5625 matches found
JVN#49974594: Webmin vulnerable to cross-site scripting
Webmin is a web-based system management tool. Webmin contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser who is logged into Webmin. Solution Update the software Update to the latest version according to the information provided by th...
JVN#50129191: JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution
"JUST Online Update" and "JUST Online Update for J-License and the management tools" that are bundled with multiple JustSystems products contain a flaw that allows the update program to be executed even if the signature of an update module is invalid. Please note that this is a flaw in the online...
JVN#81637882: Information disclosure vulnerability in Sleipnir Mobile for Android
Sleipnir Mobile for Android is a web browser for Android devices. Sleipnir Mobile for Android contains an issue in handling Geolocation API, which may result in the disclosure of a user's location. Impact When a website that a user is viewing requests the user's location information, Sleipnir...
JVN#55630933: EC-CUBE information disclosure vulnerability
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an information disclosure vulnerability due to an issue in processing front features. Impact User's information may be obtained or altered by other user who visits the shopping site. Solution...
JVN#06870202: EC-CUBE information disclosure vulnerability
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an information disclosure vulnerability. Impact When the server receives a specially crafted request, the absolute path of the product on the server may be obtained. Solution Apply the update or...
JVN#81813850: Tiki Wiki CMS Groupware vulnerable to cross-site scripting
Tiki Wiki CMS Groupware Tiki is a content management system CMS. Tiki contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the web browser of an user who is logged in. Solution Apply an Update Apply the appropriate update for the version of the software bei...
JVN#70739377: Multiple products that use International Components for Unicode (ICU) vulnerable to denial-of-service (DoS)
International Components for Unicode ICU is a library for handling Unicode strings. A C version, ICU4C and a Java version ICU4J are available. Multiple products that use ICU4C contain a denial-of-service vulnerability due to a race condition. ICU released ICU4C version 50.1.1 that addresses this...
JVN#44035194: docomo overseas usage application vulnerability in the connection process
docomo overseas usage application provided by NTT DOCOMO contains a vulnerability within the process of connecting to Wi-Fi access points, which may lead to user information being sent unintentionally. Impact When connecting to a Wi-Fi access point, an attacker may obtain user information. Soluti...
JVN#39218538: Pizza Hut Japan Official Order App for Android. contains an issue where it fails to verify SSL server certificates
Pizza Hut Japan Official Order App for Android. contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the...
JVN#39699406: EC-CUBE vulnerable to information disclosure as a result of improper input checking
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an issue with checking input values, which may result in information disclosure. Impact A remote, unauthenticated attacker may obtain information stored in the product. Solution Apply the update...
JVN#18501376: OpenPNE vulnerable to cross-site scripting
The management screen in OpenPNE contains an issue in the processing of data input into the "mobile version color scheme configuration" item, which may result in a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the web browser of a user who is logged on as an...
JVN#06251813: Multiple Cybozu products vulnerable to cross-site request forgery
Multiple Cybozu products contain a cross-site request forgery vulnerability. Impact If a user accesses a specially crafted URL while logged in, user passwords or administrator passwords may be altered. Solution Update the Software Update to the latest version according to the information provided...
JVN#16817324: Multiple JustSystems products vulnerable to arbitrary code execution
Multiple products provided by JustSystems Corporation contain a vulnerability that may allow arbitrary code execution. For more information, refer to the information provided by the developer. Impact Opening a file may cause arbitrary code to be executed with the privilege of the running...
JVN#56923652: Monaca Debugger for Android information management vulnerability
Monaca Debugger provided by Asial Corporation contains an issue where account information of the product or other information such as session IDs are saved in a log file. Impact Android applications with permissions to read system log files may obtain users credentials of Monaca or other...
JVN#67435981: LINE for Android vulnerable in handling of implicit intents
LINE for Android provided by NHN Japan, is an application for communication with others. LINE for Android contains a vulnerability in the handling of implicit intents. Impact Information such as messages sent by LINE may be leaked to a third party through a malicious application. Solution Update...
JVN#80835745: Movable Type plugin MT4i vulnerable to cross-site scripting
MT4i is a Movable Type plugin. MT4i contains a cross-site scripting vulnerability. Note that this vulnerability is different from JVN79111101. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the informati...
