5627 matches found
JVN#22534185: ServerView Operations Manager vulnerable to cross-site scripting
ServerView Operations Manager provided by FUJITSU LIMITED is server management software. ServerView Operations Manager contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version...
JVN#10319260: Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Remote Service Manager provided by Cybozu,Inc. is a software to access on-premise systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service DoS vulnerability. Impact An attacker may cause a denial-of-service on a server that is installed Remo...
JVN#05951929: sp mode mail issue where emails in the process of creation may be accessed
sp mode mail provided by NTT DOCOMO contains an application link interface so that mail data can be exchanged with external application during email creation. When the application to be linked is selected, the email contents and attachment are saved to the SD card, therefore other Android...
JVN#89260331: sp mode mail vulnerability where Java methods may be executed
sp mode mail provided by NTT DOCOMO contains an issue in the processing Deco-mail emoticon POP, which may lead to the execution of arbitrary Java methods that can be executed with the privileges of sp mode mail. Impact When a specially crafted email is opened, an arbitrary Java method that can be...
JVN#69986880: OpenPNE vulnerable to PHP Object Injection
OpenPNE contains an issue in processing Cookie headers, which may result in a PHP Object Injection vulnerability. Impact A remote, unauthenticated attacker may execute an arbitrary PHP code. Solution Apply an update Update to the latest version according to the information provided by the...
JVN#40079308: SEIL Series routers vulnerable in RADIUS authentication
The PPP Access Concentrator PPPAC in SEIL Series routers provided by Internet Initiative Japan Inc. contains an issue when generating random numbers used for RADIUS authentication, which may result in the generated random numbers to be easily predicted. Impact An attacker who can intercept...
JVN#70245052: D-Link DES-3810 Series vulnerable to denial-of-service (DoS)
DES-3810 Series provided by D-Link Japan contains a denial-of-service DoS vulnerability due to an issue in SSH implementation. Impact A user who can login with SSH may cause the product to stop responding. Solution Update the Firmware Update the firmware to version R2.20.011 or later according to...
JVN#77455005: ChamaCargo vulnerable to cross-site scripting
ChamaCargo provided by ChamaNet is a system for creating shopping websites. ChamaCargo contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply an update Update to the latest version according to the information provided b...
JVN#53014207: Cybozu Office vulnerable to cross-site scripting
Cybozu Office is a groupware. Cybozu Office contains a cross-site scripting vulnerability in the function to customize the top page. Impact An arbitrary script may be executed on the web browser of an user who is logged in. Solution Update the software Update to the latest version according to th...
JVN#19491840: Cybozu Office session management vulnerability
Cybozu Office is a groupware. Cybozu Office contains a vulnerability in session management. Impact A third-party that obtains the URL for a login may impersonate a user and access the product. As a result information may be altered or disclosed. Solution Update the software Update to the latest...
JVN#04161229: EC-CUBE vulnerable to directory traversal
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a directory traversal vulnerability. Note that this vulnerability is different from JVN43886811. Impact A remote attacker may obtain arbitrary image files on the server. Solution Apply the updat...
JVN#18223913: BeZIP vulnerable to directory traversal
BeZIP provided by Be Graph Co.,Ltd. is a file compression/extraction software supporting ZIP and LZH formats. BeZIP contains a directory traversal vulnerability. Impact An arbitrary file may be created or altered when extracting a specially crafted file. Solution Update the software Update to the...
JVN#24646833: SEIL series fail to restrict access permissions
SEIL series are wireless LAN routers. SEIL series contain an issue where access permissions are not restricted. Impact An attacker that can access the product's HTTP proxy may bypass restrictions such as the URL filter. Solution Update the Software Update to the latest version of the firmware...
JVN#85934986: Logitec LAN-W300N/R series fails to restrict access permissions
The LAN-W300N/R series are wireless LAN routers. Logitec LAN-W300N/R series contain an issue where access permissions are not restricted. Impact An attacker that can access the product may log in with administrative privileges. As a result, settings may be changed or altered by the attacker who...
JVN#86044443: iLunascape for Android vulnerable in the WebView class
iLunascape for Android is a web browser for Android devices. iLunascape for Android contains a vulnerability in the WebView class. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed. Solution Update the...
JVN#47536971: WEB MART from KENT-WEB vulnerable to cross-site scripting
WEB MART provided by KENT-WEB is a system for creating shopping websites. WEB MART contains a vulnerability in handling cookies, which may result in cross-site scripting. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest versio...
