5627 matches found
JVN#85073657: 128 Technology Session Smart Router vulnerable to authentication bypass
128 Technology Session Smart Router provided by 128 Technology contains an authentication bypass vulnerability CWE-287. Impact A remote attacker may bypass the authentication and execute an arbitrary OS command with the root privilege. Solution Update the software Update the software to the lates...
JVN#60978548: WordPress plugin "Site Reviews" vulnerable to cross-site scripting
The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the develope...
JVN#25078144: Source code security studying tool iCodeChecker vulnerable to cross-site scripting
Source code security studying tool iCodeChecker provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Source code security studying tool...
JVN#65154137: Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) may insecurely load Dynamic Link Libraries
Installer of Denshinouhin Check System for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privilege of the user invoking the...
JVN#51978169: The installer of SOY CMS vulnerable to cross-site scripting
SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is a Contents Management System CMS. The installer of SOY CMS contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing parameter. Impact When a user accesses a malicious page that leads to where the SOY CMS...
JVN#39926655: Splunk Enterprise and Splunk Light vulnerable to open redirect
Splunk Enterprise and Splunk Light contain an open redirect vulnerability. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the latest version...
JVN#81698369: Multiple Buffalo wireless LAN routers vulnerable to directory traversal
Multiple wireless LAN routers provided by BUFFALO INC. contain a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed by an attacker who can access the product. Solution Update the Firmware Apply the appropriate firmware update provided by the developer...
JVN#11994518: Cybozu KUNAI App fails to verify SSL server certificates
Cybozu KUNAI App provided by Cybozu, Inc. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer...
WordPress plugin "Ninja Forms" vulnerable to PHP object injection
Overview WordPress plugin "Ninja Forms" contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized. Impact A remote attacker may execute an arbitrary PHP code. Solution Update the Software Update to a version that addresses the vulnerability according...
JVN#35341085: Apache Cordova fails to restrict access permissions
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied. Impact Accessing a specially crafted URL may...
JVN#44541100: GANMA! App for iOS fails to verify SSL server certificates
GANMA! App for iOS provided by COMICSMART INC. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#25086409: ANA App fails to verify SSL server certificates
ANA App provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#55076671: Cacti vulnerable to cross-site request forgery
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the software Update to the latest...
JVN#25598413: NetFlow Analyzer fails to restrict access permissions
NetFlow Analyzer provided by Zoho Corporation is a traffic analysis tool. NetFlow Analyzer fails to restrict access permissions. Impact Administrative operations, for example, changing passwords or user account deletion may be performed by a user with guest privileges. In addition, information...
JVN#93976566: SXF Common Library vulnerable to buffer overflow
SXF Common Library contains a buffer overflow vulnerability due to a flaw in processing an input data CWE-121. Impact By processing a specially crafted CAD file, arbitrary code may be executed. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#93727681: BestWebSoft Captcha plugin vulnerable to CAPTCHA authentication bypass
Captcha provided by BestWebSoft is a plugin for WordPress. Captcha contains a CAPTCHA authentication bypass vulnerability CWE-254. Impact If this vulnerability is exploited, an attacker may be able to successfully login to WordPress and access an administrative interface without authentication...
JVN#27142693: NP-BBRM vulnerable in UPnP functionality
NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality. Impact The device may be used in a DDoS attack, as a SSDP reflector. Solution Disable UPnP Disable UPnP functionality from the management configuration in the settings screen...
JVN#81739241: sp mode mail issue when accessing attachments in incoming mail
sp mode mail provided by NTT DOCOMO contains a function that allows other Android applications to access attachments for incoming emails. This function contains an issue in the restriction of access permissions. Impact If a malicious Android application is installed on the device, attachments for...
JVN#28011378: Sanshiro Series vulnerable to arbitrary code execution
The "Sanshiro" series software provided by JustSystems Corporation is a spreadsheet software. The "Sanshiro" series contains a vulnerability that may allow arbitrary code execution. Impact When a user opens a specially crafted file, arbitrary code may be executed. Solution Update the software App...
JVN#60997973: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an issue in processing input through API, which may result in SQL injection. Impact A user who can log in to the system may alter information stored in the database. Solution Apply the Patch Apply the appropriate patch...
JVN#21336955: Cybozu Dezie vulnerable to cross-site scripting
Cybozu Dezie provided by Cybozu, Inc. contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the web browser of a user that is logged on. Solution Update the Software Update to the latest version according to the information provided by the developer. Product...
JVN#21103639: Cybozu Mailwise vulnerable to information disclosure
Cybozu Mailwise contains a vulnerability that may display contents of another email in the subject field. Impact Contents of an email may be obtained by a user that does not have privileges to access that original email. Solution Update the Software Update to the latest version according to the...
JVN#26394323: POST-MAIL vulnerable to cross-site scripting
POST-MAIL provided by KENT-WEB contains an issue in the webpage output of strings entered in the form, which may result in a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version accordin...
JVN#51305555: Lotus Domino vulnerable to denial-of-service (DoS)
Lotus Domino contains a denial-of-service DoS vulnerability due to an issue in processing HTTP requests. Impact A remote attacker may cause the Domino service to crash. Solution Update the software Update to the latest version according to the information provided by the developer. Products...
JVN#83907168: Multiple KYOCERA mobile devices may reboot during email reception
Multiple KYOCERA mobile devices contain an issue where the device may reboot when receiving an email in an invalid format. When this issue occurs, the device will always reboot when attempting to receive the invalid email. Impact When receiving an invalid email, the device will always reboot,...
