5627 matches found
Multiple NTT EAST Home GateWay/Hikari Denwa routers fail to restrict access permissions
Overview Multiple Home GateWay/Hikari Denwa routers provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION fail to restrict access permissions CWE-451. Keishi Awata of logicalmixed reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
IPCOM vulnerable to information disclosure
Overview SSL Accelerator/SSL-VPN Function of IPCOM provided by Fsas Technologies Inc. contains an information disclosure vulnerability due to observable timing discrepancy CWE-208. Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/...
Multiple Safie products vulnerable to improper server certificate verification
Overview Multiple Safie products are vulnerable to improper server certificate verification CWE-295. The product can be operated via port 11029/TCP and Bluetooth, and its communications are AES encrypted. The product user can obtain the encryption key from the cloud server based on the...
SDoP contains a stack-based buffer overflow vulnerability.
Overview SDoP fails to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability CWE-121. Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
ORC vulnerable to stack-based buffer overflow
Overview ORC provided by GStreamer is typically used when developing GStreamer plugins. Stack-based buffer overflow vulnerability CWE-121 exists in orcparse.c of ORC. Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Cleartext transmission issue in TONE store App to TONE store
Overview TONE store App provided by DREAM TRAIN INTERNET INC. contains a cleartext transmission issue to TONE store website CWE-419. Kodai Karakawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
"Piccoma" App uses a hard-coded API key for an external service
Overview "Piccoma" App for Android and "Piccoma" App for iOS provided by Kakao piccoma Corp. use a hard-coded API key for an external service CWE-798. Yoshihito Sakai of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securit...
WordPress plugins "WP Tweet Walls" and "Sola Testimonials" vulnerable to cross-site request forgery
Overview WordPress plugins "WP Tweet Walls" and "Sola Testimonials" provided by Sola Plugins contain a cross-site request forgery vulnerability CWE-352. These vulnerabilities are reported by the following reporters, and JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in ID Link Manager and FUJITSU Software TIME CREATOR
Overview ID Link Manager and FUJITSU Software TIME CREATOR provided by Fsas Technologies Inc. contain multiple vulnerabilities listed below. Path Traversal CWE-36 CVE-2024-33620 Missing Authentication CWE-306 CVE-2024-33622 Information disclosure CWE-204 CVE-2024-34024 Christian Demko of WithSecu...
Denial-of-service (DoS) vulnerability in IPCOM WAF function
Overview WAF function of IPCOM provided by Fsas Technologies Inc. contains a denial-of-service DoS vulnerability CWE-908. Fsas Technologies Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fsas Technologies Inc. coordinated under the...
Redmine DMSF Plugin vulnerable to path traversal
Overview Redmine DMSF Plugin provided by Kontron contains a path traversal vulnerability CWE-22. Tsukuba Secure Network Research Co. Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When the affected...
EC-Orange vulnerable to authorization bypass
Overview EC-Orange provided by S-cubism Inc. is an e-commerce website building system package based on an open source software EC-CUBE. EC-Orange contains an authorization bypass vulnerability CWE-639. This is the same issue as JVN51770585 EC-CUBE vulnerable to authorization bypass. This...
Splunk Config Explorer vulnerable to cross-site scripting
Overview Splunk Config Explorer provided by Chris Younger contains a reflected cross-site scripting vulnerability CWE-79. Taihei Shimamine of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
LINE client for iOS vulnerable to improper server certificate verification
Overview The financial module within LINE client for iOS lacks server certificate verification in log transmission CWE-295, CVE-2023-5554. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact The communication may be eavesdropped under a...
Multiple vulnerabilities in PLANEX COMMUNICATIONS wireless LAN routers
Overview Wireless LAN routers provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below. Active debug code CWE-489 - CVE-2024-30219 Command Injection on certain port CWE-77 - CVE-2024-30220 Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to...
"EasyRange" may insecurely load executable files
Overview "EasyRange" provided by sira.jp according to the original report submitted by the reporter is a tool to extract compressed files. "EasyRange" contains an issue with the executable file search path when displaying an extracted file on Explorer, which may lead to loading an executable file...