JVN#44913777: SENCHA SNS vulnerable to cross-site request forgery
SENCHA SNS is an open source SNS software. SENCHA SNS contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, arbitrary operations may be conducted on the vulnerable system. Solution Update the Software Update to the latest version provided by...
JVN#62336482: FFFTP may insecurely load executable files
FFFTP loads certain executables when using certain functions. FFFTP contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of the running application. Solution Update the software Update to the latest...
JVN#36684331: WEB FORUM vulnerable to cross-site scripting
WEB FORUM provided by KENT-WEB is a bulletin board software. WEB FORUM contains a vulnerability in processing the web page to be output, which may result in cross-site scripting. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the lates...
JVN#31506102: Aipo vulnerable to SQL injection
Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a SQL injection vulnerability. Impact Users who can login and do not have access privileges to information in Aipo may view or alter information. The developer has confirmed that a...
JVN#09157962: SquirrelMail vulnerable to cross-site scripting
SquirrelMail from SquirrelMail Project is an open source webmail web-based email. SquirrelMail contains an issue in handling specific character encoding and processing "data:" URL, which may result in cross-site scripting. Impact An arbitrary script may be executed on the user's web browser...
JVN#36765384: Google Chrome information disclosure vulnerability
Google Chrome contains an information disclosure vulnerability caused by the improper handling of XML files. Impact When viewing a specially crafted web page, information may be disclosed. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#72541530: Active! mail 6 vulnerable to HTTP header injection
Active! mail 6 from TransWARE Co. is a web-based email software. Active! mail 6 contains a HTTP header injection vulnerability. Impact Falsified information may be displayed or an arbitrary script may be executed on the user's web browser. HTTP response splitting attacks are also possible. Soluti...
JVN#75101998: moobbs2 vulnerable to cross-site scripting
moobbs2 from Moo is a threaded bulletin board software. moobbs contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#82749282 CapsSuite Small Edition PatchMeister vulnerable to denial of service
CapsSuite Small Edition PatchMeister is a product that manages the application of security patches. CapsSuite Small Edition PatchMeister contains a denial of service DoS vulnerability. Impact On a server or workstation with "Client Service for PTM" installed, a remote attacker may shut down or...
JVN#06362164 SEIL/X Series and SEIL/B1 buffer overflow vulnerability
SEIL/X Series and SEIL/B1 are routers. SEIL/X Series and SEIL/B1 contain an issue in the processing by the URL filtering function, which may lead to a buffer overflow vulnerability. Impact When processing a specially crafted URL, a remote attacker may be able to execute arbitrary code. Solution...
JVN#00425482 XF-Section vulnerable to cross-site scripting
XF-Secion from Happy Linux is a XOOPS module that categorizes contents. XF-Section contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use XF-Section Since the product is no longer being developed, users are...
JVN#31035930 SugarCRM vulnerable to SQL injection
SugarCRM is a customer relationship management CRM software. SugarCRM contains a SQL injection vulnerability. Impact As a result of SQL injection, contents within the database can be compromised. Solution Update the Software Update to the latest version according to the information provided by th...
JVN#87239696 iPhone OS denial of service (DoS) vulnerability
iPhone OS from Apple contains a denial of service DoS vulnerability. Impact A remote attacker could possibly cause a denial of service DoS attack by sending a specially crafted packet. Solution Update the software Update to latest version according to the information provided by Apple. Products...
JVN#19072922 EC-CUBE vulnerable to SQL injection
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a SQL injection vulnerability. This vulnerability is different from JVN81111541. Impact A remote attacker could obtain the website administrator's privilege which was created using EC-CUBE...
JVN#81490697: Movable Type cross-site scripting vulnerability
Movable Type, a web log system from Six Apart KK, contains a vulnerability resulting from the improper handling of the management page that can lead to cross-site scripting. This vulnerability is different from JVN30385652. Impact An arbitrary script may be executed on the blog administrator's we...
JVN#03859837 Blogn vulnerable to cross-site scripting
Blogn from R-ONE Computer is software for creating blogs. Blogn contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the vendor. Products Affected Blogn v1.9.7 and earl...
JVN#33044255 GreaseKit and Creammonkey allows execution of userscript functions
GreaseKit and Creammonkey are plugins that enable user scripting to Safari and other Apple Webkit applications, and they provide APIs callable only from userscripts. GreaseKit and Creammonkey are vulnerable in allowing APIs called from a web page. Impact When a user views a specially crafted web...
