5617 matches found
JVN#16933564: LINE MUSIC for Android fails to verify SSL server certificates
LINE MUSIC for Android provided by LINE MUSIC CORPORATION fails to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information...
JVN#96551318: Mail app for iOS vulnerable to denial-of-service (DoS)
Mail app for iOS provided by Apple contains a denial-of-service (DoS) vulnerability due to an issue in the handling of a maliciously crafted S/MIME signed message. Impact Mail app may continuously crash when a maliciously crafted S/MIME signed message is listed on it. Solution Update iOS Update iOS...
JVN#60702986: BlueStacks App Player fails to restrict access permissions
BlueStacks App Player fails to restrict access permissions CWE-284. Impact A user with access to the network that is connected to the affected product may gain unauthorized access. Solution Update the Software Windows users should update to the latest version of software according to the...
JVN#84825660: Multiple vulnerabilities in Aterm HC100RC
Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H...
JVN#58005743: Web Isolation vulnerable to cross-site scripting
Web Isolation provided by Symantec Corporation contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the...
JVN#14323043: Metabase vulnerable to cross-site scripting
Metabase provided by Metabase, Inc. contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#21528670: SecureCore Standard Edition vulnerable to authentication bypass
SecureCore Standard Edition provided by Feitian Japan Co., Ltd. contains an authentication bypass vulnerability CWE-287. Impact An attacker may bypass the product's authentication and log in to a Windows PC. Solution Update the Software Update the software to the latest version according to the...
JVN#37376131: Multiple vulnerabilities in ORCA(Online Receipt Computer Advantage)
ORCA(Online Receipt Computer Advantage) provided by ORCA Management Organization Co., Ltd contains vulnerabilities listed below. OS command injection CWE-78 - CVE-2018-0643 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L| Base Score: 4.1 CVSS v2|...
JVN#75738023: WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the...
JVN#26629618: Multiple vulnerabilities in Aterm W300P
Aterm W300P provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8 CVSS v2|...
JVN#36343375: Multiple vulnerabilities in YukiWiki
YukiWiki is a Wiki engine. YukiWiki contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2018-0699 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 Processing...
JVN#95355683: Multiple vulnerabilities in FileZen
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface. FileZen contains multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2018-0693 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#18716340: Multiple cross-site scripting vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in the UserGroup Management section of admin page CWE-79 - CVE-2018-0652 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#06813756: DLL planting vulnerability in multiple Yayoi 17 Series products
Multiple Yayoi 17 Series products provided by Yayoi Co., Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the running application. Solution Update the Software Apply the...
JVN#02037158: AttacheCase vulnerable to arbitrary script execution
AttacheCase is an open source file encryption software provided by HiBARA Software. If a setting file AtcCase.ini is specially crafted and it resides in the same folder where ATC file resides, it is leveraged to execute an arbitrary script when ATC file is decrypted. Impact A remote unauthenticat...
JVN#59394343: Multiple vulnerabilities in OpenDolphin
OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below. Privilege escalation - CVE-2018-16161 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 8.8 CVSS v2| AV:N/AC:L/AU:S/C:P/I:P/A:P| Base...
JVN#37288228: +Message App fails to verify SSL server certificates
+Message App fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the developer. Products Affected SoftBank...
JVN#15709478: The installer of Windows10 Fall Creators Update Modify module for Security Measures tool may insecurely load Dynamic Link Libraries
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be execut...
JVN#73794686: User-friendly SVN vulnerable to cross-site scripting
User-friendly SVN provided by USVN Team contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#83701666: Multiple vulnerabilities in multiple I-O DATA network camera products
Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below. Permissions, Privileges, and Access Controls CWE-264 - CVE-2018-0661 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L| Base Score: 6.3 CVSS v2|...
JVN#62121133: Multiple directory traversal vulnerabilities in AttacheCase
AttacheCase is an open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability CWE-22 due to a flaw in processing filenames in ATC files. Impact Decrypting a crafted ATC file may result in creation of an arbitrary file or overwriting o...
JVN#00344155: Multiple vulnerabilities in Denbun
Denbun provided by NEOJAPAN Inc. is a WebMail System. Denbun contains multiple vulnerabilities listed below. Hard-coded credentials for user account CWE-798 - CVE-2018-0680 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2|...
JVN#70246549: WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting
The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update the plugin according to the information provided by the developer...
JVN#63556416: QNAP Photo Station vulnerable to cross-site scripting
Photo Station provided by QNAP Systems, Inc. contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#69967692: Multiple script injection vulnerabilities in multiple Yamaha network devices
The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities CWE-74. Impact In the case where multiple administrators manage an affected device, an administrator with malicious intent may embed an arbitrary script into the...
JVN#14451678: NoMachine App for Android vulnerable to environment variables alteration
NoMachine App for Android contains an information alteration vulnerability. Impact A remote attacker may alter environment variables of the NoMachine App. As a result, arbitrary code may be executed. Solution Update the Software Update to the latest version of software according to the information...
JVN#39171169: Installer of ChatWork Desktop App for Windows may insecurely load Dynamic Link Libraries
Installer of ChatWork Desktop App for Windows provided by ChatWork Co,. LTD. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use t...