JVN#23009798: Cybozu Live for Android vulnerable to arbitrary Java method execution
Cybozu Live for Android is a client software for Cybozu Live. Cybozu Live for Android contains an arbitrary Java method execution vulnerability. Impact When opening a specially crafted website, an attacker may be able to execute an arbitrary Java method. As a result, information stored in Android...
JVN#33171616: WEB PATIO vulnerable to cross-site scripting
WEB PATIO is a bulletin-board software. WEB PATIO contains a vulnerability in handling web form entries, which may result in cross-site scripting. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#15646988: WordPress plugin WassUp vulnerable to cross-site scripting
WassUp is a WordPress plugin that tracks visitors to the blog. WassUp contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the...
JVN#10745573: Janetter vulnerable to information disclosure
Janetter is a client software for using Twitter. Janetter contains an information disclosure vulnerability. Impact When a malicious page is opened with a web browser while Janetter is being used, session information used to communicate with Twitter may be disclosed. Solution Update the software...
JVN#88991166: SEIL Series routers vulnerable to buffer overflow
The PPP Access Concentrator PPPAC contained in SEIL Series routers contain a buffer overflow vulnerability when processing PPPoE packets. Impact An attacker may be able to execute arbitrary code. Accoding to the developer, all versions of SEIL/86, SEIL/B1, SEIL/X1, SEIL/X2 3.00 through 3.11 proce...
JVN#84393059: EC-CUBE vulnerable to cross-site scripting
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN. Impact An arbitrary script may be executed on the user's web browser...
JVN#62275332: Internet Explorer vulnerable to cross-site scripting
Microsoft Internet Explorer contains a vulnerability in handling Content-Type, which may result in cross-site scripting. Impact An arbitrary script may be executed. Solution Update the Software Apply the latest update according to the information provided by Microsoft. Products Affected Internet...
JVN#82465391: e-Pares vulnerable to cross-site request forgery
e-Pares is a system that manages facility conference rooms, etc. information. e-Pares contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged into e-Pares, facility reservation data may be altered. Solution Update the Software Update to the latest...
JVN#90872372 WebSAM DeploymentManager vulnerable to denial of service
WebSAM DeploymentManager is a product that manages the distribution of security patches. WebSAM DeploymentManager contains a denial of service DoS vulnerability. Impact On a server or workstation with "Client Service for DPM" installed, a remote attacker may shut down or restart the operating...
JVN#93827000 Tree BBS from Let's PHP! vulnerable to cross-site scripting
Tree BBS from Let's PHP! is a tree-structured bulletin board software. Tree BBS contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by t...
JVN#07468800 Predictable session ID vulnerability in Access Analyzer CGI by futomi's CGI Cafe
Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI contains a predictable session ID vulnerability. Impact A remote attacker could impersonate an administrator of Access Analyzer CGI. As a result, a remote attacker could view access...
JVN#77203800: OET-213H-BTS1 missing authorization check in the initial configuration
OET-213H-BTS1 is a digital temperature measurement and face recognition terminal, developed by Zhejiang Uniview Technologies Co.,Ltd and provided by Atsumi Electric Co., Ltd. The initial configuration of the product is insecure CWE-1188, it does not perform an authorization check when processing...
JVN#82758000: Multiple vulnerabilities in SHIRASAGI
SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2023-36492 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base Score:...
JVN#03447226: "Skylark" App fails to restrict custom URL schemes properly
"Skylark" App provided by SKYLARK HOLDINGS CO., LTD. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939, CVE-2023-40530, CVE-2024-54014 which may be exploited to direct the App to access any sites. Impact An...
JVN#59663854: WordPress Plugin "Salon booking system" vulnerable to cross-site scripting
WordPress Plugin "Salon booking system" contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress administrative page where the product is installed. Solution Update the plugin Update the plug...
JVN#23766146: Passage Drive vulnerable to insufficient data verification
Passage Drive provided by Yokogawa Rental & Lease Corporation contains an insufficient data verification vulnerability for interprocess communication CWE-20. Impact By running a malicious program, an arbitrary OS command may be executed with LocalSystem privilege of the Windows system where the...
JVN#58266015: Multiple vulnerabilities in multiple MEIKYO ELECTRIC products
Multiple MEIKYO ELECTRIC products provided by MEIKYO ELECTRIC CO.,LTD. contain multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-27632 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L| Base Score: 5.4 CVSS v2|...
JVN#75444925: Multiple vulnerabilities in EC-CUBE 2 series
EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. Improper access control in Management screen CWE-284 - CVE-2021-20841 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2|...
JVN#89054582: WordPress Plugin "Software License Manager" vulnerable to cross-site request forgery
WordPress Plugin "Software License Manager" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Upda...
JVN#73559859: Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program may insecurely load Dynamic Link Libraries
Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program provided by Agency for Natural Resources and Energy of METI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of...
JVN#74554973: Installer of LhaForge may insecurely load Dynamic Link Libraries
LhaForge is a file compression/decompression software. The installer of LhaForge contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution U...
JVN#55294532: WordPress plugin "YOP Poll" vulnerable to cross-site scripting
The WordPress plugin "YOP Poll" contains a stored cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application. Solution Update the plugin Update the plugin according to the information provided ...
JVN#71666779: Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Impact If a user accesses a malicious web page, arbitrary code may b...
JVN#23823838: CG-WLR300NX vulnerable to cross-site request forgery
CG-WLR300NX provided by Corega Inc is a wireless LAN router. CG-WLR300NX contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Firmware Update to the latest version of...
JVN#31524757: EC-CUBE plugin "Help plug-in" vulnerable to SQL injection
EC-CUBE plugin "Help plug-in" provided by Cuore contains an SQL injection vulnerability CWE-89. Impact Information stored in the database may be obtained or altered by a remote attacker. Solution Update the plugin Update to the latest version according to the information provided by the developer...