5627 matches found
JVN#56667137: Multiple SKYARC System Co., Ltd. products vulnerable to cross-site request forgery
MTCMS and multiple Movable Type plugins provided by SKYARC System Co., Ltd. contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged into MTCMS or a Movable Type implementation with any of the plugins from "Products Affected" running, information...
JVN#81294135: IBM Tivoli vulnerable to denial-of-service (DoS)
IBM Tivoli contains a denial-of-service DoS vulnerability due to an issue in Java Runtime Environment JRE. Impact A remote attacker may cause a denial-of-service DoS. Solution Apply a patch Apply the appropriate patch according to the information provided by the developer. Products Affected A wid...
JVN#33880169: Opera may insecurely load executable files
Opera loads certain executables .exe when opening the folder where downloaded contents are stored. Opera contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of running the application. Solution Update...
JVN#62868899 7-ZIP32.DLL buffer overflow vulnerability
7-ZIP32.DLL is an open source library for compression and decompression supporting 7z, zip, and some other format files. 7-ZIP32.DLL is based on "Integrated Archiver API Specification", and called from the compression/decompression software. 7-ZIP32.DLL contains a buffer overflow vulnerability. I...
JVN#95019167 Internet Explorer vulnerable in handling MHTML protocol
When Internet Explorer accesses a website using MHTML MIME Encapsulation of Aggregate HTML, Internet Explorer processes the contents as MHTML data, ignoring their actual content types, and it does not properly handle the Content-Disposition header field. This could cause a dialog box not to be...
JVN#59547048: WinRAR vulnerable to the symbolic link based "Mark of the Web" check bypass
WinRAR provided by RARLAB contains a vulnerability that bypasses the "Mark of the Web" CWE-356 security warning function for files when opening a symbolic link that points to an executable file. In the initial Windows configuration, only administrators have the privilege to create symbolic links...
Multiple vulnerabilities in Sharp and Toshiba Tec MFPs
Overview MFPs multifunction printers provided by Sharp and Toshiba Tec Corporation contain multiple vulnerabilites listed below. Out-of-bounds Read CWE-125 CVE-2024-42420 Out-of-bounds read vulnerabilities coming from improper processing of keyword search input and improper processing of SOAP...
JVN#43561812: +Message App improper handling of Unicode control characters
+Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character's specifications. Therefore, a crafted text may display misleading web links CWE-451. Impact A spoofed URL may be displayed and phishing attacks may be...
JVN#70100915: Multiple vulnerabilities in TransmitMail
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. Directory traversal vulnerability due to the improper validation of external input values CWE-22 - CVE-2022-22146 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#64806328: Canon laser printers and small office multifunctional printers vulnerable to cross-site scripting
Multiple Canon laser printers and small office multifunctional printers contain a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the product settings screen. Solution Update the firmware Update the...
JVN#80288258: The installers of multiple Sony products may insecurely load Dynamic Link Libraries
The installers of multiple Sony products contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installer by following the...
JVN#27806339: NETGEAR GS108Ev3 vulnerable to cross-site request forgery
GS108Ev3 switching hub provided by NETGEAR contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in to the management screen of the device, the product's settings may be changed without the user's intention or consent. Solution Update th...
JVN#40039627: Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an...
JVN#85056623: Installer of SoundEngine Free may insecurely load Dynamic Link Libraries
Installer of SoundEngine Free contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installer Use the latest installer...
JVN#87226910: WebProxy vulnerable to directory traversal
WebProxy provided by LunarNight Laboratory is software for creating a proxy server. WebProxy contains a directory traversal vulnerability CWE-22 due to a flaw in processing certain requests. Impact A remote attacker may create an arbitrary file on the server where the product is running. Solution...
JVN#03044183: Wi-Fi STATION L-02F fails to restrict access permissions
Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. fails to restrict access permissions. Impact An unauthenticated remote attacker may access the web interface of the device through internet and obtain the stored setting information. Solution Apply an Update Apply the update according to the...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. SQL injection CWE-89 - CVE-2017-10842 Arbitary files may be deleted - CVE-2017-10843 Arbitary PHP code execution - CVE-2017-10844 Shoji Baba reported the vulnerabilities to IPA. JPCERT/CC...
JVN#67305782: Installer of CASL II simulator(self-extract format) may insecurely load Dynamic Link Libraries
Installer of CASL II simulatorself-extract format provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privilege of the user invoking t...
