5625 matches found
JVN#80006084: Web Kyukincho vulnerable to cross-site scripting
Web Kyukincho provided by Intercom, Inc. is a software that digitizes and distributes a pay statement and others. Web Kyukincho contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed in the user's web browser. Solution Update the Software Update to the latest...
JVN#04288738: Active! mail vulnerable to information disclosure
Active! mail provided by TransWARE is a webmail software. Active! mail contains an information disclosure vulnerability. Impact If the "external public interface" is enabled, an attacker who can log into the server may obtain users credentials. Solution Restrict log-in to the server Allow...
JVN#23563149: KENT-WEB ACCESS REPORT vulnerable to cross-site scripting
ACCESS REPORT provided by KENT-WEB is a software to analyze web access logs. ACCESS REPORT contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page. Note that this vulnerability is different from JVN68830017. Impact An...
JVN#56373673: myLittleAdmin for SQL Server 2000 vulnerable to arbitrary script execution
myLittleAdmin for SQL server 2000 from myLittleTools is a web-based database management software.The management screen in myLittleAdmin for SQL server 2000 contains a vulnerability that may allow arbitrary script execution. Impact When a user accesses a malicious database entry through the...
JVN#21422837: Roundcube Webmail vulnerable to cross-site scripting
Roundcube Webmail is an open source webmail client from the Roundcube Webmail Project. Roundcube Webmail contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's Internet Explorer when viewing a specially crafted image file. Solution Update the...
JVN#07414354: DAEMON Tools vulnerable to denial-of-service
DAEMON Tools is a software for optical media emulation. DAEMON Tools contains a denial-of-service DoS vulnerability. Impact An attacker that can login to the system with the software running may cause the system to crash. Solution Update the Software Update to the latest version according to the...
JVN#81667751 Directory traversal vulnerability in WebLogic Server and WebLogic Express plug-ins
WebLogic Server and WebLogic Express are application servers based on Java Platform Enterprise Edition 5 JavaEE5 and provided by Oracle formerly BEA Systems, Inc.. Plug-ins for Apache, Sun, and Microsoft IIS web servers which are included in WebLogic Server and WebLogic Express contain a director...
JVN#88676089 Safari installed in iPod touch and iPhone vulnerable in handling server certificates
Safari is a web browser provided by Apple. Safari installed in iPod touch and iPhone accepts a self-signed or invalid server cerficate without the user's explicit concent when connecting via SSL/TLS. According to Apple, "When Safari accesses a website that uses a self-signed or invalid certificat...
MTCMS WYSIWYG Editor cross-site scripting vulnerability
Overview MTCMS WYSIWYG Editor, weblog management software from SKYARC System, contains a cross-site scripting vulnerability. MTCMS WYSIWYG Editor from SKYARC System is management software used to update Movable Type contents, etc. The install.cgi in MTCMS WYSIWYG Editor contains a cross-site...
JVN#48566866 ColdFusion error page cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected ColdFusion MX 6.X ColdFusion MX 7.X For more information, refer to the vendor's website...
JVN#78113802: Multiple vulnerabilities in F-RevoCRM
F-RevoCRM provided by Thinkingreed Inc. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-41149 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2| AV:N/AC:L/Au:N/C:P/I:P/A:P| Base Score: 7.5...
JVN#04876736: Multiple vulnerabilities in LuxCal Web Calendar
LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2023-39543 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 SQL...
JVN#57073973: "JustSystems JUST Online Update for J-License" starts a program with an unquoted file path
"JustSystems JUST Online Update for J-License" is bundled with multiple products for corporate users provided by JustSystems Corporation, as in Ichitaro through Pro5 and others, and it is registered as a Windows service. "JustSystems JUST Online Update for J-License" starts another program with a...
JVN#27256219: RevoWorks incomplete filtering of MS Office v4 macros
RevoWorks SCVX, RevoWorks Browser and RevoWorks Desktop provided by J's Communication Co., Ltd. enables users to execute web browsers, accessing drives, folders, files and registries in a sandboxed environment. Users can download files from the internet to the sandboxed environment, sanitizing...
