5627 matches found
JVN#65602714: H2O vulnerable to directory traversal
H2O is an open source web server software. H2O contains an issue in processing URL, which may result in a directory traversal CWE-22 vulnerability. Impact A remote attacker may obtain arbitrary files on the server if "file.dir" directive is specified. Solution Update the Software Update to the...
JVN#71815309: Auction Camera vulnerable to URL whitelist bypass
Auction Camera provided by Newphoria Corporation Inc. is an application for both iOS or Android built using "applican". Auction Camera contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Impact Android version of this app may allow an...
JVN#75851252: "Honda Moto LINC" App for Android fails to verify SSL server certificates
"Honda Moto LINC" App for Android fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#41653647: TransmitMail vulnerable to directory traversal
TransmitMail is a PHP based mail form. TransmitMail contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote attacker may view arbitrary files on the server. Solution Update the Software Update to the latest version according to t...
JVN#97099798: eXtplorer vulnerable to cross-site scripting
eXtplorer is a web-based file manager. eXtplorer contains multiple cross-site scripting vulnerabilities. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products...
JVN#42768331: Speed Software Root Explorer and Explorer vulnerable to directory traversal
Root Explorer and Explorer provided by Speed Software contain an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application...
JVN#33735535: Fumy News Clipper vulnerable to cross-site scripting
Fumy News Clipper is a weblog system. Fumy News Clipper contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products...
JVN#13160869: Chyrp vulnerable to cross-site scripting
Chyrp is a blogging engine. Chyrp contains a cross-site scripting vulnerability. Impact An arbitrary script which may be embedded by an authenticated attacker could be executed on the Admin user's web browser. Solution Update the software Update to the latest version according to the information...
JVN#27702217: Ameba for Android contains an issue where it fails to verify SSL server certificates
Ameba for Android contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the develope...
JVN#28812735: D-Link DES-3800 Series vulnerable to denial-of-service (DoS)
DES-3800 Series provided by D-Link Japan contains a denial-of-service DoS vulnerability due to an issue in the Web manager function. Impact A remote attacker may cause the product to stop responding. Solution Update the Firmware Update to the latest version of firmware according to the informatio...
JVN#38790987: EC-CUBE vulnerable to cross-site scripting
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a vulnerability in processing the output of error messages, which may lead to cross-site scripting. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the updat...
JVN#75084836: Yahoo! Japan Shopping for Android contains an issue where it fails to verify SSL server certificates
Yahoo! Japan Shopping for Android provided by Yahoo Japan Corporation contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version...
JVN#98665228: EC-CUBE vulnerable to cross-site scripting
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site scripting vulnerability. Note that this vulnerability is different from JVN07192063. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the update ...
JVN#00985872: EC-CUBE vulnerable to session fixation
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability. Impact A remote unauthenticated attacker may impersonate a user. As a result, information may be disclosed or altered. Solution Apply the update or patch Apply...
JVN#80922020: ArtIME Japanese Input vulnerable to information disclosure
ArtIME Japanese Input is a Japanese Input Method Editor IME for Android devices. ArtIME Japanese Input contains an issue in the access permissions for the certain files. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product...
JVN#42676559: Safari vulnerable to local file content disclosure
Safari contains a vulnerability where a local file may be accessed from remote, which may result in a local file content disclosure. Impact By opening a specially crafted HTML document as a local file, an arbitrary local file may be obtained from remote even though access from other users is...
JVN#97200417: SENCHA SNS vulnerable to session fixation
SENCHA SNS is an open source SNS software. SENCHA SNS contains a session fixation vulnerability. Impact A remote, unauthenticated attacker may impersonate an honest user of the affected product. As a result, information may be altered or obtained. Solution Update the Software Update to the latest...
JVN#20083397: Movable Type vulnerable to session hijacking
Movable Type contains a session hijacking vulnerability in entering comments and community functionality. Impact A remote unauthenticated attacker may impersonate an honest user of the affected product. Solution Update the software Update to the latest version of each product according to the...
