5625 matches found
JVN#83459967: Janetter vulnerable to cross-site request forgery
Janetter is a client software for using Twitter. Janetter contains a cross-site request forgery vulnerability. Impact When a malicious page is opened with a web browser while Janetter is being used, the user may be impersonated to post tweets, upload local image files, and OS commands may be...
JVN#41032068: Multiple SKYARC System Co., Ltd. products fail to restrict access permissions
MTCMS and multiple Movable Type plugins provided by SKYARC System Co., Ltd. contain an issue where access permissions are not restricted. Impact A user without the appropriate privileges may alter settings and files. Solution Apply an update Update to the latest version according to the informati...
JVN#30221194: Sage vulnerable to arbitrary script execution
Sage is an addon for Mozilla Firefox that adds an RSS/Atom feed reader. Sage is vulnerable to arbitrary script execution due to the improper processing during HTML page output based on feed information. Impact An arbitrary script embedded in an RSS/Atom feed may be executed on the user's Mozilla...
JVN#02134508: WebsiteBaker vulnerable to cross-site scripting
WebsiteBaker is a content management system CMS. WebsiteBaker contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Upgrade the software Upgrade to Lepton CMS according to the information provided by the developer. Products...
JVN#70984231: Mozilla Firefox vulnerable to denial-of-service (DoS)
Mozilla Firefox contains an issue in the validation of certificates, leading to a denial-of-service DoS vulnerability. Impact When accessing a HTTPS site with a specially crafted Certificate Authority CA certificate imported, a denial-of-service DoS may occur. Solution Update the Software Update ...
JVN#54074460: Multiple Cybozu products vulnerable to cross-site scripting
Multiple groupware provided by Cybozu, Inc. contain a cross-site scripting vulnerability due to an issue when downloading graphic files from the mail system. Impact An arbitrary script may be executed on the web browser of an user who is logged on. Solution Update the software Update to the lates...
JVN#91740962: Winny vulnerable to buffer overflow
Winny is a P2P file sharing software. Winny contains a buffer overflow vulnerability. This vulnerability is different from JVN21471805 and JVN74294680. Impact A remote attacker may be able to execute arbitary code. Solution Do not use Winny Please discontinue use of Winny. Products Affected Winny...
JVN#49467403 Internet Explorer information disclosure vulnerability
Internet Explorer contains an issue when handling content using specific encoding strings that may lead to an information disclosure vulnerability. Impact When a user opens specially crafted web page, an attacker may be able to obtain sensitive information. Solution Update the software Apply the...
JVN#22247093 WebCalenderC3 vulnerable to directory traversal
WebCalenderC3 from C3 Corp. is a calender software. WebCalenderC3 contains a directory traversal vulnerability. Impact A remote attacker could view an arbitrary file on the server. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#97248625 Movable Type cross-site scripting vulnerability
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is a different vulnerability than past reports on JVN. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest versio...
MTCMS WYSIWYG Editor cross-site scripting vulnerability
Overview MTCMS WYSIWYG Editor, weblog management software from SKYARC System, contains a cross-site scripting vulnerability. MTCMS WYSIWYG Editor from SKYARC System is management software used to update Movable Type contents, etc. The install.cgi in MTCMS WYSIWYG Editor contains a cross-site...
JVN#88575577 Multiple Yamaha routers vulnerable to cross-site request forgery
Multiple Yamaha routers provide a web-based interface for users to configure the settings of the routers. The web interface is vulnerable to cross-site request forgery. Impact If the administrator views a malicious website while logged onto the web interface, the password and other configuration...
JVN#50876069 Flash Player allows to send arbitrary HTTP headers
Adobe Flash Player is a player for the Flash media format and enables frame-based animations with sound to be viewed within a web browser. Flash Player contains a vulnerability that could allow a remote attacker to modify HTTP headers of client requests and conduct a HTTP request splitting attack...
JVN#16018033 Safari URL spoofing vulnerability
Apple's Safari is a web browser installed as default with Mac OS X. There is a problem in Safari where URLs displayed in the address bar could be spoofed to deceive Safari users. This could be conducted by using Unicode characters that look alike to ASCII characters as URL strings. Impact As it i...