JVN#49047921: Jimoty App for Android uses a hard-coded API key for an external service
Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service CWE-798. Impact API key for an external service may be obtained by analyzing data in the app. Note that a user is not directly affected by this vulnerability. Solution Update the Application Update t...
JVN#85492429: WordPress Plugin "Push Notifications for WordPress (Lite)" vulnerable to cross-site request forgery
WordPress Plugin "Push Notifications for WordPress Lite" provided by Delite Studio contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the...
JVN#49465877: Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) vulnerable to improper handling of Intent
Android App "Mercari Merpay - Marketplace and Mobile Payments App" Japan version provided by Mercari, Inc. is vulnerable to improper handling of Intent CWE-939. Impact If a user who is using the vulnerable application accesses a malicious page, the malicious page can launch an arbitrary Activity ...
JVN#57544707: GROWI vulnerable to cross-site scripting
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Products Affect...
JVN#92404841: WordPress Plugin "Live Chat – Live support" vulnerable to cross-site request forgery
WordPress Plugin "Live Chat - Live support" provided by onWebChat contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious web page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the...
JVN#32396594: Yodobashi App for Android fails to restrict access permissions
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and to access an...
JVN#05502028: WordPress Plugin "Social Sharing Plugin" vulnerable to cross-site request forgery
WordPress Plugin "Social Sharing Plugin" provided by Social Rocket contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the...
JVN#51737843: Multiple vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Information disclosure in the application "Message" when viewing an external image CWE-200 - CVE-2018-0526 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N| Base Score:...
JVN#96655441: QQQ SYSTEMS vulnerable to cross-site scripting
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quizop.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability CWE-79. When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed on the user...
JVN#60032768: WordPress plugin "WP All Import" vulnerable to cross-site scripting
The WordPress plugin "WP All Import" provided by Soflyy contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the developer...
JVN#39605485: The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries
The installer of The Public Certification Service for Individuals "The JPKI user's software" provided by Japan Agency for Local Authority Information Systems J-LIS contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be...
JVN#05340816: Multiple installers of Toshiba memory card related software may insecurely load Dynamic Link Libraries
Multiple installers of Toshiba memory card related software contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installe...
JVN#01537659: WN-AC1167GR vulnerable to cross-site scripting
WN-AC1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AC1167GR contains a stored cross-site scripting vulnerability CWE-79. Impact If a user accesses a malicious URL while logged in, an arbitrary script may be executed on the user's web browser. Solution Update the Firmware...
JVN#14631222: Cybozu Garoon fails to restrict access permissions
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains following multiple vulnerabilities in restricting access permissions. Access restriction flaw in the RSS settings - CVE-2016-4908 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N|...
JVN#50347324: ManageEngine ServiceDesk Plus vulnerable to cross-site scripting
ManageEngine ServiceDesk Plus provided by Zoho Corporation is a help desk software. ManageEngine ServiceDesk Plus contains a stored cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on a web browser of a user that is logged in. Solution Update the software Upda...
JVN#49343562: Money Forward Apps for Android vulnerability that allows unintended operations
Money Forward Apps for Android contain a vulnerability where unintended operations may be performed. Impact When a user executes a malicious application, it may perform an unintended operation. Solution Update the Application Update to the latest version according to the information provided by t...
JVN#93411577: Cybozu Garoon fails to restrict access permissions
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon fails to restrict access permissions in the error page. Impact A user may be able to obtain product settings information. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#03188560: Apache Struts 1 vulnerability that allows unintended remote operations against components on memory
The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met: Condition 1: When the following ActionForm including its subclasses are in the session...
JVN#78187936: Cacti vulnerable to cross-site scripting
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing parameters in settings.php. Impact If a user views a malicious page while logged in, an arbitrary script may be executed on the...
JVN#83881261: Ruby on Rails library Paperclip vulnerable to cross-site scripting
Paperclip provided by thoughtbot is a library to upload files in Ruby on Rails. Paperclip contains a persistent cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to t...
JVN#79284156: NetFlow Analyzer vulnerable to cross-site request forgery
NetFlow Analyzer provided by Zoho Corporation is a traffic analysis tool. NetFlow Analyzer contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, various administrative functions may be performed. Solution Update the software build and apply...