TvRock vulnerable to cross-site scripting
Overview TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of unresolved...
WordPress Plugin "easy-popup-show" vulnerable to cross-site request forgery
Overview WordPress Plugin "easy-popup-show" provided by Ari Susanto contains a cross-site request forgery vulnerability CWE-352. Daiki Kojima of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the developer an...
a-blog cms vulnerable to directory traversal
Overview a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a directory traversal vulnerability CWE-22. Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securi...
FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
Overview Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability CWE-352. Junnosuke Kushibiki, Ryu Kuki, Masataka Mizokuchi, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA...
Multiple vulnerabilities in printers and scanners which implement BROTHER Web Based Management
Overview Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2024-21824 Cross-Site Request Forgery CWE-352 - CVE-2024-22475 Hiroki Yasui, Yudai Morii, Takaya...
OpenPNE plugin "opTimelinePlugin" vulnerable to cross-site scripting
Overview OpenPNE plugin "opTimelinePlugin" provided by OpenPNE Project contains a stored cross-site scripting vulnerability CWE-79 in Edit Profile page. Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Reflected cross-site scripting vulnerability in Site search Feature CWE-79 - CVE-2023-44379 Stored cross-site scripting vulnerability in Content Management CWE-79 - CVE-2024-26128 OS command...
Multiple vulnerabilities in ELECOM wireless LAN routers and wireless LAN repeater
Overview Multiple wireless LAN routers and wireless LAN repeater provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2024-21798 Cross-Site Request Forgery CWE-352 - CVE-2024-23910 CVE-2024-21798 Yamaguchi Kakeru of Fujitsu Limited reported...
a-blog cms vulnerable to URL spoofing
Overview a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains an URL spoofing vulnerability CWE-451. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Sharp NEC Display Solutions' public displays vulnerable to local file inclusion
Overview Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain a local file inclusion vulnerability CWE-22, CVE-2023-7077. Tunahan TEKEOÄžLU of Senior Cyber Security Consultant reported this vulnerability to Sharp NEC Display Solutions, Ltd. and coordinated. Sharp NEC...
Incorrect permission assignment vulnerability in Trend Micro uiAirSupport
Overview Trend Micro Incorporated has released a security update for Trend Micro uiAirSupport. Proof-of-concept code PoC for this vulnerability is available on the Internet. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact The...
Cybozu KUNAI for Android vulnerable to denial-of-service (DoS)
Overview Cybozu KUNAI for Android is a client application for using Cybozu products from an Android device. Cybozu KUNAI for Android contains an issue allowing to send massive requests to the connected Cybozu product if a user performs certain operations on KUNAI, which may result in repeated...
File and Directory Permissions Vulnerability in Hitachi Tuning Manager
Overview A File and Directory Permissions Vulnerability CVE-2023-6457 exists in Hitachi Tuning Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Group Office vulnerable to cross-site scripting
Overview Group Office provided by Intermesh BV contains a stored cross-site scripting vulnerability CWE-79. Yoichi Tsuzuki of FFRI Security, Inc. and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Payment EX vulnerable to information disclosure
Overview Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version...
Access analysis CGI An-Analyzer vulnerable to open redirect
Overview Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains an open redirect vulnerability CWE-601. Tomoomi Iwata of Information-technology Promotion Agency, Japan reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in BUFFALO VR-S1000
Overview VR-S1000 provided by BUFFALO INC. contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2023-45741 Argument injection CWE-88 - CVE-2023-46681 Use of hard-coded cryptographic key CWE-321 - CVE-2023-46711 Information disclosure CWE-200 - CVE-2023-51363...
FXC wireless LAN routers "AE1021PE" and "AE1021" vulnerable to OS command injection Critical
Overview "AE1021PE" and "AE1021" provided by FXC Inc. are information outlet-based wireless LAN routers. "AE1021PE" and "AE1021" contain an OS command injection vulnerability CWE-78. JPCERT/CC has confirmed the communication which exploits this vulnerability. Ryu Kuki, Takayuki Sasaki, and...