JVN#65500885 Serene Bach cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Also, session information or credential information kept in a cookie could be leaked. Solution Products Affected Serene Bach ver 2.05R and earlier Serene Bach ver 2.08D and earlier sb 1.13D and earlier sb 1.18R and earlier...
JVN#23835228: Proscend Communications M330-W and M330-W5 vulnerable to OS command injection
M330-W and M330-W5 provided by Proscend Communications Inc. are LTE Industrial Cellular Routers. M330-W and M330-W5 contain an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed by an attacker who has access to the product. Solution Update the firmware The...
JVN#46874970: 0ch BBS Script (0ch) vulnerable to cross-site scripting
0ch BBS Script 0ch according to the original report submitted by the reporter provided by Zerochannel according to the original report submitted by the reporter is bulletin board software. 0ch BBS Script 0ch contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be...
JVN#34328023: FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logging in, the user information may be altered. In the case the user is an administrator, the settings such as the...
JVN#48057522: Inkdrop vulnerable to code injection
Inkdrop provided by Takuya Matsuyama is a Markdown editor. Inkdrop contains a code injection vulnerability CWE-94. Impact If a specially crafted markdown file is opened using the product, arbitrary code may be executed. Solution Update the Software The developer states that Inkdrop has an...
JVN#41113329: Pyramid vulnerable to directory traversal
Pyramid provided by Pylons Project, which is a web framework for Python, contains a directory traversal vulnerability CWE-22. Impact index.html located one directory above the location of the static view's file system path can be accessed via a crafted request. Solution Update the software Update...
JVN#13306058: JINS MEME CORE uses a hard-coded cryptographic key
JINS MEME CORE provided by JINS Inc. is a nose pad type sensor attached to a glass frame. JINS MEME CORE uses a hard-coded cryptographic key CWE-321. Impact A network-adjacent attacker may decrypt data acquired by a sensor of the affected product. Solution Update the firmware Update the firmware ...
JVN#40907489: "Hulu / フールー" App for Android uses a hard-coded API key for an external service
"Hulu / フールー" App for Android provided by HJ Holdings, Inc. uses a hard-coded API key for an external service CWE-798. Impact The hard-coded API key may be retrieved via reverse-engineering the application binary. Note that the application users are not directly affected by this vulnerability...
JVN#79254445: Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability CWE-79. An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE. As of 2021 June 15, an attack exploting this vulnerability has been observed in the wild. Impact...
JVN#68244135: rNote vulnerable to cross-site scripting
rNote provided by Woody Rinn is software to create a blog. rNote contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing an website that uses rNote. Solution Consider stop using rNote 0.9.7.5 Since the...
JVN#26838191: WordPress Plugin "WP Spell Check" vulnerable to cross-site request forgery
WordPress Plugin "WP Spell Check" provided by WP Spell Check contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information...
JVN#98505783: HOUSE GATE App for iOS vulnerable to directory traversal
HOUSE GATE App for iOS provided by HOUSE GATE inc. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability CWE-22, CVE-2018-16202. Impact A remote attacker may obtain an arbitrary file such as a file related to an application on iOS device. As a...
JVN#15462187: MP Form Mail CGI eCommerce Edition vulnerable to OS command injection
MP Form Mail CGI eCommerce Edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce Edition contains an OS command injection vulnerability CWE-78. Impact A remote attacker may execute an arbitrary OS command. Solution Update the Software Update t...
JVN#76382932: Robotic appliance COCOROBO vulnerable to session management
Robotic appliance COCOROBO provided by Sharp Corporation is a robot with cleaning function. Robotic appliance COCOROBO contains a vulnerability in session management CWE-639. Impact An attacker on the same LAN may impersonate a user to accessing product. As a result, there is a possibility that a...
JVN#94771799: Installer of QuickTime for Windows may insecurely load Dynamic Link Libraries
Installer of QuickTime for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Do not use Installer of QuickTime for Windows T...
JVN#48790793: WNC01WH vulnerable to OS command injection
WNC01WH provided by BUFFALO INC. is a network camera. WNC01WH contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed by an authenticated attacker. Solution Update the Firmware Update to the latest version of firmware according to the information...
JVN#18739672: WordPress plugin "Booking Calendar" vulnerable to directory traversal
The WordPress plugin "Booking Calendar" provided by wpdevelop contains a directory traversal vulnerability CWE-22. Impact A local file outside of the application on the server may be accessed by a remote attacker. Solution Update the Software Update to the latest version according to the...
