Sign-up

ID

VAR-200703-0528


CVE

CVE-2007-1504


TITLE

Interstage Application Server cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2007-000218

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes. The Servlet Service for Interstage Business Application and the Servlet Service for Interstage Management Console (may be referred to as "Servlet Service for Interstage Operation Management" in certain versions) included in the Interstage product series from Fujitsu contain a cross-site scripting vulnerability. As of March 19, 2007, Fujitsu has announced workarounds for this issue. For more information, refer to the vendor's website.An arbitrary script may be executed on the user's web browser. iNTERSTAGE Application Server Standard Edition is prone to a cross-site scripting vulnerability. SOLUTION: The vendor recommends setting error pages for both HTTP status codes 404 and 500 (see vendor advisory for details). The vendor is reportedly working on patches. PROVIDED AND/OR DISCOVERED BY: Daiki Fukumori, Secure Sky Technology. ORIGINAL ADVISORY: Fujitsu: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200701.html http://software.fujitsu.com/jp/security/vulnerabilities/jvn-83832818.html OTHER REFERENCES: JVN: http://jvn.jp/jp/JVN%2383832818/index.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 1.98

sources: NVD: CVE-2007-1504 // JVNDB: JVNDB-2007-000218 // BID: 81875 // PACKETSTORM: 55139

AFFECTED PRODUCTS

vendor:fujitsumodel:interstage application serverscope:eqversion:7.0.1

Trust: 1.6

vendor:fujitsumodel:interstage application serverscope:eqversion:8.0.2

Trust: 1.6

vendor:fujitsumodel:interstage application serverscope:eqversion:7.0

Trust: 1.6

vendor:fujitsumodel:interstage apworksscope:eqversion:6.0

Trust: 1.6

vendor:fujitsumodel:interstage application serverscope:eqversion:8.0.0

Trust: 1.6

vendor:fujitsumodel:interstage application serverscope:eqversion:6.0

Trust: 1.0

vendor:fujitsumodel:interstage application serverscope:eqversion:5.0

Trust: 1.0

vendor:fujitsumodel:interstage application serverscope:eqversion:3.0

Trust: 1.0

vendor:fujitsumodel:interstage application serverscope:eqversion:5.0.1

Trust: 1.0

vendor:fujitsumodel:interstage application serverscope:eqversion:4.0

Trust: 1.0

vendor:fujitsumodel:interstage application framework suitescope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage application serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage apworksscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage business application serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage job workload serverscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage security directorscope: - version: -

Trust: 0.8

vendor:fujitsumodel:interstage apworks enterprise editionscope:eqversion:6.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard editionscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard editionscope:eqversion:5.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard editionscope:eqversion:4.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard editionscope:eqversion:3.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:8.0.2

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:8.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:5.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:6.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:5.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:4.0

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprise editionscope:eqversion:3.0

Trust: 0.3

vendor:fujitsumodel:interstage application server standard jscope:eqversion:8.0.2

Trust: 0.3

vendor:fujitsumodel:interstage application server standard jscope:eqversion:8.0.0

Trust: 0.3

vendor:fujitsumodel:interstage application server plusscope:eqversion:7.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server enterprisescope:eqversion:7.0.1

Trust: 0.3

vendor:fujitsumodel:interstage application server plusscope:eqversion:7.0

Trust: 0.3

vendor:fujitsumodel:interstage application server web jscope:eqversion:5.0

Trust: 0.3

vendor:fujitsumodel:interstage application server web jscope:eqversion:4.0

Trust: 0.3

sources: BID: 81875 // JVNDB: JVNDB-2007-000218 // CNNVD: CNNVD-200703-433 // NVD: CVE-2007-1504

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-1504
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2007-000218
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200703-433
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2007-1504
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2007-000218
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

sources: JVNDB: JVNDB-2007-000218 // CNNVD: CNNVD-200703-433 // NVD: CVE-2007-1504

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-1504

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200703-433

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 55139 // CNNVD: CNNVD-200703-433

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-000218

PATCH
title:Cross-site scripting (XSS) vulnerabilities in Interstage Application Serverurl:http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-000218

