5625 matches found
JVN#83568336: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an SQL injection vulnerability in the "Messages" function. Impact An authenticated attacker may obtain or alter information stored in the database. Solution Update the Software Update to the latest version according to t...
JVN#04125292: Cybozu Mailwise contains issue in preventing clickjacking attacks
Cybozu Mailwise contains multiple pages for editing/sending bulk emails. Some of these pages fail to protect against clickjacking attacks. Impact If a user views a malicious page while logged in, the user may be tricked into conducting unintended operations. Solution Update the Software Update to...
JVN#39594409: DMM Movie Player App fails to verify SSL server certificates
DMM Movie Player App provided by DMM.com Labo Co.,Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by...
JVN#63384827: Multiple shiro8 Co., Ltd. freearea_ addition_plugins for EC-CUBE vulnerable to cross-site scripting
EC-CUBE plugin "categoryfreearea additionplugin" and "itemdetailfreearea additionplugin" provided by shiro8 Co., Ltd. contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the...
JVN#00272277: Tokyo Star bank App fails to verify SSL server certificates
Tokyo Star bank App provided by The Tokyo Star Bank, Limited fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided...
JVN#78383854: Internet Explorer cross-domain policy bypass
Internet Explorer contains an information disclosure vulnerability due to a flaw in handling cross-domain policies. Impact When a specially crafted content is opened, cross-domain policies may be bypassed and then information of the URL that the user is accessing may be obtained by an attacker...
JVN#55545372: EC-CUBE plugin BbAdminViewsControl vulnerable to SQL injection
BbAdminViewsControl from BOKUBLOCK CO., LTD. is an EC-CUBE plugin. BbAdminViewsControl contains an SQL injection vulnerability CWE-89. Impact A logged in attacker may execute SQL statements. According to the developer, this vulnerability affects availability of the server that EC-CUBE resides, bu...
JVN#73346595: applican vulnerable to URL whitelist bypass
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican provides a whitelisting function whitelist.xml to limit the URLs that applications can access. However, if the application is launched using the URL-scheme, the access...
JVN#77193915: Twit BBS vulnerable to cross-site scripting
Twit BBS provided by LEMON-S PHP contains a persistent cross-site scripting CWE-79 vulnerability due to the processing of imagetitle parameter in index.php. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Twit BBS Twit BBS is no longer being developed or...
JVN#97971874: Welcart vulnerable to cross-site scripting
Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a cross-site scripting CWE-79 vulnerability due to the processing of uscesreferer parameter in admin.php. Impact If a user views a malicious page while logged into WordPress with this plugin...
JVN#17480391: shiromuku(u1)GUESTBOOK vulnerable to cross-site scripting
shiromukuu1GUESTBOOK from Perl CGI's By Mrs. Shiromuku is a bulletin board software. shiromukuu1GUESTBOOK contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#94592501: Multiple I-O DATA IP Cameras vulnerable to authentication bypass
Multiple IP Cameras provided by I-O DATA contain an authentication bypass vulnerability. Impact An attacker who can access the product may be able to gain access to configuration and credential information. As a result, the attacker may take control of the product. Solution Apply an update Update...
JVN#31082531: Cybozu Garoon 3 API access restriction bypass vulnerability
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability CWE-264 when using Garoon APIs. Impact A remote attacker may cause a denial-of-service DoS or execute arbitrary code. Solution Update the Software Update to the latest version...
JVN#10724763: SEIL Series routers vulnerable to denial-of-service (DoS)
The PPP Access Concentrator PPPAC in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service DoS vulnerability due to an issue in processing certain packets. CWE-119 Impact By receiving a specially crafted TCP packet, a session established using PPPAC may be...
JVN#51285738: tetra filer vulnerable to directory traversal
tetra filer provided by Yuichiro Okuyama contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has...
JVN#85812843: FileMaker Pro fails to verify SSL server certificates
FileMaker Pro contains a function to encrypt communications with the FileMaker Server. FileMaker Pro fails to verify the SSL server certificate. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Upgrade the software Upgrade to the latest...
