5625 matches found
JVN#70858401 Buffer overflow vulnerability in Microsoft Works converters
Microsoft Works converters contain a buffer overflow vulnerability when processing Works .wps files. Impact If a user opens a malicious Works file, an attacker may execute arbitrary code. Solution Update the software Update to latest version according to the information provided by Microsoft...
JVN#72630020 MODx vulnerable to SQL injection
MODx, an open source contents management system, contains a SQL injection vulnerability in the MODx Control Panel. Impact A remote attacker could obtain administrative privileges of MODx. Solution Update the Software Apply the latest update provided by the developer. Products Affected MODx 0.9.6....
JVN#26621646 EC-CUBE cross-site scripting vulnerability
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site scripting vulnerability. This vulnerability is different from JVN61543834, JVN36085487, and JVN99916563. Impact An arbitrary script could be executed on the user's web browser...
JVN#07274813 phpAdsNew cross-site scripting vulnerability
The products listed below use the same module as phpAdsNew thus they are also affected by the vulnerability. All users of these products are encouraged to update to the latest versions provided by the developer. phpPgAds 2.0.9-pr1 and earlier Max Media Manager v0.1.29-rc and earlier Max Media...
JVN#52201480 Microsoft Windows Indexing Service cross-site scripting vulnerability
Impact If the Indexing Service in Internet Information Services IIS provides search capabilities, an arbitrary script could be executed on the user's web browser. Solution Products Affected Windows 2000 Windows XP Windows 2000 Server Windows Server 2003...
JVN#39103264 Owl SQL injection vulnerability
Impact A remote attacker may modify or steal the database contents. Solution Products Affected Owl version 0.90 and earlier...
JVN#85380030: WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability CWE-22. Impact The user with "switchthemes" privilege may obtain arbitrary files on the server. Solution Update the plugin Update the plugin to the latest version...
JVN#99177549: HOTELDRUID vulnerable to cross-site scripting
HOTELDRUID provided by DigitalDruid.Net contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product. Solution Update the software Update the software according to the information provided by the...
JVN#61337171: SEIKO EPSON printer Web Config vulnerable to denial-of-service (DoS)
SEIKO EPSON printer Web Config contains a denial-of-service DoS vulnerability due to improper input validation CWE-20. Impact The printer may be turned off by a remote attacker. Solution Apply workarounds The developer strongly recommends users to apply workarounds, as the update firmware for the...
JVN#19748237: Multiple vulnerabilities in Panasonic AiSEG2
Panasonic AiSEG2 contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-28726 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 7.5 CVSS v2| AV:N/AC:H/Au:S/C:C/I:C/A:C| Base Score: 7.1 Improper Authentication...
JVN#33836375: "Jiyu Kukan Toku-Toku coupon" App vulnerable to improper server certificate verification
"Jiyu Kukan Toku-Toku coupon" App provided by RUNSYSTEM CO.,LTD. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the application to the...
JVN#84642320: SUSHIRO App for Android outputs sensitive information to the log file
SUSHIRO App for Android provided by AKINDO SUSHIRO CO., LTD. outputs sensitive information to the log file CWE-532. Impact An attacker may obtain a credential information from the log file. Solution Update the Application Update the application to the latest version according to the information...
JVN#06093462: Zenphoto vulnerable to cross-site scripting
Zenphoto contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is using the product. Solution Update the software Update the software to the latest version according to the information provided by the developer...
JVN#24659622: RICOH Aficio SP 4210N vulnerable to cross-site scripting
Aficio SP 4210N provided by RICOH COMPANY, LTD. contains a cross-site scripting vulnerability CWE-79 in Web Image Monitor. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. Solution Update the firmware...
JVN#04155116: WordPress Plugin "Modern Events Calendar Lite" vulnerable to cross-site scripting
WordPress Plugin "Modern Events Calendar Lite" provided by Webnus contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the website using the plugin. Solution Update the plugin Update the plugin to t...
JVN#63047298: Kinza vulnerable to cross-site scripting
Kinza provided by Dayz Inc. contains a cross-site scripting vulnerability CWE-79. Impact If CSP Content Security Policy on the affected product is disabled, an arbitrary script may be executed on the web browser of the user who uses RSS reader. Solution Update the Software Update to the latest...