JVN#36559450: osCommerce Japanese version vulnerable to cross-site scripting
osCommerce is an open source system for creating shopping websites. osCommerce Japanese version contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's Internet Explorer. Solution Update the software Update to the latest version according to the...
JVN#54779201: Oracle WebLogic Server vulnerable to cross-site scripting
Oracle WebLogic Server contains a cross-site scripting vulnerability on the management console. Impact An arbitrary script may be executed on the browser of the user who is logged into the administration console of Oracle WebLogic Server. Solution Update the Software Apply the latest update...
JVN#03869266: Enkai-kun vulnerable to cross-site scripting
Enkai-kun provided by utage.org contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products Affected Versions prior t...
JVN#09789751: BaserCMS vulnerable to cross-site scripting
BaserCMS is an open-source Contents Management System CMS. BaserCMS contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer...
JVN#77697803: iVIEW Suite vulnerable to SQL injection
iVIEW Suite provided by RADVISION is a software to manage video conference systems in SCOPIA. iVIEW Suite contains a SQL injection vulnerability. Impact A remote attacker may view or alter the information on the system. Solution Update the Software Update to the latest version according to the...
JVN#50505257: Multiple Buffalo routers vulnerable to cross-site request forgery
Multiple routers provided by Buffalo have a management screen that allows users to modify settings. These routers contain a cross-site request forgery vulnerability due to an issue in the management screen. Impact If a user views a malicious page while logged into the management screen, settings...
JVN#53293565: Contents-Mall vulnerability in password handling
Contents-Mall is a shopping cart software for digital contents. Contents-Mall contains a vulnerability in the way it handles passwords. Impact The administrative password may be disclosed. As a result, information stored by the software may be viewed or altered. Solution Updatethe software Update...
JVN#36207497 Active! mail 2003 cookie disclosure vulnerability
Active! mail 2003 from TransWARE Co. is a web-based email software. Active! mail 2003 contains a vulnerability in which cookies may be disclosed. Impact A remote attacker could impersonate a user of Active! mail 2003. As a result, the user's email could be viewed or configurations could be...
JVN#57040664 ATOK screen lock bypass vulnerability
ATOK from JustSystems Corporation is a software for Japanese Kana-Kanji conversion. ATOK contains an issue with the restriction of launching external applications, which may lead to a screen lock bypass vulnerability. Impact An attacker could execute arbitrary code or program with the privileges ...
JVN#28521500 Trees from CGI RESCUE vulnerable to cross-site scripting
Trees, a web log system from CGI RESCUE, contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products Affected Trees...
JVN#80771386 Fulltext search CGI vulnerability allows third party to gain administrative privileges
Fulltext search CGI is a website search software from futomi's CGI Cafe. Fulltext search CGI contains a vulnerability that allows an attacker to gain administrative privileges. Impact A remote attacker could impersonate an administrator of fulltext search CGI. Solution Update the Software Update ...
JVN#36085487 EC-CUBE cross-site scripting vulnerability
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site scripting vulnerability. This vulnerability is different from JVN61543834, JVN26621646, and JVN99916563. Impact An arbitrary script could be executed on the user's web browser...
JVN#60419863 Geeklog Forum Plugin vulnerable to cross-site scripting
Geeklog Forum Plugin is a plugin for Geeklog, an open source contents management system. Geeklog Forum Plugin contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the...
JVN#76788395 Sony mylo COM-2 does not verify server SSL certificate
Sony mylo COM-2, a mobile terminal equipped with a web browser and media palyer, contains a vulnerability where it does not verify the server certificate when connecting to a server via SSL/TLS. Impact Normally, when a client connects to a web server through a SSL/TLS connection, it would verify...
JVN#42381549 Internet Scanner reporting engine vulnerable to cross-site scripting
IBM Internet Scanner has a function to generate a report as an HTML file. Internet Scanner's reporting engine does not properly sanitize data before generating this report. This vulnerability may allow an attacker to insert an arbitrary script, which is executed on the user's web browser when the...
JVN#25471539 Aruba Mobility Controller Series cross-site scripting vulnerability
Aruba Mobility Controller series, switch products from Aruba Networks, contain a cross-site scripting vulnerability in the login page of the web management interface. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the patch Users of the products should apply...