EXTERNAL IDS
db:NVDid:CVE-2007-1504
Trust: 2.7
db:SECUNIAid:24508
Trust: 2.5
db:BIDid:23020
Trust: 1.9
db:XFid:33099
Trust: 1.7
db:VUPENid:ADV-2007-0996
Trust: 1.6
db:OSVDBid:34276
Trust: 1.6
db:JVNid:JVN83832818
Trust: 0.8
db:JVNDBid:JVNDB-2007-000218
Trust: 0.8
db:JVNid:JVN#83832818
Trust: 0.6
db:CNNVDid:CNNVD-200703-433
Trust: 0.6
db:BIDid:81875
Trust: 0.3
db:PACKETSTORMid:55139
Trust: 0.1
sources:
            
            
            BID: 81875 // 
            
            
            
            JVNDB: JVNDB-2007-000218 // 
            
            
            
            PACKETSTORM: 55139 // 
            
            
            
            CNNVD: CNNVD-200703-433 // 
            
            
            
            NVD: CVE-2007-1504

REFERENCES
url:http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html
Trust: 2.0
url:http://software.fujitsu.com/jp/security/vulnerabilities/jvn-83832818.html
Trust: 2.0
url:http://jvn.jp/jp/jvn%2383832818/index.html
Trust: 2.0
url:http://www.securityfocus.com/bid/23020
Trust: 1.9
url:http://xforce.iss.net/xforce/xfdb/33099
Trust: 1.7
url:http://secunia.com/advisories/24508
Trust: 1.6
url:http://osvdb.org/34276
Trust: 1.6
url:http://www.frsirt.com/english/advisories/2007/0996
Trust: 1.4
url:http://www.vupen.com/english/advisories/2007/0996
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/33099
Trust: 1.0
url:http://secunia.com/advisories/24508/
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1504
Trust: 0.8
url:http://jvn.jp/en/jp/jvn83832818/index.html
Trust: 0.8
url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-1504
Trust: 0.8
url:http://secunia.com/product/13689/
Trust: 0.1
url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/
Trust: 0.1
url:http://secunia.com/product/13693/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/product/13692/
Trust: 0.1
url:http://secunia.com/product/13696/
Trust: 0.1
url:http://secunia.com/product/13695/
Trust: 0.1
url:http://secunia.com/product/13687/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
url:http://secunia.com/product/13688/
Trust: 0.1
url:http://secunia.com/secunia_vacancies/
Trust: 0.1
url:http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200701.html
Trust: 0.1
url:http://secunia.com/product/13685/
Trust: 0.1
url:http://secunia.com/product/13686/
Trust: 0.1
url:http://secunia.com/product/13694/
Trust: 0.1
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/disassembling_og_reversing/
Trust: 0.1
url:http://secunia.com/product/13690/
Trust: 0.1
sources:
            
            
            BID: 81875 // 
            
            
            
            JVNDB: JVNDB-2007-000218 // 
            
            
            
            PACKETSTORM: 55139 // 
            
            
            
            CNNVD: CNNVD-200703-433 // 
            
            
            
            NVD: CVE-2007-1504

CREDITS
Apple
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200703-433

SOURCES
db:BIDid:81875
db:JVNDBid:JVNDB-2007-000218
db:PACKETSTORMid:55139
db:CNNVDid:CNNVD-200703-433
db:NVDid:CVE-2007-1504

LAST UPDATE DATE
2024-08-14T13:07:12.476000+00:00

SOURCES UPDATE DATE
db:BIDid:81875date:2007-03-19T00:00:00
db:JVNDBid:JVNDB-2007-000218date:2008-05-21T00:00:00
db:CNNVDid:CNNVD-200703-433date:2007-03-21T00:00:00
db:NVDid:CVE-2007-1504date:2017-11-21T15:44:56.823

SOURCES RELEASE DATE
db:BIDid:81875date:2007-03-19T00:00:00
db:JVNDBid:JVNDB-2007-000218date:2008-05-21T00:00:00
db:PACKETSTORMid:55139date:2007-03-20T02:46:32
db:CNNVDid:CNNVD-200703-433date:2006-06-01T00:00:00
db:NVDid:CVE-2007-1504date:2007-03-19T22:19:00