製品・ソフトウェアに関する情報

JVN脆弱性詳細

InterWorx-CP Server Admin Level におけるクロスサイトスクリプティングの脆弱性

Title	InterWorx-CP Server Admin Level におけるクロスサイトスクリプティングの脆弱性
Summary	InterWorx Hosting Control Panel (InterWorx-CP) Server Admin Level (NodeWorx) には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、(1) index.php への PATH_INFO を介して、任意の Web スクリプトまたは HTML を挿入される、およびリモート認証されたユーザにより、以下への PATH_INFO を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。 (2) nodeworx.php (3) users.php (4) lang.php (5) themes.php (6) setup.php (7) siteworx.php (8) packages.php (9) backup.php (10) import.php (11) scriptworx.php (12) resellers.php (13) reseller-packages.php (14) http.php (15) mail.php (16) ftp.php (17) mysql.php (18) sshd.php (19) nfs.php (20) cron.php (21) ip.php (22) firewall.php (23) updates.php (24) rrd.php (25) cluster.php
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 28, 2007, midnight
Registration Date	Sept. 25, 2012, 4:59 p.m.
Last Update	Sept. 25, 2012, 4:59 p.m.

Affected System

InterWorx

interworx-cp 3.0.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2007-4588	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4588
National Vulnerability Database (NVD)
2	CVE-2007-4588	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4588

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
InterWorx
1	Top Page	http://www.interworx.com/

Change Log

No	Changed Details	Date of change
0	[2012年09月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2007-4588

Summary	Multiple cross-site scripting (XSS) vulnerabilities in InterWorx Hosting Control Panel (InterWorx-CP) Server Admin Level (NodeWorx) 3.0.2 (1) allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php; and allow remote authenticated users to inject arbitrary web script or HTML via the PATH_INFO to (2) nodeworx.php, (3) users.php, (4) lang.php, (5) themes.php, (6) setup.php, (7) siteworx.php, (8) packages.php, (9) backup.php, (10) import.php, (11) scriptworx.php, (12) resellers.php, (13) reseller-packages.php, (14) http.php, (15) mail.php, (16) ftp.php, (17) mysql.php, (18) sshd.php, (19) nfs.php, (20) cron.php, (21) ip.php, (22) firewall.php, (23) updates.php, (24) rrd.php, or (25) cluster.php.
Publication Date	Aug. 29, 2007, 10:17 a.m.
Registration Date	Jan. 29, 2021, 2:19 p.m.
Last Update	Oct. 16, 2018, 6:36 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:interworx:web_control_panel:3.0.2:::::::*

Related information, measures and tools

No	URL	refsource
1	http://interworx.com/forums/showthread.php?t=2501	CONFIRM
2	http://osvdb.org/36739	OSVDB
3	http://osvdb.org/36740	OSVDB
4	http://osvdb.org/36742	OSVDB
5	http://osvdb.org/36743	OSVDB
6	http://osvdb.org/36744	OSVDB
7	http://osvdb.org/36745	OSVDB
8	http://osvdb.org/36746	OSVDB
9	http://osvdb.org/36747	OSVDB
10	http://osvdb.org/36748	OSVDB
11	http://osvdb.org/36749	OSVDB
12	http://osvdb.org/36750	OSVDB
13	http://osvdb.org/36751	OSVDB
14	http://osvdb.org/36752	OSVDB
15	http://osvdb.org/36753	OSVDB
16	http://osvdb.org/36755	OSVDB
17	http://osvdb.org/36756	OSVDB
18	http://osvdb.org/36757	OSVDB
19	http://osvdb.org/36758	OSVDB
20	http://osvdb.org/36759	OSVDB
21	http://osvdb.org/36761	OSVDB
22	http://osvdb.org/36762	OSVDB
23	http://osvdb.org/36763	OSVDB
24	http://osvdb.org/36764	OSVDB
25	http://osvdb.org/36765	OSVDB
26	http://osvdb.org/36766	OSVDB
27	http://secunia.com/advisories/26586	SECUNIA
28	http://securityreason.com/securityalert/3070	SREASON
29	http://www.hackerscenter.com/archive/view.asp?id=27884	MISC
30	http://www.securityfocus.com/archive/1/477848/100/0/threaded	BUGTRAQ
31	http://www.securityfocus.com/bid/25451	BID
32	https://exchange.xforce.ibmcloud.com/vulnerabilities/36297	XF
33	https://exchange.xforce.ibmcloud.com/vulnerabilities/36301	XF

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html