5625 matches found
JVN#71138390: Apsaly may insecurely load executable files
Apsaly is a text editor that can interact with other applications. Apsaly loads certain executables when opening the folder that contains the file that is being edited, or when a particular sequence of actions are performed. Apsaly contains an issue with the file search path, which may insecurely...
JVN#87730223 Multiple Cybozu products vulnerable to authentication bypass
Multiple Cybozu products contain an issue in which the login page for mobile devices is not properly restrcited, leading to an authentication bypass vulnerability. As a result, an attacker may impersonate a user of a Cybozu product. Impact A remote attacker may view or modify information stored b...
JVN#19774883 MODx vulnerable to SQL injection
MODx provided by the MODx CMS Project is a Contents Management System CMS software. MODx contains a SQL injection vulnerability. Impact A remote attacker may view or modify information stored by the product. Solution Update the Software Update to the latest version according to the information...
JVN#72974205 Roundcube Webmail vulnerable to cross-site request forgery
Roundcube Webmail is an open source webmail client from the Roundcube Webmail Project. Roundcube Webmail contains a cross-site request forgery vulnerability. This issue is different from JVN33820033 and JVN75694913. Impact An attacker may be able to alter the user information within Roundcube...
JVN#65914253 Directory traversal vulnerability in multiple phpspot products
Multiple products BBS Software etc. provided by phpspot contain a directory traversal vulnerablility. Impact A remote attacker could view files on the server where the product is installed. This could lead to disclosure of contents. Solution Update the software Update to latest version according ...
JVN#86472161 Movable Type cross-site scripting vulnerability
Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is a different vulnerability than past reports on JVN. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest versio...
JVN#12244807 Cross-site scripting vulnerability in PukiWikiMod from XOOPS Maniac
PukiWikiMod from XOOPS Maniac is a contents management software for XOOPS. PukiWikiMod contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to latest version according to the information provided b...
JVN#66905322: Apache Tomcat information disclosure vulnerability
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page JSP technologies. Apache Tomcat contains a vulnerability which may result in the disclosure of POSTed content from a previous request. Impact A remote attacker could possibly obtain user...
JVN#36802959 MyNETS cross-site scripting vulnerability
MyNETS from Usagi Project is an open source SNS Social Networking Service software. MyNETS contains a cross-site scripting vulnerability. Impact If a user views a specially crafted web page, an arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the...
JVN#92651529 Nucleus EUC-JP Japanese Edition vulnerable to cross-site scripting
Nucleus is an open source content management system provided by The Nucleus Group. Nucleus EUC-JP Japanese Edition contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the specific web browser. Solution Update the Software Apply the latest update provided b...
JVN#18405927 Multiple Cybozu products vulnerable to cross-site request forgery
Multiple Cybozu products contain a cross-site request forgery vulnerability. Impact If a user views a malicious web page while logged onto the Cybozu web interface, the user's schedules and other configuration settings may be altered. Solution Update the Software Apply the latest updates provided...
JVN#84798830 Denial of service vulnerability in Ruby CGI library (cgi.rb)
Impact A remote attacker could possibly conduct a DoS attack on a Ruby server by sending it a specially crafted request. Solution Products Affected 1.8 series 1.8.5 and all previous versions Developer version 1.9 series 2006-12-04 and all previous versions For more information, refer to the...
JVN#77105349 XOOPS cross-site scripting vulnerability
Impact A remote attacker may upload a script to be executed by a user reading a private message or a forum article. This may allow a remote attacker to perform a session-hijacking and manipulate the screens after the user logs in. Solution Products Affected XOOPS 2.0.12 JP and earlier XOOPS...
JVN#74538317: Multiple vulnerabilities in Exment
Exment provided by Kajitori Co.,Ltd contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource CWE-732 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N Base Score 3.8 CVE-2024-46897 Stored Cross-site Scripting CWE-79...
JVN#81570776: "@cosme" App fails to restrict custom URL schemes properly
"@cosme" App provided by istyle Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to access an...
JVN#32529796: Multiple products from KINGSOFT JAPAN vulnerable to path traversal
KINGSOFT JAPAN, INC. provides Kingsoft Office Software's WPS Office and its related products localized for Japan. WPS Office and its related products provided by KINGSOFT JAPAN, INC. contain a path traversal vulnerability CWE-22, CVE-2024-7262, CVE-2024-7263 due to inadequate file path validation...
