ID

VAR-200703-0528


CVE

CVE-2007-1504


TITLE

Interstage Application Server cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2007-000218

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes.

The Servlet Service for Interstage Business Application and the Servlet Service for Interstage Management Console (referred to as "Servlet Service for Interstage Operation Management" in certain versions) included in the Interstage product series from Fujitsu contain a cross-site scripting vulnerability. As of March 19, 2007, Fujitsu has announced workarounds for this issue. For more information, refer to the vendor's website. An arbitrary script may be executed in the user's web browser.

Interstage Application Server Standard Edition is prone to a cross-site scripting vulnerability.

SOLUTION: The vendor recommends setting error pages for both HTTP status codes 404 and 500 (see the vendor advisory for details). The vendor is reportedly working on patches.

PROVIDED AND/OR DISCOVERED BY: Daiki Fukumori, Secure Sky Technology.

ORIGINAL ADVISORY:
Fujitsu:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html
http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200701.html
http://software.fujitsu.com/jp/security/vulnerabilities/jvn-83832818.html

OTHER REFERENCES:
JVN:
http://jvn.jp/jp/JVN%2383832818/index.html

About: This advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Trust: 1.98

sources: NVD: CVE-2007-1504 // JVNDB: JVNDB-2007-000218 // BID: 81875 // PACKETSTORM: 55139

AFFECTED PRODUCTS

vendor: fujitsu // model: interstage application server // scope: eq // version: 7.0.1

Trust: 1.6

vendor: fujitsu // model: interstage application server // scope: eq // version: 8.0.2

Trust: 1.6

vendor: fujitsu // model: interstage application server // scope: eq // version: 7.0

Trust: 1.6

vendor: fujitsu // model: interstage apworks // scope: eq // version: 6.0

Trust: 1.6

vendor: fujitsu // model: interstage application server // scope: eq // version: 8.0.0

Trust: 1.6

vendor: fujitsu // model: interstage application server // scope: eq // version: 6.0

Trust: 1.0

vendor: fujitsu // model: interstage application server // scope: eq // version: 5.0

Trust: 1.0

vendor: fujitsu // model: interstage application server // scope: eq // version: 3.0

Trust: 1.0

vendor: fujitsu // model: interstage application server // scope: eq // version: 5.0.1

Trust: 1.0

vendor: fujitsu // model: interstage application server // scope: eq // version: 4.0

Trust: 1.0

vendor: fujitsu // model: interstage application framework suite // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage application server // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage apworks // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage business application server // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage job workload server // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage security director // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage apworks enterprise edition // scope: eq // version: 6.0

Trust: 0.3

vendor: fujitsu // model: interstage application server standard edition // scope: eq // version: 7.0

Trust: 0.3

vendor: fujitsu // model: interstage application server standard edition // scope: eq // version: 5.0

Trust: 0.3

vendor: fujitsu // model: interstage application server standard edition // scope: eq // version: 4.0

Trust: 0.3

vendor: fujitsu // model: interstage application server standard edition // scope: eq // version: 3.0

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 8.0.2

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 8.0

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 5.0.1

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 7.0

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 6.0

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 5.0

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 4.0

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise edition // scope: eq // version: 3.0

Trust: 0.3

vendor: fujitsu // model: interstage application server standard j // scope: eq // version: 8.0.2

Trust: 0.3

vendor: fujitsu // model: interstage application server standard j // scope: eq // version: 8.0.0

Trust: 0.3

vendor: fujitsu // model: interstage application server plus // scope: eq // version: 7.0.1

Trust: 0.3

vendor: fujitsu // model: interstage application server enterprise // scope: eq // version: 7.0.1

Trust: 0.3

vendor: fujitsu // model: interstage application server plus // scope: eq // version: 7.0

Trust: 0.3

vendor: fujitsu // model: interstage application server web j // scope: eq // version: 5.0

Trust: 0.3

vendor: fujitsu // model: interstage application server web j // scope: eq // version: 4.0

Trust: 0.3

sources: BID: 81875 // JVNDB: JVNDB-2007-000218 // CNNVD: CNNVD-200703-433 // NVD: CVE-2007-1504

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-1504
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2007-000218
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200703-433
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2007-1504
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2007-000218
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

sources: JVNDB: JVNDB-2007-000218 // CNNVD: CNNVD-200703-433 // NVD: CVE-2007-1504

