5625 matches found
JVN#58407606: Unlimited Sitemap Generator vulnerable to cross-site request forgery
Unlimited Sitemap Generator provided by XML-Sitemaps contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the software Update the software to the latest version according to th...
JVN#81658818: Multiple vulnerabilities in RevoWorks Browser
RevoWorks Browser provided by J’s Communication Co., Ltd. is a virtual browser which enables internet isolation. It provides the function that enables access to drives, folders, files, and registries under the isolated environment from the local environment when running the web browser. RevoWorks...
JVN#42164352: GroupSession fails to restrict access permissions
GroupSession provided by Japan Total System Co.,Ltd. is open source groupware. GroupSession fails to restrict access permissions. Impact An authenticated attacker may obtain other user's senisitive information such as email. Solution Update the Software Update to the latest version according to t...
JVN#85512750: Empirical Project Monitor - eXtended vulnerable to cross-site scripting
Empirical Project Monitor - eXtended provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Empirical Project Monitor - eXtended The...
JVN#25598952: ​CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Impact An unauthenticated remote attacker may create a request of return an item that a consumer has purchased. Solution Update the Software Update to the latest versi...
JVN#01014759: LaLa Call App for Android fails to verify SSL server certificates
LaLa Call App for Android provided by K-Opticom Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provid...
JVN#12124922: WEB SCHEDULE vulnerable to cross-site scripting
WEB SCHEDULE provided by Olive Design contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing the month parameter. Impact An artbitrary script may be executed on the user's web browser. Solution Do not use WEB SCHEDULE WEB SCHEDULE is no longer being developed or...
JVN#16200242: Cybozu Garoon vulnerable to directory traversal
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains a directory traversal vulnerability CWE-22. Impact A user may obtain arbitrary files managed by the product. Solution Update the Software Update to the latest version according to the information provided by the develope...
JVN#09736331: Cybozu Office vulnerable to information disclosure
Cybozu Office contains an information disclosure vulnerability in the page where CGI environment variables are displayed. Cookie that contains session information has httponly attribute, and the Cookie value cannot be obtained by JavaScript code. However, Cookie values can be obtained in the page...
JVN#46087986: Multiple plugins for Geeklog IVYWE edition vulnerable to cross-site scripting
Geeklog is an open source content management system CMS. The Geeklog IVYWE edition plugins Assist, dataBox, and userBox each contain a cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the web browser of a user who is logged on as an administrator. Solution...
JVN#96052093: ETX-R vulnerable to denial-of-service (DoS)
ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a denial-of-service DoS vulnerability. Impact A remote unauthenticated attacker may cause the web server on the product to be terminated abnormally. Solution Apply a Workaround The following workarounds may mitigate the...
JVN#48847535: Trend Micro enterprise products multiple vulnerabilities
Multiple enterprise products provided by Trend Micro Incorporated contain the following vulnerabilities. Directory Traversal - CVE-2016-1223 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 4.3 CVSS v2| AV:A/AC:L/Au:N/C:P/I:N/A:N| Base Score:...
JVN#41875357: ActiveX control for EVA Animator vulnerable to buffer overflow
ActiveX control for EVA Animator provided by Sharp Corporation contains a buffer overflow vulnerability. Impact If a user views a malicious page, arbitrary code may be executed. Solution Remove ActiveX control for EVA Animator The EVA Animator service ended and the related website for its service...
JVN#71428831: Cybozu Office vulnerable to open redirect
Cybozu Office contains an open redirect vulnerability in network functions. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the latest version...
JVN#12165579: Vine MV vulnerable to cross-site scripting
Vine MV contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected Vine MV prior to commit...
JVN#43344629: Welcart vulnerable to SQL injection
Welcart provided by Collne Inc. is a WordPress plugin. Welcart contains an SQL injection vulnerability CWE-89 due to a flaw in the processing of searchcolumn and switch parameter in admin.php. Impact An unauthenticated attacker may obtain or alter information stored in the database. Solution Appl...
JVN#51046809: ArcSight Management Center and ArcSight Logger vulnerable to cross-site scripting
ArcSight Management Center and ArcSight Logger from Hewlett-Packard Development Company L.P. contain a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#97278546: EC-CUBE vulnerable to cross-site request forgery
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page, arbitrary PHP code may be executed on the server. Solution Update or apply the patch Update to the...