JVN#77886599 Hatena Toolbar sends URL information unecnrypted
Impact When a user of Hatena Toolbar views a SSL secured web page, an attacker could obtain the information contained in the URL such as a session ID which needs to be protected. As a result, an attacker could possibly conduct session hijacking. Solution Products Affected Hatena Toolbar v1.5.4 an...
JVN#97757029 w3ml cross-site scripting vulnerability
Impact An arbitrary script could be executed on the user's web browser which may allow an attacker to steal cookie information. Solution Products Affected w3ml-0.4-20020625 and earlier...
JVN#83855727: FortiWeb vulnerable to SQL injection
FortiWeb provided by Fortinet, Inc. contains an SQL injection vulnerability CWE-89, CVE-2024-55593. Impact Information in the FortiWeb database may be obtained by a user who can log in to the product. Solution Update the software Update the software to the latest version according to the...
JVN#41397971: Multiple vulnerabilities in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software
AIPHONE IX SYSTEM is an IP Network Audio-Video Intercom and IXG SYSTEM is an IP-based Residential System. IX SYSTEM, IXG SYSTEM, and System Support Software contain multiple vulnerabilities listed below. OS command injection CWE-78 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.0...
JVN#25594256: Denial-of-service (DoS) vulnerability in IPCOM WAF function
WAF function of IPCOM provided by Fsas Technologies Inc. contains a denial-of-service DoS vulnerability CWE-908. Impact If the product receives a specially crafted packet by an attacker, the system may be rebooted or suspended. Solution Update the firmware Update the firmware to the latest versio...
JVN#71404925: Multiple vulnerabilities in UTAU
UTAU provided by ameya/ayame contains multiple vulnerabilities listed below. OS command injection CWE-78 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score 5.3 CVE-2024-28886 Path Traversal CWE-22 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.3 CVE-2024-32944 Impact If a user of...
JVN#87694318: WordPress Plugin "Heateor Social Login WordPress" vulnerable to cross-site scripting
WordPress Plugin "Heateor Social Login WordPress" provided by Heateor contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the website using the product. Solution Update the plugin Update the plugin to...
JVN#70977403: Multiple vulnerabilities in a-blog cms
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in Entry editing pages CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 CVE-2024-30419 Server-side request forgery CWE-918...
JVN#48966481: a-blog cms vulnerable to URL spoofing
a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains an URL spoofing vulnerability CWE-451. Impact If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the...
JVN#96240417: Thermal camera TMC series vulnerable to insufficient technical documentation
Thermal camera TMC series provided by THREE R SOLUTION CORP. JAPAN are vulnerable to insufficient technical documentation CWE-1059. The related documentation does not describe the existence of the network interface, nor the internal storage for pictures and measurement data. Impact The user of th...
JVN#39139884: Movable Type vulnerable to cross-site scripting
Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the Software Apply the appropriate update according to the information provided by the developer. The develop...
JVN#42691027: "direct" Desktop App for macOS fails to restrict access permissions
"direct" Desktop App for macOS provided by L is B Corp. fails to restrict access permissions CWE-284. The access control mechanism provided by macOS "TCC Transparency Consent and Control" may be bypassed. Impact Camrea, microphone, etc. of the device where the product is installed may be used...
JVN#95981715: Starlette vulnerable to directory traversal
Starlette provided by Encode contains a directory traversal vulnerability CWE-22. Impact Under certain conditions, a remote attacker may view files in a web service which was built using the product. Solution Update the software Update the software according to the information provided by the...
JVN#75742861: Improper restriction of XML external entity references (XXE) in National land numerical information data conversion tool
National land numerical information data conversion tool provided by MLIT improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker. Solution Stop using the product The developer...
JVN#78253670: web2py development tool vulnerable to open redirect
The admin development tool included in the web2py source code contains an open redirect vulnerability CWE-601. According to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet. Impact When using the tool, a web2py user may be redirected ...
JVN#00845253: Growi vulnerable to improper access control
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability CWE-284. Impact A user who can login to the affected product may download the markdown data from the pages set to private by the other users. Solution Update the software Update the software to the following versions...
JVN#15241647: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
WordPress plugin "WP Statistics" provided by VeronaLabs contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the web site using the product. Solution Update the plugin Update the plugin according to th...