JVN#59624986: Multiple vulnerabilities in INplc
INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. DLL preloading vulnerability CWE-427 - CVE-2018-0667 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H| Base Score: 7.8 CVSS v2| AV:N/AC:M/AU:N/C:P/I:P/A:P| Base Score...
JVN#06372244: Multiple vulnerabilities in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE
EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service), which are additional modules for EC-CUBE, provided by GMO Payment Gateway, Inc. contain multiple vulnerabilities listed below. Cross-site scripting vulnerability in the management screen CWE-79 - CVE-2018-0657 Version|...
JVN#41452671: The installers of multiple Canon IT Solutions Inc. software programs may insecurely load Dynamic Link Libraries
The installers of multiple software programs provided by Canon IT Solutions Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Us...
JVN#00401783: Multiple OS command injection vulnerabilities in Aterm WG1200HP
Aterm WG1200HP provided by NEC Corporation contains multiple OS command injection vulnerabilities CWE-78. Impact A user who can access the product with administrative privileges may execute an arbitrary OS command. Solution Update the Firmware Apply the latest firmware update according to the...
JVN#36623716: Music Center for PC improperly verifies software update files
Music Center for PC provided by Sony Video & Sound Products Inc. contains an issue in software update process CWE-669. As a result, under a man-in-the-middle attack, a specially crafted executable file may be downloaded and executed. Impact Under a man-in-the-middle attack, a specially crafted fi...
JVN#37943805: Confluence Server vulnerable to script injection
User Macros of Confluence Server provided by Atlassian Pty Ltd. contains a script injection vulnerability CWE-74. Impact When the administrator embeds a malicious script into User Macros, the embedded script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#12583112: Cybozu Garoon vulnerable to directory traversal
Cybozu Garoon provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing of the session information. Impact A user who can log in to the product may obtain or alter arbitrary files on the server. Solution Apply the Patch Apply the patch according to th...
JVN#85760090: Multiple vulnerabilities in WordPress plugin "LearnPress"
WordPress LMS plugin "LearnPress" contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2018-16173 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base Score: 2.6 Open...
JVN#89550319: Movable Type vulnerable to cross-site scripting
Movable Type provided by Six Apart, Ltd. is a content management system. Movable Type contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information...
JVN#71329812: WL-330NUL vulnerable to cross-site request forgery
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in to the management screen, unintended operations may be performed on the device. Solution Update the...
JVN#55813866: Explzh vulnerable to directory traversal
Explzh is a file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability CWE-22. Explzh is not vulnerable to relative path traversal but to absolute path traversal. Therefore, an attacker may create new files or overwrite existing file...
JVN#68528150: Multiple FXC network devices vulnerable to cross-site scripting
Multiple network devices provided by FXC Inc. contain a stored cross-site scripting vulnerability CWE-79. Impact If an attacker with administrative rights logs in to the Management GUI and embeds a specially crafted script, then that script may be executed on another administrator's web browser...
JVN#77885134: The installer of Baidu Browser may insecurely load Dynamic Link Libraries
Baidu Browser provided by Baidu, Inc. is a Web browser. The installer of Baidu Browser contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer...
JVN#62423700: Movable Type plugin MTAppjQuery vulnerable to PHP code execution
MTAppjQuery provided by bit part LLC is a plugin for Movable Type. An older version of the PHP library Uploadify is incorporated in MTAppjQuery v1.8.1 and earlier versions, and the older versions of Uploadify contain an unrestricted upload of arbitrary file vulnerability CWE-434, which may lead to arbitrary PHP code...
JVN#49995005: OpenAM (Open Source Edition) vulnerable to session management
OpenAM (Open Source Edition) contains a vulnerability in session management. Impact A user who can log in to the product may change the security questions and reset the login password. Solution Apply the Patch Patch for this vulnerability has been released by OpenAM Consortium. Apply the patch...
JVN#75700242: The installer of Digital Paper App may insecurely load Dynamic Link Libraries
Digital Paper App provided by Sony Corporation is document management software exclusively for Sony Digital Paper. The installer of Digital Paper App contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be...
JVN#52574492: The installers of multiple Logicool software programs may insecurely load Dynamic Link Libraries
The installers of multiple software programs provided by Logicool Co. Ltd contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the...
JVN#77409513: DHC Online Shop App for Android fails to verify SSL server certificates
DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provid...
JVN#84967039: Installer of Glary Utilities may insecurely load Dynamic Link Libraries
Installer of Glary Utilities provided by Glarysoft Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installer U...
JVN#83739174: Cybozu Mailwise vulnerable to directory traversal
Cybozu Mailwise provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Impact A remote attacker may delete arbitrary files on the server. Solution Update the Software Update to the latest version according to the...
JVN#15232217: Multiple directory traversal vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple directory traversal vulnerabilities below. Directory traversal vulnerability due to a flaw in processing parameter of the HTTP request CWE-22 - CVE-2018-0703 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#16697622: Cybozu Dezie vulnerable to directory traversal
Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Impact A remote attacker may delete arbitrary files on the server. Solution Update the Software Update to the latest version according to the...
JVN#43172719: Multiple vulnerabilities in Hikari Denwa router/Home GateWay
Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5985 Version| Vector| Score ---|---|--- CVSS v3|...