JVN#08535069: MATCHA SNS vulnerable to code injection
MATCHA SNS provided by ICZ Corporation is an SNS software. MATCHA SNS contains a code injection CWE-94 vulnerability due to a flaw when configuring the database during installation. Impact An unauthenticated attacker who can execute the installer may execute arbitrary PHP code on the server where...
JVN#79633796: baserCMS vulnerable to SQL injection
baserCMS is an open-source Contents Management System CMS. baserCMS contains a vulnerability that allows an authenticated user to inject arbitrary SQL statements CWE-89. Impact A logged in attacker may execute arbitrary SQL statements. Solution Update the Software Update to the latest version...
JVN#19948778: Photon vulnerable to URL whitelist bypass
Photon provided by Newphoria Corporation Inc. is an application for Android built using "applican". Photon contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Impact Android version of this app may allow an applican API to be executed if th...
JVN#41048401: Japan Connected-free Wi-Fi vulnerable to script injection
Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. is vulnerable to script injection when displaying malformed strings contained in SSID. Impact When the device running the app connects to an access point and its SSID contains malicious script, the script may be executed. Solutio...
JVN#09283606: desknet's NEO vulnerable to directory traversal
desknet's NEO provided by NEOJAPAN Inc. contains a directory traversal CWE-22 vulnerability where it fails to verify html parameter in zhtml.cgi. Impact An authenticated attacker may view arbitrary files on the server. Solution Update the Software Update to the latest version according to the...
JVN#81207766: Rakuten card App for iOS fails to verify SSL server certificates
Rakuten card App for iOS provided by Rakuten Card Co., Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided ...
JVN#92828286: Welcart vulnerable to SQL injection
Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a SQL injection CWE-89 vulnerability due to the processing of changeSort parameter in admin.php. Impact An attacker that can log in to WordPress with this plugin enabled may obtain or alter...
JVN#98447310: NetFlow Analyzer vulnerable to cross-site scripting
NetFlow Analyzer provided by Zoho Corporation is a traffic analysis tool. NetFlow Analyzer contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software build and apply the patch Update the software to build 10250...
JVN#12329472: Lhaplus vulnerable to remote code execution
Lhaplus is a file compression/decompression software. Lhaplus contains a remote code execution vulnerability. Impact Decompressing a specially crafted file name may result in an arbitrary code execution. Solution Update the Software Update to the latest version according to the information provid...
JVN#97384696: TSUTAYA App for Android vulnerable to arbitrary Java method execution
TSUTAYA App for Android contains a vulnerability where an arbitrary Java method may be executed. Impact When viewing a specially crafted web page, an arbitrary Java method may be executed. Solution Update the software Update to the latest version according to the information provided by the...
JVN#09717399: Piwigo vulnerable to cross-site scripting
Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply a patch Apply the patch according to the information provided by the developer. According to t...
JVN#42511610: acmailer contains a cross-site request forgery vulnerability
Several cgi programs in acmailer contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, information registered in the product may be altered or deleted, or in some cases, the authorization privilege can be stolen. Solution Update the Software...
JVN#31230946: Cybozu Garoon API access restriction bypass vulnerability
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability when using APIs. Impact Users who can log in to the system may delete schedule information that they do not have permission to edit. Solution Update the Software Update to the...
JVN#38227002: Unzipper vulnerable to directory traversal
Unzipper provided by R-Company contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#50943964: phpMyFAQ vulnerable to cross-site request forgery
phpMyFAQ is an open source FAQ software. phpMyFAQ contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, settings may be changed unintentionally. Solution Apply an Update Update to the latest version according to the information provided by t...
JVN#41703192: TOWN (modified version) vulnerable to directory traversal
TOWN modified version provided by Tattyan's HP contains a directory traversal vulnerability. Impact A remote attacker may obtain arbitrary files on the server. Solution Apply an update Update to the latest version according to the information provided by the developer. Products Affected TOWN...
JVN#01094166: Opera vulnerable to cross-site scripting
Opera is a web browser. Opera contains a cross-site scripting vulnerability when the page encoding settings are set to UTF-8. Impact An arbitrary script may be executed on the user's web browser. Solution Apply an Update Update to the latest version according to the information provided by the...