JVN#33124193: Local File Inclusion vulnerability in Zenphoto
Zenphoto is a content management system CMS. Zenphoto contains a Local File Inclusion vulnerability. Impact Sensitive information may be obtained or arbitrary code may be executed by a remote administrative user. Solution Update the Software Update to the latest version according to the informati...
JVN#56787058: WordPress plugin "WP Job Manager" fails to restrict access permissions
The WordPress plugin "WP Job Manager" provided by Automattic Inc. fails to restrict access permissions. Impact A remote unauthenticated attacker may upload an image file to the server. Solution Update the plugin Update the plugin according to the information provided by the developer. According t...
JVN#20870477: Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Impact When accessing a specially crafted URL, arbitrary code may be...
JVN#13003724: OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the inquiry form. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#39008927: Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to cross-site request forgery
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in,...
JVN#09460804: Knowledge vulnerable to cross-site request forgery
Knowledge provided by support-project.org is an open-source knowledge base platform. Knowledge contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update to the...
JVN#34103586: Multiple I-O DATA network camera products vulnerable to information disclosure
Multiple network camera products provided by I-O DATA DEVICE, INC. contain an information disclosure vulnerability CWE-200. Impact Information such as authentication credentials may be disclosed by an attacker who can access the product. Solution Update the Firmware Apply the appropriate firmware...
JVN#05924524: LINE for Windows fails to properly verify downloaded files
The auto update function in LINE for Windows provided by LINE Corporation contains a vulnerability where downloaded files are not properly verified. Impact A successful man-in-the-middle attack may result in a specially crafted file prepared by an attacker being downloaded and executed. Solution...
JVN#77403442: Multiple Hikari Denwa routers vulnerable to OS command injection
Multiple Hikari Denwa routers contain an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed on the product by a logged-in attacker. Solution Update the Firmware Apply the appropriate firmware update provided by the developer. Products Affected NIPPON TELEGRA...
JVN#07818796: Aterm WF800HP vulnerable to cross-site request forgery
Aterm WF800HP provided by NEC Corporation contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Firmware Update to the latest firmware version according to the information...
JVN#86517621: WordPress plugin "WP Favorite Posts" vulnerable to cross-site scripting
"WP Favorite Posts" is a plugin for WordPress. WP Favorite Posts contains a cross-site scripting vulnerability. Note that this vulnerability cannot be exploited on the default settings. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update to the...
JVN#64209269: Cybozu Office vulnerable to cross-site request forgery
Cybozu Office contains a cross-site request forgery vulnerability CWE-352 in multiple functions. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#50775659: CG-WLBARAGM may behave as an open proxy
CG-WLBARAGM provided by Corega Inc is a wireless LAN router. CG-WLBARAGM contains an issue where it may behave as an open proxy. Impact The device may be leveraged as a proxy server to conduct cyber attacks. Solution Apply a Workaround The following workaround may mitigate the affects of this...
JVN#34489380: WL-330NUL vulnerable to remote command execution
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a remote command execution vulnerability. Impact An attacker that can access the product may execute an arbitrary command with administrative privileges. Solution Update the Firmware Update the firmware to...
JVN#25323093: pWebManager vulnerable to OS command injection
pWebManager provided by PC-EGG Co.,Ltd. contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed on the server by a user logged in with editor permissions. Solution Update the Software Update to the latest version according to the information provided ...
JVN#37825153: AirDroid for Android vulnerable in handling of implicit intents
AirDroid for Android provided by SAND STUDIO contains a vulnerability in the handling of implicit intents. Impact Information in AirDroid may be leaked to a third party through a malicious Android application. Solution Update the Software Update to the latest version according to the information...
JVN#38369032: Cybozu Garoon vulnerable to LDAP injection
Cybozu Garoon is a groupware. Cybozu Garoon contains an issue in processing authentication requests, which may result in an LDAP injection vulnerability. Impact A malicious user authorized to administer uesrs in certain groups may obtain information from the authentication server or may perform a...