JVN#90055996: Dokodemo Rikunabi 2013 vulnerable to cross-site scripting
Dokodemo Rikunabi 2013 is an extension for Google Chrome. Dokodemo Rikunabi 2013 contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on user's Google Chrome. Solution Update the software Update to the latest version according to the information provided by th...
JVN#14791558: Jenkins vulnerable to cross-site scripting
Jenkins is a continuous integration CI tool. Jenkins contains a cross-site scripting vulnerability. Note that this vulnerability is different from JVN79950061. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according...
JVN#49836527: Movable Type vulnerable to cross-site scripting
mt-wizard.cgi and Movable Type templates contain a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version of each product according to the information provided by the developer. Products...
JVN#65869891: glucose 2 vulnerable to arbitrary script execution
glucose 2 is an RSS reader. glucose 2 is vulnerable to arbitrary script execution which is inserted in RSS feed, due to the improper processing of RSS feed output. Impact An arbitrary script may be executed on the vulnerable system. Solution Update the software Update to the latest version...
JVN#70502960: phpWebSite vulnerable to cross-site scripting
phpWebSite is a content management system CMS. phpWebSite contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products...
JVN#71349007: Opengear console servers vulnerable to authentication bypass
Opengear console servers are for managing servers and network products. Opengear console servers contain an authentication bypass vulnerability. Impact A remote attacker may change the settings in the Opengear console server or gain access to products that are connected to the console server...
JVN#37223351: WebObjects vulnerable to cross-site scripting
WebObjects provided by Apple is a web application server. WebObjects contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the develope...
JVN#44496332: EC-CUBE vulnerable to SQL injection
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an issue in assembling SQL statements, leading to a SQL injection vulnerability. This vulnerability is different from JVN81111541 and JVN19072922. Impact A remote, unauthenticated attacke...
JVN#45458289: Megalith vulnerable to authentication bypass
Megalith is a bulletin board software. Megalith contains an authentication bypass vulnerability. Impact A remote attacker may obtain administrative privileges. Solution Update the software Update to the latest version according to the information provided by the developer. Products Affected...
JVN#30273074: Internet Explorer vulnerable to cross-site scripting
Microsoft Internet Explorer contains a vulnerability in handling specific UTF-7 encoded characters, which may result in cross-site scripting. Impact An arbitrary script may be executed. Solution Update the Software Apply the latest update according to the information provided by Microsoft. Produc...
JVN#01948274: Ichitaro series vulnerable to arbitrary code execution
The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. Impact When opening a specially crafted file locally or through a website, an attacker may be able to execute arbitrary code. Solution Update the Software...
JVN#25393522: Winny node information processing vulnerability
Winny is a P2P file sharing software. Winny contains a vulnerability in the processing of node information, which can be used to launch Distributed Denial of Service DDoS attacks. Impact A user may take part in a DDoS attack by a remote attacker. Solution Do not use Winny Please discontinue use o...
JVN#17293765 Ichitaro series vulnerable to arbitrary code execution
The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. Impact When opening a specially crafted file locally or through a website, an attacker may be able to execute arbitrary code. Solution Update the software...
JVN#62211338 Buffer overflow vulnerability in Microsoft Windows
Windows Media Format Runtime included in Microsoft Windows contains a buffer overflow vulnerability when parsing specific files. Impact If a user opens a specially crafted file, an attacker may execute arbitrary code. Solution Update the software Apply the update according to the information...
JVN#68640473 bingo!CMS core and bingo!CMS vulnerable to cross-site request forgery
bingo!CMS core and bingo!CMS are content management systems CMS. bingo!CMS core and bingo!CMS contain a cross-site request forgery vulnerability. Impact If a user views a malicious web page while logged into the CMS, an attacker could modify configurations or modify contents managed by CMS...
JVN#63511247 Access Analyzer CGI Professional Version vulnerability allows third party to gain administrative privileges
Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI Professional Version contains a vulnerability that allows an attacker to gain administrative privileges. Impact A remote attacker could impersonate an administrator of Access Analyzer C...
JVN#70599814 I-O DATA DEVICE HDL-F series cross-site request forgery vulnerability
The HDL-F series products provided by I-O DATA DEVICE, INC. are LAN connectable hard disk drives. Configuration of these devices are done through a web-based interface. This web interface is vulnerable to cross-site request forgery. Impact If a user views a malicious web page while logged into th...