JVN#31236539: [Simeji for Windows(β)] installer may insecurely load Dynamic Link Libraries
Simeji for Windowsβ installer provided by Baidu Japan Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Do not use Simeji for...
JVN#01404851: Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Impact When accessing a specially crafted URL, an arbitrary code may...
JVN#87770873: CS-Cart Japanese Edition vulnerable to cross-site request forgery
​CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site request forgery CWE-352 vulnerability. Impact If a consumer views a malicious page while logged in, an unintended item may be purchased. Solution Update the Software Update to the latest...
BlueZ userland utilities vulnerable to buffer overflow
Overview BlueZ provides a Bluetooth protocol stack for Linux kernel and userland utilities. parseline function used in some userland utilities contains a buffer overflow vulnerability. Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with...
JVN#16781735: Multiple access restriction bypass vulnerabilities in Cybozu Dezie
Cybozu Dezie contains multiple access restriction bypass vulnerabilities listed below. Access restriction bypass to download DBM files - CVE-2016-7832 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 5.3 CVSS v2| AV:N/AC:L/Au:N/C:P/I:N/A:N| Bas...
JVN#00324715: Electron may insecurely load Node modules
Electron is a software framework for developing cross-platformm desktop applications with web technologies, such as HTML, CSS, JavaScript with Chromium and Node.js. Electron is used in applications such as Atom editor, Microsoft Visual Studio Code, etc.. Electron contains a flaw where the search...
JVN#51250073: CG-WLNCM4G may behave as an open resolver
CG-WLNCM4G provided by Corega Inc is a network camera. CG-WLNCM4G contains an issue where it may behave as an open resolver. Impact The device may be leveraged for use in a DNS amplification attack and unknowingly become a part of a DDoS attack. Solution Do not use CG-WLNCM4G As of December 25,...
JVN#39175666: MP Form Mail CGI eCommerce edition vulnerable to code injection
MP Form Mail CGI eCommerce edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce edition contains a code injection vulnerability. Impact Arbitrary Perl code may be executed on the server where it resides. Solution Update the software Update to...
JVN#71762315: LG Electronics mobile access routers lack access restrictions
LG Electronics mobile access routers provided by NTT DOCOMO, INC. lack access restrictions in the web administration interface. Impact An attacker that can access the device may bypass authentication and obtain information stored on the device. Solution Apply an Update Apply the update according ...
JVN#42024228: Cybozu Garoon CGI vulnerable to remote command execution
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon CGI contains a remote command execution vulnerability. Impact An arbitrary command may be executed on the server where Cybozu Garoon resides. Solution Update the Software Update to the latest version according to the information...
JVN#36259412: Web Kyukincho vulnerable to cross-site request forgery
Web Kyukincho provided by Intercom, Inc. is a software that digitizes and distributes a pay statement and others. Web Kyukincho contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, unintended operations may be conducted. Solution Update the...
JVN#93344001: ATOK for Android issue in the access permissions for the learning information file
ATOK for Android provided by JUST Systems contains an issue where another application may access the learning information file which stores user input strings. Impact If a user of the affected product uses other malicious Android application, the learning information file may be obtained. Solutio...
JVN#59652356: Cybozu KUNAI for Android vulnerable in the WebView class
Cybozu KUNAI is a mobile client software for using Cybozu. Cybozu KUNAI for Android contains a vulnerability in the WebView class. Impact When there is a malicious file in the user's Android device, clicking a file:// hyperlink may lead to the malicious file being opened and information managed b...
JVN#46088915: Yahoo! Browser vulnerable in the WebView class
Yahoo! Browser is a web browser for Android devices. Yahoo! Browser contains a vulnerability in the WebView class. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed. Solution Update the software Update t...
JVN#25731073: Multiple COOKPAD applications for Android vulnerable in WebView class
Cookpad and Cookpad Noseru provided by COOKPAD Inc. are Android applications to search or post recipes. Cookpad and Cookpad Noseru contain a vulnerability in WebView class. Impact If an user of the affected product uses other malicious Android application, the information contained in the affecte...
JVN#84838479: Cybozu Office vulnerable in restricting access
Cybozu Office is a groupware.Cybozu Office contains a vulnerability in restricting access permissions. Impact A user without the appropriate privileges may view an arbitrary user's attendance information. Solution Upgrade the Software Upgrade to Cybozu Office 9 that has addressed this...