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-1504

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200703-433

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 55139 // CNNVD: CNNVD-200703-433

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-000218

PATCH

title: Cross-site scripting (XSS) vulnerabilities in Interstage Application Server // url: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-000218

EXTERNAL IDS

db: NVD // id: CVE-2007-1504

Trust: 2.7

db: SECUNIA // id: 24508

Trust: 2.5

db: BID // id: 23020

Trust: 1.9

db: XF // id: 33099

Trust: 1.7

db: VUPEN // id: ADV-2007-0996

Trust: 1.6

db: OSVDB // id: 34276

Trust: 1.6

db: JVN // id: JVN83832818

Trust: 0.8

db: JVNDB // id: JVNDB-2007-000218

Trust: 0.8

db: JVN // id: JVN#83832818

Trust: 0.6

db: CNNVD // id: CNNVD-200703-433

Trust: 0.6

db: BID // id: 81875

Trust: 0.3

db: PACKETSTORM // id: 55139

Trust: 0.1

sources: BID: 81875 // JVNDB: JVNDB-2007-000218 // PACKETSTORM: 55139 // CNNVD: CNNVD-200703-433 // NVD: CVE-2007-1504

REFERENCES

url:http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html

Trust: 2.0

url:http://software.fujitsu.com/jp/security/vulnerabilities/jvn-83832818.html

Trust: 2.0

url:http://jvn.jp/jp/jvn%2383832818/index.html

Trust: 2.0

url:http://www.securityfocus.com/bid/23020

Trust: 1.9

url:http://xforce.iss.net/xforce/xfdb/33099

Trust: 1.7

url:http://secunia.com/advisories/24508

Trust: 1.6

url:http://osvdb.org/34276

Trust: 1.6

url:http://www.frsirt.com/english/advisories/2007/0996

Trust: 1.4

url:http://www.vupen.com/english/advisories/2007/0996

Trust: 1.0

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/33099

Trust: 1.0

url:http://secunia.com/advisories/24508/

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-1504

Trust: 0.8

url:http://jvn.jp/en/jp/jvn83832818/index.html

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-1504

Trust: 0.8

url:http://secunia.com/product/13689/

Trust: 0.1

url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/

Trust: 0.1

url:http://secunia.com/product/13693/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/product/13692/

Trust: 0.1

url:http://secunia.com/product/13696/

Trust: 0.1

url:http://secunia.com/product/13695/

Trust: 0.1

url:http://secunia.com/product/13687/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/13688/

Trust: 0.1

url:http://secunia.com/secunia_vacancies/

Trust: 0.1

url:http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200701.html

Trust: 0.1

url:http://secunia.com/product/13685/

Trust: 0.1

url:http://secunia.com/product/13686/

Trust: 0.1

url:http://secunia.com/product/13694/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/disassembling_og_reversing/

Trust: 0.1

url:http://secunia.com/product/13690/

Trust: 0.1

sources: BID: 81875 // JVNDB: JVNDB-2007-000218 // PACKETSTORM: 55139 // CNNVD: CNNVD-200703-433 // NVD: CVE-2007-1504

CREDITS

Apple

Trust: 0.6

sources: CNNVD: CNNVD-200703-433

SOURCES

db: BID // id: 81875
db: JVNDB // id: JVNDB-2007-000218
db: PACKETSTORM // id: 55139
db: CNNVD // id: CNNVD-200703-433
db: NVD // id: CVE-2007-1504

LAST UPDATE DATE

2024-08-14T13:07:12.476000+00:00
SOURCES UPDATE DATE

db: BID // id: 81875 // date: 2007-03-19T00:00:00
db: JVNDB // id: JVNDB-2007-000218 // date: 2008-05-21T00:00:00
db: CNNVD // id: CNNVD-200703-433 // date: 2007-03-21T00:00:00
db: NVD // id: CVE-2007-1504 // date: 2017-11-21T15:44:56.823

SOURCES RELEASE DATE

db: BID // id: 81875 // date: 2007-03-19T00:00:00
db: JVNDB // id: JVNDB-2007-000218 // date: 2008-05-21T00:00:00
db: PACKETSTORM // id: 55139 // date: 2007-03-20T02:46:32
db: CNNVD // id: CNNVD-200703-433 // date: 2006-06-01T00:00:00
db: NVD // id: CVE-2007-1504 // date: 2007-03-19T22:19:00