JVN#99681273: myu-s / PHP WeblogSystem by netmania vulnerable to cross-site scripting
myu-s and PHP WeblogSystem by netmania provided by FLUGELz contain a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest product released on Feb.16, 2012 or a fixed myu-s according to the...
JVN#50701493: Email Anti-virus (formerly WebShield SMTP) vulnerable to denial-of-service
Email Anti-virus formerly WebShield SMTP provided by McAfee Co., Ltd. is an anti-virus package that scans emails. Email Anti-virus formerly WebShield SMTP contains a denial-of-service DoS vulnerability. Impact An attacker may be able to cause a denial-of-service DoS. Solution Do not use Email...
JVN#03015214: KUNAI Browser for Remote Service beta vulnerable in the WebView class
KUNAI Browser for Remote Service beta is an Android browser software for using Cybozu. KUNAI Browser for Remote Service beta contains a vulnerability in the WebView class. Impact When there is a malicious file in the user's Android device, clicking a file:// hyperlink may lead to the malicious fi...
JVN#92038939: mixi for Android information management vulnerability
mixi for Android provided by mixi, Inc. contains an issue which stores friends' comments on a SD card, therefore other applications can access this information directly from the SD card. Impact If a user of the affected product uses a malicious Android application, friends' comments may be...
JVN#73162541: OTRS vulnerable to OS command injection
OTRS provided by the OTRS Project is a ticket management system. OTRS contains an OS command injection vulnerability. Impact An arbitrary OS command may be executed with the privileges of OTRS on the server where it is installed. Solution Update the software Update to the latest version according...
JVN#09115481: Cross-site scripting vulnerability in multiple Rocomotion products
Multiple products P board etc. provided by Rocomotion contain a cross-site scripting vulnerablility. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. This issue h...
JVN#50133036: Cross-site Request Forgery Vulnerability in Oracle iPlanet Web Server
Oracle iPlanet Web Server formerly Sun Java System Web Server is a web server. Oracle iPlanet Web Server contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged into the Oracle iPlanet Web Server management console, an arbitrary instance may be...
JVN#66077895 Virus Security and Virus Security ZERO denial of service (DoS) vulnerability
Virus Security and Virus Security ZERO are anti-virus software provided by SOURCENEXT CORPORATION. Virus Security and Virus Security ZERO contain a denial of service DoS vulnerability as they do not properly handle malicious compressed files when scanning. Impact The software may not function aft...
JVN#66673020: Multiple vulnerabilities in Defense Platform Home Edition
Defense Platform Home Edition provided by Humming Heads Inc. contains multiple vulnerabilities listed below. Improper handling of message in specific process CWE-422 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Base Score 8.8 CVE-2025-20094 Execution with unnecessary privileges CWE-250...
JVN#50132400: Multiple vulnerabilities in WordPress Plugin "Forminator"
WordPress Plugin "Forminator" provided by WPMU DEV contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8 CVE-2024-28890 SQL injection CWE-89 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H...
JVN#51098626: Multiple vulnerabilities in WordPress Plugin "Survey Maker"
WordPress Plugin "Survey Maker" provided by AYS Pro Plugins contains multiple vulnerabilities listed below. Stored cross-site scripting CWE-79 - CVE-2023-34423 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
JVN#10921428: Lemon8 App fails to restrict access permissions
Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to access an arbitrar...
JVN#17625382: Multiple vulnerabilities in Nintendo Wi-Fi Network Adaptor WAP-001
Nintendo Wi-Fi Network Adaptor provided by Nintendo Co.,Ltd. contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2022-36381 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8 CVSS v2| AV:A/AC:L/Au:S/C:P/I:P/A:P|...
JVN#93667442: Gitlab vulnerable to server-side request forgery
Gitlab contains a server-side request forgery vulnerability CWE-918 through the Project Import feature. Impact The vulnerability allows an attacker to make arbitrary HTTP/HTTPS or git requests inside a GitLab instance's network. Solution Update the software Update the software to the latest versi...
JVN#13878856: Mobaoku-Auction & Flea Market App for iOS vulnerable to improper server certificate verification
Mobaoku-Auction & Flea Market App for iOS provided by DeNA Co., Ltd. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the application to the...
