PT-2014-76: Cross-Site Scripting in Kasseler CMS
The specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in Kasseler CMS. Cross-site scripting in the engine.php page allows remote attackers to inject arbitrary HTML tags, including JavaScript, into a page processed by the user's browser. How to fi...
PT-2013-76: Local File Inclusion in LiveStreet CMS
The specialists of the Positive Research center have detected a Local File Inclusion vulnerability in LiveStreet CMS. Insufficient validation of user input in the install\index.php script allows remote attackers to include files located on the attacked server and thus execute PHP code. It may...
PT-2016-35: XML External Entity Injection in Liebert SiteScan
The specialists of the Positive Research center have detected an XML External Entity Injection vulnerability in Liebert SiteScan. The vulnerability in Liebert SiteScan allows attackers to obtain sensitive information via a specially crafted XML request. How to fix Update your software to the lates...
MGASA-2013-0288 Updated glpi package fixes security vulnerabilities
Multiple security vulnerabilities due to improper sanitization of user input in GLPI before versions 0.83.9 (CVE-2013-2226), 0.83.91 (CVE-2013-2225), and 0.84.2 (CVE-2013-5696). This update provides GLPI version 0.83.91, with a patch from GLPI 0.84.2, to fix these issues...
PT-2013-65: Sensitive Information Disclosure in Jetty
The specialists of the Positive Research center have detected a Sensitive Information Disclosure vulnerability in Jetty on Windows. The system does not consider that NTFS allows users to address files with extended syntax, while matching the requested resource URL with locations defined in web...
Yafuoku! contains an issue where it fails to verify SSL server certificates
Overview Yafuoku! provided by Yahoo Japan Corporation contains an issue where it fails to verify SSL server certificates. Zachary Mathis of Proactive Defense Kobe Digital Labo reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
PT-2013-47: Directory Traversal in Oracle Containers for J2EE
The specialists of the Positive Research center have detected a Directory Traversal vulnerability in Oracle Containers for J2EE when running on Windows. Oracle Containers for J2EE does not properly handle a Request-URI sent by the client. An attacker can access an arbitrary script outside of th...
PT-2013-49: Null Byte Injection in Oracle Containers for J2EE
The specialists of the Positive Research center have detected a Null Byte Injection vulnerability in Oracle Containers for J2EE. Oracle Containers for J2EE does not properly handle a null byte in the path when transferring a request to another static page or a JSP script via pageContext.forward o...
Pizza Hut Japan Official Order App for Android contains an issue where it fails to verify SSL server certificates
Overview Pizza Hut Japan Official Order App for Android contains an issue where it fails to verify SSL server certificates. Shunsuke Taniguchi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
Sleipnir for Windows vulnerable to address bar spoofing
Overview Sleipnir for Windows contains an issue in displaying colors and the padlock icon on the address bar, which may result in the address bar being spoofed. Keita Haga of keitahaga.com reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
ArtIME Japanese Input vulnerable to information disclosure
Overview ArtIME Japanese Input contains an issue in the access permissions for certain files. ArtIME Japanese Input is a Japanese Input Method Editor (IME) for Android devices. ArtIME Japanese Input contains an issue in the access permissions for certain files. Gaku Mochizuki of Mitsui Buss...
NEC Universal RAID Utility fails to restrict access permissions
Overview NEC Universal RAID Utility contains an issue where access permissions are not restricted. NEC Universal RAID Utility is software for managing a RAID controller. NEC Universal RAID Utility contains an issue where access permissions are not restricted. SAKURA Internet Inc. reported this...
Chinese Government targets Uyghur group by malware attack
An old vulnerability in Word for OS X is being used in an increasing number of attacks, probably by government-sponsored hacking programs, against the Uyghur group as well as Tibetans, NGOs and human rights organizations. A number of attacks have been seen directed at the World Uyghur Congress, a Munich-bas...
JVN#91387819: mora Downloader may insecurely load executable files
mora Downloader contains an issue in the file search path when loading files, which may insecurely load executables or other files. Impact An attacker may execute arbitrary code with the privilege of the running application. Solution Update the software Update to the latest version according to t...
PT-2013-11: XML External Entities Injection in Oracle Siebel CRM
The specialists of the Positive Research center have detected an XML External Entities Injection vulnerability in Oracle Siebel CRM. The vulnerability can be triggered during import of XML files in Siebel CRM. An attacker is able to read an arbitrary file on the target system. How to fix Update your...
Weathernews Touch for Android stores location information in the system log file
Overview Weathernews Touch for Android contains a vulnerability that stores location information in the system log file. Weathernews Touch provided by Weathernews Inc. is a weather forecast application. Weathernews Touch for Android contains a vulnerability that stores location information in the...
JVN#52197991: Documents Pro (formerly Files HD) vulnerable to directory traversal
Documents Pro provided by Olive Toast Software Ltd. is a document viewer for iOS devices. Documents Pro contains a directory traversal vulnerability. Impact A guest user may view, delete or perform other actions on files that they do not have privileges to access. Solution Update the software Update to...
Loctouch for Android information management vulnerability
Overview Loctouch for Android contains an information management vulnerability. Loctouch provided by NHN Japan is an application that logs location information. Loctouch for Android contains an information management vulnerability. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported...
KENT-WEB ACCESS REPORT vulnerable to cross-site scripting
Overview ACCESS REPORT provided by KENT-WEB contains a cross-site scripting vulnerability. ACCESS REPORT provided by KENT-WEB is software for analyzing web access logs. ACCESS REPORT contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded int...
PT-2013-36: XML External Entity Injection in Wonderware Win-XML Exporter
Positive Research Center experts have discovered an "XML External Entity Injection" vulnerability in Wonderware Win-XML Exporter. If an attacker manages to make a victim open a project that contains specially crafted XML, Wonderware Win-XML Exporter will automatically send the contents of local or...