5627 matches found
JVN#71538099: Olive Diary DX vulnerable to cross-site scripting
Olive Diary DX provided by Olive Design contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing the page parameter. Impact An artbitrary script may be executed on the user's web browser. Solution Do not use Olive Diary DX Olive Diary DX is no longer being developed or...
JVN#23549283: CG-WLR300NX fails to restrict access permissions
CG-WLR300NX provided by Corega Inc is a wireless LAN router. CG-WLR300NX fails to restrict access permissions. Impact An attacker who can access the product may perform an arbitrary operation in the product while an administrator logs in. Solution Update the Firmware Update to the latest version ...
JVN#08736331: Cybozu Office vulnerable to mail header injection
Cybozu Office contains a mail header injection vulnerability in the process of sending emails. Impact If a user is tricked into sending a specially crafted request, the header of the email to be sent may be altered. As a result, unintended emails may be sent. Solution Update the Software Update t...
JVN#03052683: Cybozu Mailwise vulnerable to information disclosure
Cybozu Mailwise contains an information disclosure vulnerability in the page where CGI environment variables are displayed. Cookie that contains session information has httponly attribute, and the Cookie value cannot be obtained by JavaScript code. However, Cookie values can be obtained in the pa...
JVN#26298347: Cybozu Garoon vulnerable to denial-of-service (DoS)
Cybozu Garoon is a groupware. Cybozu Garoon contains a denial-of-service DoS vulnerability. Impact An attacker may be able to cause a denial-of-service DoS that consumes system resources. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#56167268: HumHub vulnerable to cross-site scripting
HumHub is a software framework for developing a social networking service SNS. HumHub contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provide...
JVN#89026267: kintone mobile for Android information management vulnerability
kintone mobile for Android provided by Cybozu, Inc. contains an authentication information management vulnerability. Impact If using Android versions prior to 4.1, the token may be disclosed by an application with READLOGS permission or by a user who can access the device. If using Android versio...
JVN#20246313: Cybozu Office vulnerable to denial-of-service (DoS)
Cybozu Office contains a denial-of-service DoS vulnerability due to an issue in "customapp". Impact An authenticated attacker may cause a denial-of-service DoS condition which all users can not use the system. Solution Update the Software Update to the latest version according to the information...
JVN#96312698: osCommerce Japanese version vulnerable to directory traversal
osCommerce is an open source system for creating shopping websites. osCommerce Japanese version contains a directory traversal vulnerability. Impact A user who can log in to the system as an administrator may obtain arbitrary files on the server. Solution Update the Software Update to the latest...
JVN#74280258: MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions CWE-264. Impact A remote attacker may alter product settings. Solution Update the Software Update to the latest version according to the information provided by...
JVN#91383083: Seasar S2Struts vulnerable to input validation bypass
The Validator in Apache Struts 1.1 and later contains a function MPV -- Multi Page Validator to efficiently define rules for input validation across multiple pages during screen transitions. The MPV contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validato...
JVN#58784309: Maruo Editor vulnerable to buffer overflow
Maruo Editor provided by Saitoh Kikaku contains a buffer overflow vulnerability due to a flaw in processing a specially crafted .hmbook file CWE-119. Impact By processing a specially crafted .hmbook file, arbitrary code may be executed. Solution Update the Software Update to the latest version...
JVN#63687798: Maroyaka Simple Board vulnerable to cross-site scripting
Maroyaka Simple Board provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Simple Board contains a persistent cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest...
JVN#63949115: SEIL Series routers vulnerable to denial-of-service (DoS)
The PPP Access Concentrator PPPAC in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service DoS vulnerability due to a flaw in processing SSTP packets. Impact Receiving a specially crafted SSTP packet may result in the device becoming unresponsive. Solution...
JVN#18387086: Saurus CMS Community Edition vulnerable to cross-site scripting
Saurus CMS Community Edition is open source software to manage and build websites. Saurus CMS Community Edition contains multiple cross-site scripting vulnerabilities. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Apply the appropriate update...
JVN#80531230: jigbrowser+ for iOS same origin policy bypass
jigbrowser+ for iOS contains a flaw in loading web pages, which may allow an attacker to bypass the same origin policy. Impact By using JavaScript, an attacker may obtain sensitive data from a different domain in violation of the same origin policy. Solution Update the Software Update to the late...