JVN#68156832: Yafuoku! contains an issue where it fails to verify SSL server certificates
Yafuoku! provided by Yahoo Japan Corporation contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the informati...
JVN#91387819: mora Downloader may insecurely load executable files
mora Downloader contains an issue in the file search path when loading files, which may insecurely load executables or other files. Impact An attacker may execute arbitrary code with the privilege of the running application. Solution Update the software Update to the latest version according to t...
JVN#23328321: Puella Magi Madoka Magica iP for Android vulnerable to information disclosure
Puella Magi Madoka Magica iP for Android has a function to link with a Twitter account. Puella Magi Madoka Magica iP for Android contains an issue where Twitter account credentials entered by a user are saved in a log file in plain text. Impact Android applications with permissions to read system...
JVN#53465692: baserCMS vulnerable to session management
baserCMS is an open-source Contents Management System CMS. baserCMS contains a vulnerability in session management. Impact If a web server is hosting several websites, and baserCMS are installed on the respective websites, an administrator of a baserCMS can access baserCMS instance of the other...
JVN#15503729: OSQA vulnerable to cross-site scripting
OSQA is an open source question and answer system. OSQA contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply a patch Apply the patch according to the information provided the developer. According to the developer, this...
JVN#82029095: sp mode mail issue in the verification of SSL certificates
sp mode mail provided by NTT DOCOMO contains an issue in the verification of the SSL server certificate. Impact Since no warning is issued when connecting to a server that is using an invalid SSL server certificate, a remote attacker may be able to intercept communications. Solution Update the...
JVN#08871006: ES File Explorer fails to restrict access permissions
ES File Explorer provided by EStrongs Inc. is a file and application manager. ES File Explorer contains an issue where access permissions are not restricted. Impact When using a specific function, a remote attacker may obtain local files that the application has permissions to view. Solution Upda...
JVN#78901873: Wibu-Systems CodeMeter Runtime vulnerable to denial-of-service
CodeMeter Runtime provided by Wibu-Systems AG contains an issue when processing TCP packets, which may lead to a denial-of-service DoS. Impact A remote attacker may be able to cause a denial-of-service DoS. Solution Update the software Update to the latest version according to the information...
JVN#50227837: Touhou Hisouten vulnerable to denial-of-service
Touhou Hisouten from Twilight Frontier is a video game which has an online match mode. Touhou Hisouten contains an issue when processing network traffic, which may result in a denial-of-service DoS. Impact A remote attacker may cause an unexpected application termination. Solution Apply a patch...
JVN#04013920: Pligg vulnerable to cross-site scripting
Pligg is a Content Management System CMS. Pligg contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products Affected...
JVN#29529126: Samba Web Administration Tool vulnerable to cross-site request forgery
Samba Web Administration Tool SWAT allows for Samba configuration through a web interface. SWAT contains a cross-site request forgery vulnerability. SWAT is disabled in a default configuration of Samba. Impact When a user is logged in to SWAT as root, an attacker may change configurations in Samb...
JVN#47124169: Oracle iPlanet Web Server information disclosure vulnerability
Oracle iPlanet Web Server formerly Sun Java System Web Server is a web server. Oracle iPlanet Web Server contains an information disclosure vulnerability. Impact A remote attacker may obtain source code. Solution Update the software Update to the latest version according to information provided b...
JVN#86220950: Google Search Appliance vulnerable to cross-site scripting
Google Search Appliance from Google is a product that provides searching services for an intranet service or a website. Google Search Appliance contains a cross-site scripting vulnerability. Impact An arbitrary script may executed on the user's web browser. Solution Update the software Update to...
JVN#99175647: Virus Buster 2009 key input encryption function vulnerability
The key input encryption function in Virus Buster 2009 contains a vulnerability where a portion of password that is entered in the web browser is not properly encrypted. Impact When input information is stolen by a key logger, portions of the information may be leaked in plaintext. Solution Updat...
JVN#48425028: Flash Player access restriction bypass vulnerability
When Flash Player references a different website than the site where Flash contents are hosted, the referenced site must be allowed access by the cross-domain policy file. Flash Player contains a vulnerability where access restrictions set by the cross-domain policy file may be bypassed. Impact...