JVN#01073312: "Piccoma" App uses a hard-coded API key for an external service
"Piccoma" App for Android and "Piccoma" App for iOS provided by Kakao piccoma Corp. use a hard-coded API key for an external service CWE-798. Impact Data in the app may be analyzed and API key for an external service may be obtained. Note that the users of the app are not directly affected by thi...
JVN#50361500: Multiple vulnerabilities in WordPress Plugin "Ninja Forms"
WordPress Plugin "Ninja Forms" provided by Saturday Drive contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3 CVE-2024-25572 Stored cross-site scripting in submit processing CWE-79...
JVN#18743512: Cybozu KUNAI for Android vulnerable to denial-of-service (DoS)
Cybozu KUNAI for Android is a client application for using Cybozu products from an Android device. Cybozu KUNAI for Android contains an issue allowing to send massive requests to the connected Cybozu product if a user performs certain operations on KUNAI, which may result in repeated session...
JVN#32739265: "NewsPicks" App uses a hard-coded API key for an external service
"NewsPicks" App for Android and "NewsPicks" App for iOS provided by NewsPicks, Inc. use a hard-coded API key for an external service CWE-798. Impact Data in the app may be analyzed and API key for an external service may be obtained. Note that the users of the app are not directly affected by thi...
JVN#48687031: Qrio Smart Lock Q-SL2 vulnerable to authentication bypass by capture-replay
Qrio Smart Lock Q-SL2 provided by Qrio, inc. contains an authentication bypass by capture-replay vulnerability CWE-294. Impact An attacker may analyze the product's communication data and perform unintended operations under certain conditions. Solution Update the firmware and related products...
JVN#62420378: TP-Link T2600G-28SQ uses vulnerable SSH host keys
TP-Link layer-2 switch T2600G-28SQ uses vulnerable SSH host keys CWE-1391. Impact The credential information for an affected device may be obtained when the administrator is tricked to login to a device which spoofs the affected device. Solution Update the Firmware Update the firmware to the late...
JVN#11257333: Ichiran App vulnerable to improper server certificate verification
Ichiran App developed by Betrend Corporation and provided by ICHIRAN INC. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the application t...
JVN#01398015: pgAdmin 4 vulnerable to directory traversal
PostgreSQL management tool pgAdmin 4 contains a directory traversal vulnerability CWE-22. Impact A user of the product may change another user's settings or alter the database. Solution Update the Software Update the software to the latest version according to the information provided by the...
JVN#74592196: bingo!CMS vulnerable to authentication bypass
bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability CWE-288 in some of the management functions. Shift Tech Inc. states that attacks exploiting this vulnerability have been observed. Impact Accessing a specific URL directly may allow a remote unauthenticated...
JVN#57728859: Movable Type XMLRPC API vulnerable to command injection
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability CWE-74. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the...
JVN#20930118: FreeBSD vulnerable to denial-of-service (DoS)
FreeBSD contains a denial-of-service DoS vulnerability CWE-400 due to improper handling of TSopt on TCP connections. Impact A remote attacker may be able to cause a denial-of-service DoS condition. Solution Update the software Update the software to the latest version according to the information...
JVN#17645965: PowerCMS XMLRPC API vulnerable to OS command injection
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed by a remote attacker. Solution In the case that not using XMLRPC API: If using as CGI/FCGI Delete mt-xmlrpc.cgi or remove execute permission to...
JVN#28218613: The management console of iDoors Reader vulnerable to authentication bypass
The management console of iDoors Reader provided by A.T.WORKS, Inc. contains an authentication bypass vulnerability CWE-288. Impact An attacker in the same segment may access the management console and operate the product. Solution Update the Firmware Apply the firmware update according to the...
JVN#91170929: Installer of SaAT Netizen may insecurely load Dynamic Link Libraries
The installer of SaAT Netizen provided by NetMove Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest...
JVN#92422409: The installer of the Ministry of Justice [The electronic authentication system based on the commercial registration system "The CRCA user's Software"] may insecurely load Dynamic Link Libraries
The electronic authentication system based on the commercial registration system "The CRCA user's Software" provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the...
JVN#93699304: Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427...
JVN#71538099: Olive Diary DX vulnerable to cross-site scripting
Olive Diary DX provided by Olive Design contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing the page parameter. Impact An artbitrary script may be executed on the user's web browser. Solution Do not use Olive Diary DX Olive Diary DX is no longer being developed or...