JVN#85571806: SX-2000WG vulnerable to denial-of-service (DoS)
SX-2000WG provided by silex technology, Inc. is a product that provides wireless connectivity for USB devices such as printers and hard disk drives HDD. SX-2000WG contains an issue in the processing of TCP Option header, which may cause a denial-of-service DoS. Impact A remote attacker may cause...
JVN#07677464: 050 plus for Android information management vulnerability
050 plus provided by NTT Communications is an IP phone application for smartphones. 050 plus for Android contains an information management vulnerability that outputs some pieces of information stored by the product to a system log file on the device. Impact Android applications with permissions ...
JVN#82375148: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a SQL injection vulnerability in the Space function. Impact A user who can log in to the product may execute an arbitrary SQL command in the database that the product is referencing. Solution Update the Software Update ...
JVN#85336306: Use-after-free vulnerability in multiple products that use International Components for Unicode (ICU)
International Components for Unicode ICU is a library for handling Unicode strings. A C version, ICU4C and a Java version, ICU4J are available. Multiple products that use ICU4C contain a use-after-free vulnerability. ICU released ICU4C version 52.1 that addresses this vulnerability on October 9,...
JVN#52509236: HDL-A and HDL2-A Series vulnerable in session management
HDL-A and HDL2-A Series provided by I-O DATA DEVICE, INC. are LAN connectable hard disk drives. HDL-A and HDL2-A Series contain a vulnerability related to the management of sessions. Impact A remote unauthenticated attacker may impersonate a user. As a result, information may be disclosed or...
JVN#43152129: SEIL Series routers vulnerable to buffer overflow
The PPP Access Concentrator PPPAC in SEIL Series routers provided by Internet Initiative Japan Inc. contains a buffer overflow vulnerability in processing L2TP messages. Impact An attacker may execute an arbitrary code on the vulnerable system. Solution Update the Firmware Apply the appropriate...
JVN#26103805: Oracle Enterprise Manager vulnerable to cross-site scripting
Oracle Enterprise Manager provided by Oracle contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply an Update Update to the latest version according to the information provided by the developer. Products Affected...
JVN#55074201: Yahoo! Browser vulnerable to address bar spoofing
Yahoo! Browser contains an issue when opening a new window, which may result in the address bar being spoofed. Impact This vulnerability could be leveraged to forge the contents of the address bar for conducting phishing attacks. Solution Update the software Update to the latest version according...
JVN#11434157: OpenWnn/Flick support vulnerable to information disclosure
OpenWnn/Flick support is a Japanese Input Method Editor IME for Android devices. OpenWnn/Flick support contains an issue in the access permissions for the certain files. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product...
JVN#78601526: GREE for Android vulnerable to directory traversal
GREE for Android contains an issue in handling URL inputs, which may result in a directory traversal vulnerability. Impact If a user of the affected product uses another malicious Android application, information managed by the affected product may be disclosed. Solution Update the software Updat...
JVN#53269985: Welcart vulnerable to cross-site request forgery
Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a cross-site request forgery vulnerability. Impact If a logged in user views a malicious page after an item has been added in the shopping cart, the purchase process may unexpectedly be complete...
JVN#38163638: Flash Player issue in implementations of the Same Origin Policy
SoundMixer.computeSpectrum method, included in Flash Player, contains an issue in implementations of the Same Origin Policy. Impact An attacker may obtain sound spectrum data that user playing in violation of the same-origin policy. Solution Update the Software Update to the latest version...
JVN#39707339: Opera fails to verify SSL server certificates
Opera is a web browser. Opera contains an issue where it fails to verify SSL server certificates. Impact The user may unknowingly connect to a site that is using a certificate not authorized by a CA. As a result, the user may become a victim of phishing. Solution Update the software Update to the...
JVN#00000601: TwitRocker2 (Android version) vulnerable in the WebView class
TwitRocker2 is a client software for using twitter. TwitRocker2 Android version contains a vulnerability in the WebView class. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed. Solution Update the...
JVN#79950061: Jenkins vulnerable to cross-site scripting
Jenkins is a continuous integration CI tool. Jenkins contains a cross-site scripting vulnerability. Note that this vulnerability is different from JVN14791558. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according...
JVN#70683217: Movable Type vulnerable to cross-site request forgery
Movable Type contains a cross-site request forgery vulnerability in entering comments and community functionality. Impact If a user views a malicious page while logged in, settings may be changed, data may be viewed or altered. Solution Update the software Update to the latest version for each...
