LAC Advisory

SNS Advisory No.99
Cybozu Garoon RSS Reader Arbitrary Script Execution Vulnerability
Discovered on: 27 Apr 2007
Released on: 3 Jul 2008
 
Severity:
Medium
 
Overview:
The Cybozu Garoon RSS reader has a vulnerability that allows attackers to execute arbitrary script code in the Web browser of a user who subscribes to an RSS feed, due to an error in the processing that displays the feed.
 
Description:
Cybozu Garoon is a Web-based groupware application suite.
 
Garoon's built-in RSS reader has a vulnerability that allows attackers to inject malicious script code, due to an error in the processing that outputs particular data contained in the RSS feed.
 
If the user is tricked into subscribing to a malicious RSS feed, arbitrary script code could be executed in the user's Web browser when the feed is updated, and sensitive information, including cookies, could be obtained.
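As an added illustration of the class of defect described above (this is not Cybozu's or LAC's code), the following minimal RSS reader in Python renders feed items to HTML in two forms: the unsafe one that interpolates feed data verbatim, and the hardened one that escapes every feed-supplied value and validates link schemes before use. The feed content is constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not a real feed): the title, link and description
# carry markup that a reader must not pass through to the browser unescaped.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Demo feed</title>
<item>
  <title>Release notes &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>javascript:alert(document.cookie)</link>
  <description>&lt;img src=x onerror=alert(1)&gt; plain text</description>
</item>
</channel></rss>"""


def text_of(elem, tag):
    """Text of a child element, or an empty string when it is absent."""
    return (elem.findtext(tag) or "").strip()


def parse_items(feed_xml):
    """Return a list of (title, link, description) tuples from an RSS 2.0 feed.
    The XML parser decodes &lt;/&gt; entities, so the returned strings hold
    raw markup exactly as the feed author wrote it."""
    root = ET.fromstring(feed_xml)
    return [(text_of(i, "title"), text_of(i, "link"), text_of(i, "description"))
            for i in root.iter("item")]


def render_unsafe(items):
    """The defective pattern: feed data is interpolated into HTML verbatim."""
    return "".join(f'<li><a href="{link}">{title}</a><p>{desc}</p></li>'
                   for title, link, desc in items)


def safe_href(link):
    """Allow only http(s) links; any other scheme becomes an inert anchor."""
    scheme = urlsplit(link).scheme.lower()
    return html.escape(link, quote=True) if scheme in ("http", "https") else "#"


def render_safe(items):
    """Hardened pattern: every feed-supplied value is HTML-escaped at output
    time and the link scheme is validated before it is used as an href."""
    return "".join(f'<li><a href="{safe_href(link)}">{html.escape(title)}</a>'
                   f'<p>{html.escape(desc)}</p></li>'
                   for title, link, desc in items)
```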
 
Affected Products and Versions:
Cybozu Garoon 2.0.0 - 2.1.3
 
Solution:
The vulnerability can be fixed by updating the software to Cybozu Garoon 2.5.0 or later.
 
http://cybozu.co.jp/products/dl/notice/detail/0023.html
 
Discovered by:
Yoshiki Kawata (LAC)
 
Thanks to:
This LAC Advisory is released in coordination with the Information-technology Promotion Agency, Japan (IPA) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).
http://jvn.jp/jp/JVN52363223/index.html
http://jvndb.jvn.jp/contents/ja/2008/JVNDB-2008-000035.html
 
Disclaimer:
The information contained in this advisory may be revised without prior notice and is provided as is. Users act at their own risk when taking any action after reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible for any claims, losses or damages caused by the use of the information provided here.
 
This advisory is available at the following URL:

http://www.lac.co.jp/english/advisory/99_e.html
