SNS Advisory No.99
Cybozu Garoon RSS Reader Arbitrary Script Execution Vulnerability
Discovered on: 27 Apr 2007
Released on: 3 Jul 2008
Severity: Medium
Overview:
Cybozu Garoon's RSS reader has a vulnerability that allows attackers to execute arbitrary script code in the Web browser of a user whose Garoon RSS reader displays a crafted feed, because of an error in the processing that renders feed contents for display.
Description:
Cybozu Garoon is a Web-based groupware application suite.
Garoon's built-in RSS reader has a vulnerability that allows attackers to inject malicious script code, because of an error in the processing that outputs certain data included in an RSS feed.
If a user is tricked into subscribing to a malicious RSS feed, arbitrary script code could be executed in the user's Web browser when the feed is updated, and sensitive information, including cookies, could be obtained.
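The flaw described above is the classic pattern of feed-supplied text being written into the reader's HTML page without output encoding. The following is an added illustration, not Cybozu's code: it parses a constructed RSS 2.0 feed and renders its items two ways, the unsafe concatenation that lets feed markup reach the browser as live HTML, and the hardened form that escapes every feed field and restricts link schemes. The feed, the function names and the example.invalid host are all assumptions made for this example.

```python
# Added example (not Cybozu's code): render RSS items to HTML with and
# without output encoding, to show why an un-encoded feed field lets a
# hostile feed inject script into the reader's page.
import html
import xml.etree.ElementTree as ET

# Constructed sample feed. The second item carries markup and a non-http
# link that must never reach the browser as live HTML.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example feed</title>
  <item>
    <title>Plain item &amp; safe</title>
    <link>http://example.invalid/1</link>
    <description>Nothing unusual here.</description>
  </item>
  <item>
    <title>Hostile item</title>
    <link>javascript:alert(1)</link>
    <description>&lt;script&gt;alert(1)&lt;/script&gt;hello</description>
  </item>
</channel></rss>"""


def parse_items(feed_xml):
    """Return (title, link, description) tuples from an RSS 2.0 document."""
    root = ET.fromstring(feed_xml)
    return [tuple(item.findtext(tag) or "" for tag in ("title", "link", "description"))
            for item in root.iter("item")]


def render_unsafe(feed_xml):
    """Vulnerable pattern: feed text is concatenated straight into HTML."""
    return "".join(f'<li><a href="{link}">{title}</a>: {desc}</li>'
                   for title, link, desc in parse_items(feed_xml))


def safe_href(link):
    """Allow only http(s) links; anything else becomes an inert '#'."""
    return link if link.lower().startswith(("http://", "https://")) else "#"


def render_safe(feed_xml):
    """Hardened pattern: every feed-supplied string is HTML-escaped before it
    is placed in element content or an attribute, and link schemes are
    restricted to http(s)."""
    return "".join(
        f'<li><a href="{html.escape(safe_href(link))}">{html.escape(title)}</a>: '
        f'{html.escape(desc)}</li>'
        for title, link, desc in parse_items(feed_xml))
```

Escaping at the output point is the fix pattern; escaping once at input time is not enough, because the same feed text is typically rendered in several contexts (element content, attribute values, titles).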
Affected Products and Versions:
Cybozu Garoon 2.0.0 - 2.1.3
Solution:
The vulnerability can be fixed by updating the software to Cybozu Garoon 2.5.0 or later.
Discovered by:
Yoshiki Kawata (LAC)
Thanks to:
This LAC Advisory is released in coordination with Information-technology Promotion Agency, Japan (IPA) and Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).
Disclaimer:
The information contained in this advisory may be revised without prior notice and is provided as is. Users act at their own risk when taking any action after reading this advisory. Little eArth Corporation Co., Ltd. shall not be held responsible for any claims, losses or damages caused by the use of information provided here.
This advisory is available at the following URL:
http://www.lac.co.jp/english/advisory/99_e.html