5627 matches found
JVN#86833991 CGI RESCUE MiniBBS2000 directory traversal vulnerability
MiniBBS2000, a message board script provided by CGI RESCUE, contains a directory traversal vulnerability. Impact A remote attacker could view files on the server where MiniBBS2000 is installed. This could lead to disclosure of file contents. Solution Update the Software Update to the latest versi...
JVN#53267766 MyNETS cross-site scripting vulnerability
MyNETS from Usagi Project is an open source SNS Social Networking Service software. MyNETS contains a cross-site scripting vulnerability. Impact If a user views a specially crafted web page, an arbitrary script may be executed on the user's web browser. As a result, user information may be...
JVN#83428818 La!cooda WIZ and LacoodaST vulnerable to cross-site request forgery
La!cooda WIZ from System Consultants Co., Ltd. and LacoodaST from SpaceTag, Inc. are groupware providing schedule and task managements, etc. La!cooda WIZ and LacoodaST contain a cross-site request forgery vulnerability. Impact Password or other configurations may be changed if the logged in user...
JVN#52363223: Cybozu Garoon vulnerable to arbitrary script execution
Cybozu Garoon, a groupware from Cybozu, contains a vulnerability that allows an attacker to execute an arbitrary script when a user views RSS feed. Impact An arbitrary script could be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the vendor...
JVN#45389864 CGIWrap error page cross-site scripting vulnerability
CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms on the web server. CGIWrap contains a cross-site scripting vulnerability as it does not specify charset in the error page. Impact An arbitrary script may be executed on the user's web browser. Solution Update...
Fujitsu Java Runtime Environment reflection API vulnerability
Overview A vulnerability exists in the reflection API in the Java Runtime Environment that may allow a Java applet to elevate its privileges bypassing its security restrictions. This problem was reported by Sun Microsystems as a vulnerability in Java Runtime Environment. Fujitsu's product is...
JVN#28356427 ColdFusion cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct a session hijacking. Solution Products Affected ColdFusion MX 7.X For more information, refer to the vendor's website...
JVN#25264194: Multiple vulnerabilities in WordPress plugin "Carousel Slider"
WordPress plugin "Carousel Slider" provided by Sayful Islam contains 2 CSRF vulnerabilities listed below. Cross-site request forgery on Carousel image selection feature CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3 CVE-2024-45269 Cross-site request forgery on Hero image...
JVN#06672778: Multiple vulnerabilities in ELECOM wireless LAN routers
Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Unrestricted Upload of File with Dangerous Type CWE-434 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.8 CVE-2024-34021 OS Command Injection CWE-78...
JVN#22376992: WebProxy vulnerable to OS command injection
WebProxy provided by LunarNight Laboratory according to the original report submitted by the reporter is software to build a proxy server. WebProxy contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed with the privilege of the running web server...
JVN#48443978: a-blog cms vulnerable to directory traversal
a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a directory traversal vulnerability CWE-22. Impact A user with editor or higher privilege who can log in to the product may obtain arbitrary files on the server including password files. Solution Update t...
JVN#37326856: Improper input validation vulnerability in WordPress Plugin "WordPress Quiz Maker Plugin"
WordPress Plugin "WordPress Quiz Maker Plugin" provided by AYS Pro Plugins contains an improper input validation vulnerability CWE-20. Impact A user of the product may use the product to perform a Denial of Service DoS attack against external services. Solution Update the plugin Update the plugin...
JVN#46993816: EC-CUBE 2 series vulnerable to cross-site scripting
EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability CWE-79 in "mail/template" and "products/product" of Management page. Impact An arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the...
JVN#19243534: ESS REC Agent Server Edition for Linux etc. vulnerable to directory traversal
ESS REC Agent Server Edition for Linux etc. provided by Encourage Technologies Co.,Ltd. contain a directory traversal vulnerability CWE-23. Impact Arbitrary files on the server may be viewed or altered by an attacker. Solution Update the software Update the software to the latest version accordin...
JVN#05288621: EasyMail vulnerable to cross-site scripting
EasyMail provided by First Net Japan Inc. contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the site using the product. Solution Update the software Update the software to the latest version accordin...