JVN#85118545: MATCHA SNS access restriction bypass vulnerability
MATCHA SNS provided by ICZ Corporation is an SNS software. MATCHA SNS contains an access restriction bypass vulnerability. Impact A user without administrative privileges may obtain administrative privileges. Solution Update the Software Update to the latest version according to the information...
JVN#18232032: MATCHA INVOICE vulnerable to SQL injection
MATCHA INVOICE provided by ICZ Corporation is a web-based billing management software. MATCHA INVOICE contains multiple SQL injection CWE-89 vulnerabilities. Impact An authenticated attacker may obtain or alter information stored in the database. Solution Update the Software Update to the latest...
JVN#04644117: Japan Connected-free Wi-Fi vulnerable to allow URL whitelist bypass
Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. contains an issue where an arbitrary page may be loaded if the application is launched with the URL-scheme. Impact Android version of this app may allow an arbitrary API to be executed if permissions to execute that API are grant...
JVN#13684924: BBS X102 vulnerable to cross-site scripting
BBS X102 provided by guide-park.com is a bulletin board software. BBS X102 contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Consider stop using BBS X102 Ver1.03 Since the developer was unreachable, existence of any...
JVN#70465405: Yodobashi App for Android vulnerable to arbitrary Java method execution
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. contains a vulnerability where an arbitrary Java method may be executed. Impact When opening a specially crafted website, an attacker may be able to execute an arbitrary Java method. As a result, information stored in Android devices...
JVN#22677713: OpenEMR vulnerable to authentication bypass
OpenEMR is an electronic health records and medical practice management application. OpenEMR contains an authentication bypass vulnerability CWE-302. Impact Sensitive information may be obtained by a remote attacker who can access the web interface of the product. Solution Update the software and...
JVN#19732015: MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions against the management function for user information CWE-284. Impact A non-administrative user may be able to change administrative user credentials. Solution...
JVN#68452022: Zenphoto vulnerable to cross-site scripting
Zenphoto is a content management system CMS. Zenphoto contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing encoded user-supplied input. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version...
JVN#74547976: Fumy Teacher's Schedule Board vulnerable to cross-site scripting
Fumy Teacher's Schedule Board provided by Nishishi Factory is a CGI program that displays schedules. Fumy Teacher's Schedule Board contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest...
JVN#06302787: OS command injection vulnerability in multiple FUJITSU Android devices
Multiple FUJITSU Android devices contain an OS command injection vulnerability. Impact An attacker with local access may obtain root privileges and execute arbitrary OS commands. Solution Apply an Update Apply the appropriate update according to the information provided by the provider. Products...
JVN#07930208: BSD Operating Systems vulnerable to denial-of-service (DoS)
BSD operating systems contain an issue in the handling of the TCP session timer, which may lead to a denial-of-service DoS vulnerability. Impact When a sepcially crafted packet from a malicious server is received, a condition where client resources are not released may occur. As a result, clients...
JVN#27388160: SumaHo for Android fails to verify SSL/TLS server certificates
SumaHo for Android fails to verify SSL/TLS server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Apply the appropriate update according to the information provided by the developer. Products Affected...
JVN#66285408: Aflax vulnerable to cross-site scripting
Aflax is a JavaScript library that enables developers to use JavaScript to fully utilize all of the features of the Adobe Flash runtime. Aflax contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Aflax According t...
JVN#72950786: Outlook.com for Android contains an issue where it fails to verify SSL server certificates
Outlook.com for Android contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#49974594: Webmin vulnerable to cross-site scripting
Webmin is a web-based system management tool. Webmin contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser who is logged into Webmin. Solution Update the software Update to the latest version according to the information provided by th...
JVN#50129191: JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution
"JUST Online Update" and "JUST Online Update for J-License and the management tools" that are bundled with multiple JustSystems products contain a flaw that allows the update program to be executed even if the signature of an update module is invalid. Please note that this is a flaw in the online...
JVN#54650130: SOY CMS vulnerable to cross-site scripting
SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is an open source content management system CMS. SOY CMS contains a cross-site scripting vulnerability. Impact If a user views a malicious page while logged in, an arbitrary script may be executed on the user's web browser. Solution App...