JVN#34977158: WordPress plugins "WP Tweet Walls" and "Sola Testimonials" vulnerable to cross-site request forgery
WordPress plugins "WP Tweet Walls" and "Sola Testimonials" provided by Sola Plugins contain a cross-site request forgery vulnerability CWE-352. Impact While a user logs in to the WordPress site where the affected plugin is enabled, accessing a malicious page may make the user perform unintended...
JVN#96154238: Android App "Spoon" uses a hard-coded API key for an external service
Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service CWE-798. Impact The hard-coded API key may be retrieved when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service. Note that t...
JVN#46895889: RakRak Document Plus vulnerable to path traversal
RakRak Document Plus provided by Sumitomo Electric Information Systems Co., Ltd. contains a path traversal vulnerability CWE-22. Impact Arbitrary files on the server may be obtained or deleted by a user of the product with specific privileges. Solution Update the Software Update the software to t...
JVN#80476432: web2py vulnerable to OS command injection
web2py web application framework contains an OS command injection vulnerability CWE-78. Impact When web2py is configured to use notifySendHandler for logging not the default configuration, a crafted web request may execute an arbitrary OS command on the web server using the product. Solution Upda...
JVN#72418815: Pgpool-II vulnerable to information disclosure
Pgpool-II is cluster management tool. Pgpool-II contains an information disclosure vulnerability CWE-200 in its watchdog function. Note that, only systems that meet all of the following setting requirements are affected by this vulnerability. Watchdog function is enabled usewatchdog = on "query...
JVN#02158640: web2py vulnerable to open redirect
web2py contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update the software to the latest version accordi...
JVN#32962443: SHIRASAGI vulnerable to cross-site scripting
SHIRASAGI provided by SHIRASAGI Project contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is using the product. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#28659051: T&D Data Server and THERMO RECORDER DATA SERVER vulnerable to directory traversal
T&D Data Server and THERMO RECORDER DATA SERVER provided by T&D Corporation contain a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed by a remote attacker. Solution Update the software Update the software to the latest version according to the...
JVN#19482703: Wi-Fi STATION SH-52A vulnerable to cross-site scripting
Wi-Fi STATION SH-52A provided by NTT DOCOMO, INC. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the WebUI of the product. Solution Apply an Update Apply the update according to the information...
JVN#70615027: The installer of Anshin net security for Windows may insecurely load Dynamic Link Libraries
Anshin net security for Windows provided by KDDI CORPORATION is an Internet Security suite. The installer of Anshin net security for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with...
JVN#41185163: Installers of the screensavers provided by JAPAN AIR SELF DEFENSE FORCE, MINISTRY OF DEFENSE may insecurely load Dynamic Link Libraries
Installers of the screensavers provided by JAPAN AIR SELF DEFENSE FORCE, MINISTRY OF DEFENSE contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact This vulnerability can be exploited when the following condition is met. If this vulnerabilit...
JVN#96681653: WinSparkle issue where registry value is not validated
When an application that uses WinSparkle is launched, it checks the directory used by WinSparkle for temporary files and deletes any temporary files. This directory path is specified in a registry key. In a situation where an attacker has modified the specific registry value used by this library,...
JVN#16200242: Cybozu Garoon vulnerable to directory traversal
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains a directory traversal vulnerability CWE-22. Impact A user may obtain arbitrary files managed by the product. Solution Update the Software Update to the latest version according to the information provided by the develope...
JVN#55826471: WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the develope...
JVN#75028871: CG-WLR300GNV Series does not limit authentication attempts
CG-WLR300GNV and CG-WLR300GNV-W provided by Corega Inc are wireless LAN routers. The WPS functionality in CG-WLR300GNV Series does not limit PIN authentication attempts, making it susceptible to brute force attacks. Impact An unauthenticated attacker within wireless range of the device may perfor...
JVN#55428526: Deep Discovery Inspector vulnerable to remote code execution
Deep Discovery Inspector provided by Trend Micro Incorporated contains a remote code execution vulnerability. Impact An attacker who can access the product as an administrator may execute arbitrary code with the root privilege. Solution For Deep Discovery Inspector 3.5 and later: Apply the patch...