JVN#29657972: TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input
tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash CWE-228. Impact An attacker may be able to cause a denial-of-service DoS condition of the product's OneMesh function. Solution Update the software Update the software to the latest version according to the...
JVN#48120704: Movable Type plugin A-Form vulnerable to cross-site scripting
Movable Type plugin A-Form provided by ARK-Web co., ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the site using the product. Solution Update the Software Update A-Form to the latest version...
JVN#32625020: LiteCart vulnerable to cross-site scripting
LiteCart contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the web site using the product. Solution Update the software Update the software to the latest version according to the information provided by...
JVN#14134801: baserCMS vulnerable to cross-site scripting
baserCMS provided by baserCMS Users Community contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update the software to the latest version according to the information provided by the developer...
JVN#73742314: RT-AC68U vulnerable to cross-site scripting
RT-AC68U provided by ASUS Japan Inc. is a wireless LAN router. RT-AC68U contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Firmware Apply the firmware update according to the information provided by the...
JVN#36048131: Multiple I-O DATA network devices incorporating "MagicalFinder" vulnerable to OS command injection
"MagicalFinder" provided by I-O DATA DEVICE, INC. is a IP address setting tool to for I-O DATA network devices such as routers, network cameras, strages, etc. Multiple I-O DATA network devices that incorporate "MagicalFinder" contain an OS command injection vulnerability CWE-78. Impact An attacke...
MQTT.js issue in handling PUBLISH packets
Overview MQTT.js is a client library for MQTT. MQTT.js contains an issue in handling PUBLISH packets sent from an MQTT Broker. Masataka Sakaguchi, Bintatsu Noda and Hisashi Kojima of Fujitsu Laboratories Ltd.reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Installer of Charamin OMP may insecurely load Dynamic Link Libraries
Overview The installer of Charamin OMP provided by Charamin steering committee contains an issue with the DLL search path, which may lead to insecurely load Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
JVN#75514460: Installer of electronic tendering and bid opening system provided by Acquisition, Technology & Logistics Agency may insecurely load Dynamic Link Libraries
Installer of electronic tendering and bid opening system provided by Acquisition, Technology & Logistics Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact This vulnerability can be exploited when the following condition is met. ...
JVN#12281353: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains a cross-site scripting vulnerability CWE-79 due to an issue in "Messages" function of Cybozu Garoon Keitai. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#13218253: Cybozu Garoon vulnerable to information disclosure
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an information disclosure vulnerability CWE-200. Impact Cybozu Garoon uses HTTPS communication, therefore an attacker can not eavesdrop on communication under normal operations. However, if a user conducts a specific...
JVN#17980240: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an SQL injection vulnerability CWE-89 due to an issue in "MultiReport" function. Impact A user may execute arbitrary SQL commands. Solution Update the Software Update to the latest version according to the information...
JVN#14567604: Multiple vulnerabilities in WordPress plugin WP-OliveCart
WP-OliveCart provided by Olive Design is a WordPress plugin to construct a shopping site. WP-OliveCart contains the following vulnerabilities. Cross-site scripting CWE-79 - CVE-2016-4903 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS...
JVN#71462075: Splunk Enterprise and Splunk Lite vulnerable to cross-site scripting
Splunk Enterprise and Splunk Lite contain a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser by an attacker who can log-in to the system as an administrator. Solution Update the Software Update to the latest version according t...
JVN#48789425: Trend Micro Internet Security multiple vulnerabilities
Trend Micro Internet Security provided by Trend Micro Incorporated contains the following vulnerabilities. Access Restriction Flaw - CVE-2016-1225 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 5.3 CVSS v2| AV:N/AC:L/Au:N/C:P/I:N/A:N| Base...
JVN#37121456: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon is a groupware. Cybozu Garoon contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#49285177: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon is a groupware. Cybozu Garoon contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#41772178: Apache Cordova vulnerable to arbitrary plugin execution
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where arbitrary plugins may be executed. Impact Accessing a specially crafted URL may result in...