JVN#89524240: MarkText vulnerable to cross-site scripting
MarkText is a Markdown editor. MarkText contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the PC of the user using the product. Solution Update the Software Update the software to the latest version according to the information provided by the...
JVN#60553023: ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS)
ESET Cyber Security and ESET Endpoint series are antivirus software. ESET Cyber Security and ESET Endpoint series for macOS contain a denial-of-service DoS vulnerability CWE-404. Impact If it is exploited, an attacker may cause a denial-of-service DoS to stop the applications and all daemons of t...
JVN#85073657: 128 Technology Session Smart Router vulnerable to authentication bypass
128 Technology Session Smart Router provided by 128 Technology contains an authentication bypass vulnerability CWE-287. Impact A remote attacker may bypass the authentication and execute an arbitrary OS command with the root privilege. Solution Update the software Update the software to the lates...
JVN#60978548: WordPress plugin "Site Reviews" vulnerable to cross-site scripting
The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the develope...
JVN#25078144: Source code security studying tool iCodeChecker vulnerable to cross-site scripting
Source code security studying tool iCodeChecker provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Source code security studying tool...
JVN#65154137: Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) may insecurely load Dynamic Link Libraries
Installer of Denshinouhin Check System for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privilege of the user invoking the...
JVN#51978169: The installer of SOY CMS vulnerable to cross-site scripting
SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is a Contents Management System CMS. The installer of SOY CMS contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing parameter. Impact When a user accesses a malicious page that leads to where the SOY CMS...
JVN#39926655: Splunk Enterprise and Splunk Light vulnerable to open redirect
Splunk Enterprise and Splunk Light contain an open redirect vulnerability. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the latest version...
JVN#81698369: Multiple Buffalo wireless LAN routers vulnerable to directory traversal
Multiple wireless LAN routers provided by BUFFALO INC. contain a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed by an attacker who can access the product. Solution Update the Firmware Apply the appropriate firmware update provided by the developer...
JVN#11994518: Cybozu KUNAI App fails to verify SSL server certificates
Cybozu KUNAI App provided by Cybozu, Inc. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#35341085: Apache Cordova fails to restrict access permissions
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied. Impact Accessing a specially crafted URL may...
JVN#44541100: GANMA! App for iOS fails to verify SSL server certificates
GANMA! App for iOS provided by COMICSMART INC. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#25086409: ANA App fails to verify SSL server certificates
ANA App provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#55076671: Cacti vulnerable to cross-site request forgery
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the software Update to the latest...
JVN#25598413: NetFlow Analyzer fails to restrict access permissions
NetFlow Analyzer provided by Zoho Corporation is a traffic analysis tool. NetFlow Analyzer fails to restrict access permissions. Impact Administrative operations, for example, changing passwords or user account deletion may be performed by a user with guest privileges. In addition, information...
JVN#93976566: SXF Common Library vulnerable to buffer overflow
SXF Common Library contains a buffer overflow vulnerability due to a flaw in processing an input data CWE-121. Impact By processing a specially crafted CAD file, arbitrary code may be executed. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#93727681: BestWebSoft Captcha plugin vulnerable to CAPTCHA authentication bypass
Captcha provided by BestWebSoft is a plugin for WordPress. Captcha contains a CAPTCHA authentication bypass vulnerability CWE-254. Impact If this vulnerability is exploited, an attacker may be able to successfully login to WordPress and access an administrative interface without authentication...
JVN#27142693: NP-BBRM vulnerable in UPnP functionality
NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality. Impact The device may be used in a DDoS attack, as a SSDP reflector. Solution Disable UPnP Disable UPnP functionality from the management configuration in the settings screen...
JVN#28011378: Sanshiro Series vulnerable to arbitrary code execution
The "Sanshiro" series software provided by JustSystems Corporation is a spreadsheet software. The "Sanshiro" series contains a vulnerability that may allow arbitrary code execution. Impact When a user opens a specially crafted file, arbitrary code may be executed. Solution Update the software App...