JVN#63041502: Samba Web Administration Tool vulnerable to cross-site scripting
Samba Web Administration Tool SWAT allows for Samba configuration through a web interface. SWAT contains a cross-site scripting vulnerability. SWAT is disabled in a default configuration of Samba. Impact An arbitrary script may be executed on the web browser of a user that is logged into SWAT...
JVN#38362957: Lunascape may insecurely load executable files
Lunascape is a web browser. Lunascape loads certain executables when using the "script" function. Lunascape contain an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of the running application. Solution Upda...
JVN#95385972: MODx Evolution vulnerable to directory traversal
MODx provided by the MODx CMS Project is a Content Management System CMS software. MODx contains a directory traversal vulnerability. Impact A remote attacker may access or view arbitrary files on the server. Solution Update the software Update to the latest version according to the information...
JVN#54824688 phpMyAdmin cross-site scripting vulnerability
phpMyAdmin provided by The phpMyAdmin Project is software to handle the administration of MySQL over the web browser. phpMyAdmin contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. According to the developer, Microsoft Internet...
Security Update for Trend Micro Trend Vision One (April 2025)
Overview Trend Micro Incorporated has released the security update for the administration console of Trend Vision One. This update addressed the following vulnerabilities: CVE-2025-31282, CVE-2025-31283, CVE-2025-31284, CVE-2025-31285, CVE-2025-31286 Trend Micro Incorporated reported these...
JVN#63383723: Drupal vulnerable to improper handling of structural elements
Drupal provided by Drupal.org contains an improper handling of structural elements vulnerability CWE-237. Impact An attacker may be able to cause a denial-of-service DoS condition. Solution Update the Software Update the software to the latest version 10 series according to the information provid...
JVN#94132951: Cybozu Remote Service vulnerable to uncontrolled resource consumption
Cybozu Remote Service provided by Cybozu, Inc. is vulnerable to uncontrolled resource consumption CWE-400. Impact Certain operations performed by a logged-in user may lead to huge storage space consumption or significantly delayed communication. Solution Update the Software Update the software to...
JVN#45547161: Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2023-29009 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 5.4 CVSS v2|...
JVN#95981460: Improper restriction of XML external entity references (XXE) in Proself
Proself provided by North Grid Corporation improperly restricts XML external entity references XXE CWE-611. The developer states that attacks exploiting this vulnerability have been observed. Impact By processing a specially crafted request containing malformed XML data, arbitrary files on the...
JVN#15808274: e-Gov Client Application fails to restrict custom URL schemes properly
e-Gov Client Application is installed, a Custom URL Scheme is configured on the system to enable invoking the product through a web browser. This custom URL contains the information about the website which the product should access, and a crafted URL may direct the application to access an...
JVN#14778242: Multiple vulnerabilities in T&D and ESPEC MIC data logger products
Multiple data logger products provided by T&D Corporation and ESPEC MIC CORP. contain multiple vulnerabilities listed below. Client-side enforcement of server-side security CWE-602 - CVE-2023-22654 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N| Base...
JVN#41694426: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-3122 Denial-of-service DoS in Message CWE-400 - CVE-2023-26595 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L| Base Score: 5.0 CVSS v2| AV:N/AC:L/Au:S/C:N/I:N/A:P...
JVN#01093915: Multiple vulnerabilities in WordPress Plugin "MW WP Form" and "Snow Monkey Forms"
WordPress Plugin "MW WP Form" and "Snow Monkey Forms" provided by Monkey Wrench Inc. contain multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2023-28408 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L| Base Score: 7.2 CVSS v2|...
JVN#31073333: WordPress plugin "Welcart e-Commerce" vulnerable to directory traversal
WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed by a remote attacker. Solution Update the plugin Update the plugin according to the information provided by the developer. The...
JVN#89126639: Nike App fails to restrict custom URL schemes properly
Nike App by Nike, Inc. provides the function to access a requested URL using Custom URL Scheme. The app does not restrict access to the function properly CWE-939 which may be exploited to direct the app to access any sites. Impact A remote attacker may lead a user to access an arbitrary website v...
JVN#00414047: Studyplus App uses a hard-coded API key for an external service
Studyplus App provided by Studyplus Inc. uses a hard-coded API key for an external service CWE-798. Impact API key for an external service may be obtained by analyzing data in the app. Note that a user is not directly affected by this vulnerability. Solution Update the Application Update the...