JVN#11458774: EC-CUBE fails to restrict access permissions
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Impact A logged in attacker may bypass access restrictions, or delete access restriction settings. Solution Apply the update or the patch Apply the update or the pat...
JVN#13288761: baserCMS plugin "Recruit Plugin" multiple vulnerabilities
baserCMS plugin "Recruit Plugin" contains multiple vulnerabilities: Cross-site scripting CWE-79 - CVE-2016-1169 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| Base Score: 4.0 Cross-site request forgery...
JVN#59349382: Multiple Corega wireless LAN routers vulnerable to cross-site request forgery
Multiple wireless LAN routers provided by Corega Inc contain a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged into the management screen, various administrative functions may be performed. Solution Apply a workaround The following workaround...
JVN#93535632: Log-Chat vulnerable to cross-site scripting
Log-Chat provided by Script contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products Affected Log-Ch...
JVN#22578691: Akerun - Smart Lock Robot App for iOS fails to verify SSL server certificates
Akerun - Smart Lock Robot App for iOS provided by Photosynth Inc. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information...
JVN#50899877: acmailer vulnerable to OS command injection
acmailer provided by Seeds Co.,Ltd. contains an OS command injection vulnerability CWE-78. Impact An authenticated attacker may execute an arbitrary OS command on the server. Solution Update the software Update to the latest version according to the information provided by the developer. Products...
JVN#64625488: applican vulnerable to script injection
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican is vulnerable to script injection due to an issue in proccessing URL. Impact When a user accesses a specially crafted URL through an application built using applican, an...
JVN#79633796: baserCMS vulnerable to SQL injection
baserCMS is an open-source Contents Management System CMS. baserCMS contains a vulnerability that allows an authenticated user to inject arbitrary SQL statements CWE-89. Impact A logged in attacker may execute arbitrary SQL statements. Solution Update the Software Update to the latest version...
JVN#00015036: OpenDocMan vulnerable to cross-site scripting
OpenDocMan is a document management system DMS. OpenDocMan contains a cross-site scripting vulnerability due to a processing flaw in the "redirection" parameter. Impact An arbitrary script may be executed on the user's Mozilla Firefox. Solution Update the software Update to the latest version...
JVN#96439865: EasyCTF vulnerable to session management
EasyCTF is a server side CGI used to score CTF Capture The Flag. EasyCTF contains a vulnerability in session management CWE-639. Impact A remote attacker without login credentials may log in. As a result, information may be disclosed. Solution Update the Software Update to the latest version...
JVN#30135729: SYNCK GRAPHICA Mailform Pro CGI vulnerable to remote code execution
Mailform Pro CGI provided by SYNCK GRAPHICA contains a flaw in the process of sending emails, which may result in an arbitrary code execution. Impact Arbitrary code may be executed on the server. Solution Update the Software Update to the latest version according to the information provided by th...
JVN#14522790: Smartphone Passbook fails to verify SSL server certificates
Smartphone Passbook provided by Ogaki Kyoritsu bank Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by...
JVN#87910097: i-HTTPD vulnerable to cross-site scripting
i-HTTPD is a web server for Windows. i-HTTPD contains a flaw in processing HTTP header, which may lead to cross-site scripting CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use i-HTTPD i-HTTPD is no longer being developed or maintained. It is...
JVN#61593104: ARROWS Me F-11D vulnerability where arbitrary areas may be accessed
ARROWS Me F-11D contains a vulnerability where arbitrary areas on the device may be accessed. Impact An attacker with local access may obtain or alter contents in the flash memory of the device. Solution Apply an Update Apply the update according to the information provided by the provider...
JVN#87373393: BirdBlog vulnerable to cross-site scripting
BirdBlog is a weblog software. BirdBlog contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use BirdBlog BirdBlog is no longer being developed or maintained, therefore it is recommended to stop using BirdBlog. Produc...
JVN#84335912: File Explorer vulnerable to directory traversal
File Explorer provided by NextApp, Inc. contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileg...
JVN#10603428: JR East Japan App for Android. contains an issue where it fails to verify SSL server certificates
JR East Japan App for Android. contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by...