RakRak Document Plus vulnerable to path traversal
Overview RakRak Document Plus provided by Sumitomo Electric Information Systems Co., Ltd. contains a path traversal vulnerability CWE-22. Asato Masamu of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Redmine vulnerable to cross-site scripting
Overview Redmine contains a cross-site scripting vulnerability CWE-79 due to improper character string processing. Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
OSS Calendar vulnerable to SQL injection
Overview OSS Calendar provided by Thinkingreed Inc. contains an SQL injection vulnerability CWE-89. Shogo Iyota of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2023-29009 Reflected cross-site scripting vulnerability CWE-79 - CVE-2023-43647 Directory traversal vulnerability CWE-22 - CVE-2023-43648...
Movable Type vulnerable to cross-site scripting
Overview Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability CWE-79. Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning...
Improper restriction of XML external entity references (XXE) in Proself
Overview Proself provided by North Grid Corporation improperly restricts XML external entity references XXE CWE-611. The developer states that attacks exploiting this vulnerability have been observed. North Grid Corporation reported this vulnerability to JPCERT/CC to notify users of its solution...
DoS Vulnerability in Hitachi Ops Center Common Services
Overview A DoS vulnerability CVE-2023-3967 exists in Hitachi Ops Center Common Services. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Trend Micro Endpoint security products for enterprises vulnerable to arbitrary code execution
Overview Trend Micro Endpoint security products for enterprises provided by Trend Micro Incorporated contain an arbitrary code execution vulnerability CWE-94, CVE-2023-41179 in 3rd Party AV Uninstaller Module. Trend Micro Incorporated states that an attack exploiting this vulnerability has been...
Pyramid vulnerable to directory traversal
Overview Pyramid provided by Pylons Project contains a directory traversal vulnerability. Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact index.html located one directory abov...
"direct" Desktop App for macOS fails to restrict access permissions
Overview "direct" Desktop App for macOS provided by L is B Corp. fails to restrict access permissions CWE-284. The access control mechanism provided by macOS "TCC Transparency Consent and Control" may be bypassed. Koh M. Nakagawa of FFRI Security, Inc. reported this vulnerability to IPA. JPCERT/C...
SYNCK GRAPHICA Mailform Pro CGI vulnerable to Regular expression Denial-of-Service (ReDoS)
Overview Mailform Pro CGI provided by SYNCK GRAPHICA contains a Regular expression Denial-of-Service ReDoS vulnerability CWE-1333, CVE-2023-40599. This vulnerability is a similar issue as CVE-2023-32610 published on JVN on June 20, 2023, and was newly discovered in several Add-ons listed above...
Rakuten WiFi Pocket vulnerable to improper authentication
Overview Rakuten WiFi Pocket provided by Rakuten Mobile, Inc. is a mobile router. Management Screen of Rakuten WiFi Pocket contains an improper authentication vulnerability CWE-287. Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA...
Multiple vulnerabilities in CBC digital video recorders
Overview Digital video recorders provided by CBC Co.,Ltd. contain multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2023-38585 OS command injection CWE-78 - CVE-2023-40144 Hidden functionality CWE-912 - CVE-2023-40158 Yoshiki Mori, Ushimaru Hayato, Hiromu Kubiura and...
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting
Overview WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability CWE-79. Ryotaro Imamura of SB Technology Corp. and Satoo Nakano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in Proself
Overview Proself provided by North Grid Corporation is an online storage server software. Proself contains multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2023-39415 OS command injection CWE-78 - CVE-2023-39416 The developer states that attacks exploiting these...
"FFRI yarai" and "FFRI yarai Home and Business Edition" handle exceptional conditions improperly
Overview "FFRI yarai" and "FFRI yarai Home and Business Edition" provided by FFRI Security, Inc. handle exceptional conditions improperly CWE-703. When the product's Windows Defender management feature is enabled, and Microsoft Defender detects some files matching specific conditions as a threat,...