JVN#86092776: BASP21 vulnerable in handling CRLF sequences
Impact An unauthenticated remote attacker may send an unintended email from a web application which its email function is implemented using BASP21. Solution Products Affected bsmtp.dll included in BASP21 2003.0211 Versions of BASP21 Pro earlier than 1,0,702,27...
JVN#78520316 a-blog cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected a-blog 1.51 and earlier...
Multiple Vulnerabilities in Cosminexus
Overview Cosminexus Developer's Kit for JavaTM and Hitachi Developer's Kit for Java contain the following vulnerabilities: CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 Impact Regarding the impact of the vulnerabilit...
JVN#27937557: Multiple vulnerabilities in RICOH Streamline NX PC Client
RICOH Streamline NX PC Client provided by Ricoh Company, Ltd. contains multiple vulnerabilities listed below. External control of file name or path CWE-73 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 6.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Base Score 6.5...
JVN#11779839: Hikvision network camera security enhancement to prevent cleartext transmission of Dynamic DNS credentials
Multiple network cameras provided by Hangzhou Hikvision Digital Technology Co., Ltd. support two Dynamic DNS services, DynDNS and NO-IP. The user can select which to use on the GUI configuration page. Both the services provide their APIs accessible via HTTP and HTTPS, but old firmware versions of...
JVN#94347255: JP1/Extensible SNMP Agent fails to restrict access permissions
JP1/Extensible SNMP Agent provided by Hitachi fails to restrict access permissions CWE-276. Impact If an authenticated attacker who can log in to the product places a specially crafted DLL file in a specific directory, arbitrary code may be executed with the administrative privilege. Solution...
JVN#00442488: Multiple vulnerabilities in Ricoh Streamline NX PC Client
Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. Improper restriction of communication channel to intended endpoints CWE-923 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 6.3 CVE-2024-36252 ricoh-2024-000004 Use of hard-coded...
JVN#97751842: Multiple vulnerabilities in MosP kintai kanri
MosP kintai kanri provided by esMind, LLC contains multiple vulnerabilities listed below. Path Traversal CWE-22 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5 CVE-2024-28880 Incorrect Permission Assignment for Critical Resource CWE-732 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Bas...
JVN#52919306: Toyoko Inn official App vulnerable to improper server certificate verification
Toyoko Inn official App provided by Toyoko Inn IT Solution Co., Ltd. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the application to the...
JVN#01434915: Improper restriction of XML external entity references (XXE) in "Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version)"
"Electronic Delivery Check System Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version" provided by Ministry of Agriculture, Forestry and Fisheries improperly restricts XML external entity references XXE CWE-611. Impact Processing a specially craft...
JVN#67215338: FusionPBX vulnerable to cross-site scripting
FusionPBX contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product. Solution Update the software Update the software to the latest version according to the information provided by the...
JVN#67822421: OSS Calendar vulnerable to SQL injection
OSS Calendar provided by Thinkingreed Inc. contains an SQL injection vulnerability CWE-89. Impact A logged-in user may execute an arbitrary code or obtain and/or alter the information stored in the database by sending a specially crafted request. Solution Update the software Update the software...
JVN#39596244: Improper restriction of XML external entity references (XXE) in FD Application
FD Application provided by Ministry of Health, Labour and Welfare improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XML file, arbitrary files on the system may be read by an attacker. Solution Update the Software Update the software to the...
JVN#87559956: Joruri Gw vulnerable to cross-site scripting
Joruri Gw provided by SiteBridge Inc. is groupware. Message Memo function of Joruri Gw contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the specific page of the product. Solution Update the software...
JVN#22830348: Vulnerability in Driver Distributor where passwords are stored in a recoverable format
Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format CWE-257. Impact If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decrypted. Solution...
JVN#26044739: Typora fails to properly neutralize JavaScript code
Typora fails to properly neutralize JavaScript code CWE-116. Impact Opening a file with the affected product may lead to execute the JavaScript code inside the file. Solution Update the Software Update the software to the latest version according to the information provided by the developer. The...