JVN#77253951: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of a user accessing the page generated by the application. Solution Update the plugin Update the plugin accordi...
JVN#21114208: Business LaLa Call App for Android fails to verify SSL server certificates
Business LaLa Call App for Android provided by K-Opticom Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the informati...
JVN#15222211: Cybozu Garoon vulnerable to cross-site request forgery
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, the user may be forced to log out. Solution Update the Software Update to the latest version according to the...
JVN#25060672: Multiple Corega wireless LAN routers vulnerable to cross-site scripting
Multiple Corega wireless LAN routers contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Use CG-WLR300NX or CG-WFR600 CG-WLBARGMH and CG-WLBARGNL are no longer being supported, therefore fix for this vulnerability wil...
JVN#92237169: CG-WLR300NX vulnerable to cross-site scripting
CG-WLR300NX provided by Corega Inc is a wireless LAN router. CG-WLR300NX contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Firmware Update to the latest version of firmware according to the information...
JVN#91002412: The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries
The installer of The Public Certification Service for Individuals "The JPKI user's software" provided by Japan Agency for Local Authority Information Systems J-LIS contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be...
JVN#27260483: mobiGate App fails to verify SSL server certificates
mobiGate App provided by Nihon Unisys, Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the...
JVN#76780067: Installer of 7-Zip for Windows may insecurely load Dynamic Link Libraries
7-Zip for Windows is an open source compression and decompression software. The installer of 7-Zip for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privilege of the user invoking the...
JVN#94779084: H2O use of externally-controlled format string
H2O is an open source web server software. H2O uses externally-controlled format strings CWE-134 in the code which output error logs. Impact An unauthenticated remote attacker may cause a denial-of-service DoS condition. Solution Update the Software Update to the latest version according to the...
JVN#67595539: Cybozu Garoon multiple cross-site scripting vulnerabilities
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains multiple cross-site scripting vulnerabilities. Cross-site scripting in the "Response request" function - CVE-2016-1214 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score:...
JVN#67266823: Cybozu Garoon vulnerable to open redirect
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an open redirect vulnerability in the "Scheduler" function. Impact When accessing a specially crafted URL, a user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack...
JVN#58455472: OSSEC Web UI vulnerable to cross-site scripting
OSSEC Web UI is a web interface for use with Open Source HIDS Security OSSEC. OSSEC Web UI contains a cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the...
JVN#28386124: ClipBucket vulnerable to cross-site scripting
Clipbucket is open source video sharing script. ClipBucket contains a cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the vendor...
JVN#01353821: Cybozu Mailwise vulnerable to mail header injection
Cybozu Mailwise contains a mail header injection vulnerability in the process of sending emails. Impact If a user is tricked into sending a specially crafted request, the header of the email to be sent may be altered. Solution Update the Software Update to the latest version according to the...
JVN#06920277: Coordinate Plus App fails to verify SSL server certificates
Coordinate Plus App provided by Toshiba Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by th...
JVN#25765762: Cybozu Garoon vulnerable to information disclosure
Cybozu Garoon is a groupware. Cybozu Garoon contains an information disclosure vulnerability in the mail function. Impact By sending a specially crafted email, an attacker may be convinced that the user read the email. Solution Update the Software Update to the latest version according to the...
JVN#49476817: DX Library vulnerable to buffer overflow
DX Library is an open source library for creating Windows application. DX Library contains a buffer overflow vulnerability due to a flaw in processing an inner function CLvsprintf. Impact When processing a specially crafted string, an application built using DX Library may allow an arbitrary code...
JVN#71730320: Zend Framework vulnerable to SQL injection
Zend Framework is an open source web application framework. Zend Framework contains an SQL injection vulnerability CWE-89 due to the argument of the ORDER BY clause. Impact An attacker who can access the product may execute SQL commands. Solution Update the Software Update to the latest version...
JVN#04281281: ISUCON5 qualifier portal web application (eventapp) vulnerable to OS command injection
ISUCON5 qualifier portal web application eventapp provided by ISUCON organizers contains an OS command injection CWE-78 vulnerability. Impact A logged in attacker may execute arbitrary OS commands on the server. Solution Update the Software Update to the latest version according to the informatio...