JVN#86448949: The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass
The Validator in Apache Struts 1.1 and later contains a function MPV -- Multi Page Validator to efficiently define rules for input validation across multiple pages during screen transitions. The MPV contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validato...
JVN#67792023: Multiple improper data validation vulnerabilities in Syslink driver for Texas Instruments OMAP mobile processors
The OMAP mobile processor provided by Texas Instruments is used in some Android tablets, smartphones and other devices. The Syslink driver for some OMAP mobile processors is used to implement the communication of processes between the host and slave processors. The Syslink driver contains multipl...
JVN#51770585: EC-CUBE vulnerable to authorization bypass
EC-CUBE from EC-CUBE CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an authorization bypass vulnerability CWE-639. Impact A user of the affected shopping website may obtain other users' information by sending a crafted HTTP request. Solution Apply the update or...
JVN#07497769: Oracle Outside In vulnerable to buffer overflow
Oracle Outside In is a library to decode over 500 file types. Oracle Outside In contains a buffer overflow vulnerability. Impact When Oracle Outside In processes a specially crafted Ichitaro Word Processor file, arbitrary code may be executed. Solution Apply an update Update to the latest version...
JVN#63650108: Smarty vulnerable to cross-site scripting
Smarty is a template engine for PHP. Smarty contains a cross-site scripting vulnerability when displaying an error message. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the...
JVN#56667137: Multiple SKYARC System Co., Ltd. products vulnerable to cross-site request forgery
MTCMS and multiple Movable Type plugins provided by SKYARC System Co., Ltd. contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged into MTCMS or a Movable Type implementation with any of the plugins from "Products Affected" running, information...
JVN#81294135: IBM Tivoli vulnerable to denial-of-service (DoS)
IBM Tivoli contains a denial-of-service DoS vulnerability due to an issue in Java Runtime Environment JRE. Impact A remote attacker may cause a denial-of-service DoS. Solution Apply a patch Apply the appropriate patch according to the information provided by the developer. Products Affected A wid...
JVN#33880169: Opera may insecurely load executable files
Opera loads certain executables .exe when opening the folder where downloaded contents are stored. Opera contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of running the application. Solution Update...
JVN#62868899 7-ZIP32.DLL buffer overflow vulnerability
7-ZIP32.DLL is an open source library for compression and decompression supporting 7z, zip, and some other format files. 7-ZIP32.DLL is based on "Integrated Archiver API Specification", and called from the compression/decompression software. 7-ZIP32.DLL contains a buffer overflow vulnerability. I...
JVN#95019167 Internet Explorer vulnerable in handling MHTML protocol
When Internet Explorer accesses a website using MHTML MIME Encapsulation of Aggregate HTML, Internet Explorer processes the contents as MHTML data, ignoring their actual content types, and it does not properly handle the Content-Disposition header field. This could cause a dialog box not to be...
JVN#59547048: WinRAR vulnerable to the symbolic link based "Mark of the Web" check bypass
WinRAR provided by RARLAB contains a vulnerability that bypasses the "Mark of the Web" CWE-356 security warning function for files when opening a symbolic link that points to an executable file. In the initial Windows configuration, only administrators have the privilege to create symbolic links...
JVN#43561812: +Message App improper handling of Unicode control characters
+Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character's specifications. Therefore, a crafted text may display misleading web links CWE-451. Impact A spoofed URL may be displayed and phishing attacks may be...
JVN#46345126: Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers
The web interface "Command Center" of multiple MFPs and printers provided by KYOCERA Document Solutions Inc. contain multiple vulnerabilities listed below. Session Information Easily Guessable CWE-287 - CVE-2022-41798 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#70100915: Multiple vulnerabilities in TransmitMail
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. Directory traversal vulnerability due to the improper validation of external input values CWE-22 - CVE-2022-22146 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#64806328: Canon laser printers and small office multifunctional printers vulnerable to cross-site scripting
Multiple Canon laser printers and small office multifunctional printers contain a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the product settings screen. Solution Update the firmware Update the...