JVN#64386898: osCommerce vulnerable to cross-site scripting
osCommerce is an open source system for creating shopping websites. osCommerce contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by th...
JVN#44642341: Juniper Networks IDP ACM vulnerable to cross-site scripting
Juniper Networks IDP ACM provides a web interface for changing configurations in the IDP. The ACM contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the...
JVN#96950482: Mozilla Firefox vulnerable to cross-site scripting
Mozilla Firefox contains a vulnerability in the rendering of specific numeric character references, which may result in cross-site scripting. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the informatio...
JVN#47757122: Opera vulnerable to denial-of-service (DoS)
Opera is a web browsing software. Opera contains an issue when attempting to resolve an invalid URL leading to a denial-of-service vulnerability. Impact If a user accesses a malicious URL, this may cause Opera or the system to crash. Solution Update the software Update to the latest version...
JVN#01635457: e107 vulnerable to cross-site scripting
e107 provided by e107.org is a Content Management System CMS software. e107 contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the...
JVN#30414126: Ruby Version Manager escape sequence injection vulnerability
Ruby Version Manager is a command line tool for managing multiple ruby environments. Ruby Version Manager contains an escape sequence injection vulnerability. Impact A user may unknowingly open a malicious file. As a result, the string that is output on the terminal may contain an arbitrary escap...
JVN#88850043: Lhasa may insecurely load executable files
Lhasa is a file extraction software that supports LZH and ZIP formats. Lhasa loads certain executables .exe when extracting files. Lhasa contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of running...
JVN#14313132 Cisco Router and Security Device Manager vulnerable to cross-site scripting
Cisco Router and Security Device Manager SDM is a web-based device management tool for Cisco routers. Cisco Router and Security Device Manager SDM contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Upda...
JVN#20219071 PHP-I-BOARD from Let's PHP! vulnerable to cross-site scripting
PHP-I-BOARD from Let's PHP! is a bulletin board software. PHP-I-BOARD contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#57036470 Cross-site scripting vulnerability in leger (free edition)
leger free edition from 'AD2000' is a software to manage conference room reservations. leger free edition contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#86833991 CGI RESCUE MiniBBS2000 directory traversal vulnerability
MiniBBS2000, a message board script provided by CGI RESCUE, contains a directory traversal vulnerability. Impact A remote attacker could view files on the server where MiniBBS2000 is installed. This could lead to disclosure of file contents. Solution Update the Software Update to the latest versi...
JVN#53267766 MyNETS cross-site scripting vulnerability
MyNETS from Usagi Project is an open source SNS Social Networking Service software. MyNETS contains a cross-site scripting vulnerability. Impact If a user views a specially crafted web page, an arbitrary script may be executed on the user's web browser. As a result, user information may be...
JVN#83428818 La!cooda WIZ and LacoodaST vulnerable to cross-site request forgery
La!cooda WIZ from System Consultants Co., Ltd. and LacoodaST from SpaceTag, Inc. are groupware providing schedule and task managements, etc. La!cooda WIZ and LacoodaST contain a cross-site request forgery vulnerability. Impact Password or other configurations may be changed if the logged in user...
JVN#52363223: Cybozu Garoon vulnerable to arbitrary script execution
Cybozu Garoon, a groupware from Cybozu, contains a vulnerability that allows an attacker to execute an arbitrary script when a user views RSS feed. Impact An arbitrary script could be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the vendor...
JVN#45389864 CGIWrap error page cross-site scripting vulnerability
CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms on the web server. CGIWrap contains a cross-site scripting vulnerability as it does not specify charset in the error page. Impact An arbitrary script may be executed on the user's web browser. Solution Update...
JVN#28356427 ColdFusion cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct a session hijacking. Solution Products Affected ColdFusion MX 7.X For more information, refer to the vendor's website...
JVN#25264194: Multiple vulnerabilities in WordPress plugin "Carousel Slider"
WordPress plugin "Carousel Slider" provided by Sayful Islam contains 2 CSRF vulnerabilities listed below. Cross-site request forgery on Carousel image selection feature CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3 CVE-2024-45269 Cross-site request forgery on Hero image...
JVN#06672778: Multiple vulnerabilities in ELECOM wireless LAN routers
Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Unrestricted Upload of File with Dangerous Type CWE-434 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.8 CVE-2024-34021 OS Command Injection CWE-78...