JVN#60419863
Geeklog Forum Plugin vulnerable to cross-site scripting
Overview
Geeklog Forum Plugin contains a cross-site scripting vulnerability.
Products Affected
- Geeklog Forum Plugin 2.7 and earlier
Description
Geeklog Forum Plugin is a plugin for Geeklog, an open source contents management system. Geeklog Forum Plugin contains a cross-site scripting vulnerability.
Impact
An arbitrary script could be executed on the user's web browser.
Solution
Update the Software
Apply the latest update provided by the developer.
For more information, refer to the developer's website.
Vendor Status
| Vendor | Link |
| Blaine Lang |
Forum Plugin Version 2.7.1 - Security Fix |
| Geeklog |
Forum Plugin Version 2.7.1 - Security Fix |
| Geeklog Japanese |
Forum Plugin Version 2.7.1 - Security Fix |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2008.07.25
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | Routed - can be attacked over the Internet using packets |
|
| Authentication | None - anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file |
|
| Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) |
|
Credit
NetAgent Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Technology Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2008-3316 |
| JVN iPedia |
JVNDB-2008-000045 |