JVN#24143619: WebARENA formmail vulnerable to cross-site scripting
formmail used for the WebARENA Service provided by NTT PC Communications Incorporated contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information...
JVN#43076390: Web Mailing List vulnerable to cross-site scripting
Web Mailing List provided by Epoch Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#47164236: AQUOS Photo Player HN-PP150 vulnerable to cross-site request forgery
AQUOS Photo Player HN-PP150 provided by Sharp Corporation contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page, information such as settings may be altered unintentionaly. Solution Update the Firmware Update to the latest firmware version according ...
JVN#28042424: Cybozu Office vulnerable to information disclosure
Cybozu Office contains an information disclosure vulnerability in the mail function. Impact When a specially crafted mail is opened, images files accessible by authenticated users may be obtained by a third-party. Solution Update the Software Update to the latest version according to the...
JVN#22533124: Adobe Flash Player issue where iframe contents may be overwritten
Adobe Flash Player contains an issue where the same-origin policy may be bypassed leading to iframe contents being overwritten. Impact Processing specially crafted Flash content may lead to iframe contents being overwritten. Solution Apply an Update Update to the latest version according to the...
JVN#72891124: p++BBS vulnerable to cross-site scripting
p++BBS provided by Let's PHP! contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Apply an Update Update to the latest version according to the information provided by the developer. Products Affected p++BBS...
JVN#18889193: Apache Cordova vulnerable to improper application of whitelist restrictions
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. Android applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied. Impact Accessing a specially crafted URL...
JVN#27462572: AjaXplorer vulnerable to directory traversal
AjaXplorer contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact An authenticated attacker may view files on the server. Solution Use Pydio The developer states that the development of AjaXplorer has been discontinued and there are no...
JVN#00015036: OpenDocMan vulnerable to cross-site scripting
OpenDocMan is a document management system DMS. OpenDocMan contains a cross-site scripting vulnerability due to a processing flaw in the "redirection" parameter. Impact An arbitrary script may be executed on the user's Mozilla Firefox. Solution Update the software Update to the latest version...
JVN#69175956: Photo Gallery CMS for PC, smartphone and feature phone (Free) vulnerable to cross-site scripting
Photo Gallery CMS for PC, smartphone and feature phone Free provided by PHP Kobo contains a cross-site scripting CWE-79 vulnerability in admin.php. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Replace admin.php with a new version according to...
JVN#77386811: Explorer+ File Manager vulnerable to directory traversal
Explorer+ File Manager provided by Droidware UK contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has...
JVN#51176150: ZenPhoto20 vulnerable to cross-site scripting
ZenPhoto20 is a content management system CMS. ZenPhoto20 contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing encoded user-supplied input. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version...
JVN#41281927: LINE vulnerable to script injection
LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM man-in-the-middle attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM man-in-the-middle attacker. Impac...
JVN#09871547: Maroyaka Image Album vulnerable to cross-site scripting
Maroyaka Image Album provided by Maroyaka CGI is a CGI script for placing image files within a website. Maroyaka Image Album contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest versi...
JVN#62298871: KENT-WEB Clip Board vulnerability where arbitary files may be deleted
Clip Board provided by KENT-WEB is a bulletin board software that allows users to upload binary files such as image files. KENT-WEB Clip Board contains a vulnerability that may allow a remote attacker to delete arbitrary files. Impact A remote attacker may delete arbitrary files on the server...
JVN#55365709: AL-Mail32 vulnerable to denial-of-service (DoS)
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a denial-of-service DoS vulnerability due to a flaw in processing attachments. Impact Processing an attachment with a specially crafted file name may cause the software to become unresponsive. Solution Upda...
JVN#96155055: PerlTreeBBS vulnerable to cross-site scripting
PerlTreeBBS from Homepage Decorator is a tree-structured bulletin board software. PerlTreeBBS contains a persistent cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according ...
JVN#63587560: Huawei E5332 vulnerable to denial-of-service (DoS)
Huawei E5332 provided by Huawei Technologies is a mobile router. Huawei E5332 contains an issue when processing a GET request that contains an extremely long parameter, which lead to the device rebooting. Impact An attacker that can send requests to the device may cause the device to become...