inc. vulnerable 2011/08/16


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.08.16

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication self-registration, perhaps valid e-mail
  • Mid-High
User Interaction Required the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures


Tsuyoshi Yamaguchi of Digiplate, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2011-1342
JVN iPedia JVNDB-2011-000063