5627 matches found
JVN#26044739: Typora fails to properly neutralize JavaScript code
Typora fails to properly neutralize JavaScript code CWE-116. Impact Opening a file with the affected product may lead to execute the JavaScript code inside the file. Solution Update the Software Update the software to the latest version according to the information provided by the developer. The...
JVN#77850327: WordPress Plugin "Newsletter" vulnerable to cross-site scripting
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin with the administrative privilege...
BlueStacks App Player fails to restrict access permissions
Overview BlueStacks App Player fails to restrict access permissions CWE-284. Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#61297210: Money Forward Apps for Android vulnerable in the WebView class
Money Forward Apps for Android contain a vulnerability in the WebView class. Impact If a user of the affected product uses another malicious Android application, information managed by the affected product may be disclosed. Solution Update the application Update to the latest version according to...
JVN#11877654: 百五銀行 (105 BANK) App fails to verify SSL server certificates
百五銀行 105 BANK App provided by THE HYAKUGO BANK, LTD. is a mobile app for internet banking. 百五銀行 App fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest...
JVN#11815655: Photopt App fails to verify SSL server certificates
Photopt App provided by NTT Communications Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by th...
JVN#47951769: Shoplat App for iOS issue in the verification of SSL certificates
Shoplat App for iOS provided by NTT DOCOMO contains an issue in the verification of the SSL server certificate. Impact A connection to a server using an invalid SSL server certificate can be estabilished without a warning. As a result, the user may not notice that a remote attacker is interceptin...
JVN#21968837: ManageEngine Firewall Analyzer vulnerable to directory traversal
ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a directory traversal vulnerability. Impact An authenticated attacker may be able to obtain arbitrary files on...
JVN#68289108: Enisys Gw fails to restrict access permissions
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw fails to restrict access permissions. Impact A remote unauthenticated attacker may be access to an arbitrary file uploaded on the product. Solution Update the Software Update to the latest version according to t...
JVN#91474878: File Encryption Software "ED" where encrypted data may be easier to decipher when files of small size are encrypted
File encyption software "ED" contains an issue when files of small size are encyrpted, they may become easier to decipher in comparison to when files of a larger size are encrypted. When encrypting small files that are smaller than the block size 128 bits, file encryption software "ED" encrypts...
JVN#17522792: yoyaku_v41 vulnerable to OS command injection
yoyakuv41 provided by Webservice-DIC is a software to manage conference room reservations. yoyakuv41 contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed with the privileges of the web server on the server where yoyakuv41 is running. Solution Do no...
JVN#24336273: BloBee vulnerable to arbitrary file creation
BloBee provided by CGI RESCUE is a bulletin board software. BloBee contains a vulnerability that may allow a remote attacker to create arbitrary files CWE-20. Impact An arbitrary file created by an attacker may result in arbitrary code being executed on the server. Solution Update the Software...
JVN#16409640: MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions CWE-264. Impact A remote attacker may obtain files managed by the product. Solution Update the Software Update to the latest version according to the informatio...
JVN#95246510: "Open Explorer Beta" App for Android vulnerable to directory traversal
"Open Explorer Beta" App for Android provided by brandroid.org contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the...
JVN#20133698: MailDealer vulnerable to cross-site scripting
MailDealer provided by RAKUS Co.,Ltd. contains a persistent cross-site scripting CWE-79 vulnerability due to a flaw in processing file names of attachments. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to...
JVN#89852154: iLogScanner vulnerable to cross-site scripting
iLogScanner provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a software that checks access logs to detect suspected attacks against a web server. iLogScanner contains a cross-site scripting vulnerability CWE-79 due to a flaw when processing analysis results and outputting the...
JVN#08994136: Bump for Android vulnerable in handling of implicit intents
Bump for Android is an application that allows users to share information and files. Bump for Android contains a vulnerability in the handling of implicit intents. Impact Information such as the owner's name that was obtained from another device may be disclosed. Solution Do not use Bump for...
JVN#70029459: ES File Explorer vulnerable to directory traversal
ES File Explorer provided by ES APP Group contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has...
JVN#90289505: Content Provider in MovatwiTouch fails to restrict access permissions
MovatwiTouch is a Twitter client software for Android devices. The Content Provider in MovatwiTouch contains an issue where access permissions are not restricted. Impact If a user of the affected product uses another malicious Android application, authorization information granted to MovatwiTouch...
JVN#52552792: EC-CUBE vulnerable to cross-site scripting
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a vulnerability in handling the output of parameters, which may result in cross-site scripting. Impact When a user accesses a specially crafted URL while there is an item in the shopping cart, a...
JVN#77360971: Simeji vulnerable to information disclosure
Simeji is a Japanese Input Method Editor IME for Android devices. Simeji contains an issue in the access permissions for the certain files. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed. Solution...
JVN#60931933: BIGACE vulnerable to session fixation
BIGACE is a content management system CMS. BIGACE contains a session fixation vulnerability. Impact A remote unauthenticated attacker may impersonate a registered user. As a result, information disclosure or alteration may be possible. Solution Update the Software Apply the latest update accordin...
JVN#78305073: @WEB ShoppingCart vulnerable to cross-site scripting
@WEB ShoppingCart provided by WEBLOGIC CORPORATION. is a system for creating shopping websites. @WEB ShoppingCart contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply a patch Apply the appropriate patch according to th...
JVN#51216285: DBD::mysqlPP vulnerable to SQL injection
DBD::mysqlPP is a Perl module that provides a client interface for MySQL. DBD::mysqlPP contains a SQL injection vulnerability. Impact An attacker may view or alter information stored in the database. Solution Do not use DBD::mysqlPP According to the developer, "DBD::mysqlPP was developed as a jok...
WalRack upload file handilng vulnerability
Overview WalRack Walrus File Rack CGI contains a vulnerability in handling upload files. WalRack is a CGI that provides an interface to upload files on the Web. WalRack contains a vulnerability in handling upload files. Impact An arbitrary PHP script may be executed on the server where WalRack is...
JVN#46984044: WalRack upload file handilng vulnerability
WalRack is a CGI that provides an interface to upload files on the Web. WalRack contains a vulnerability in handling upload files. Impact An arbitrary PHP script may be executed on the server where WalRack is installed. Solution Update the Software Update to the latest version according to the...
JVN#94695018: Lunascape may insecurely load dynamic libraries
Lunascape is a web browser. Lunascape loads certain DLL's when HTML files are opened. Lunascape contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Impact An attacker may execute arbitrary code with the privilege of running the application. Solution...
JVN#78536512: Movable Type vulnerable to SQL injection
Movable Type, a web log system from Six Apart KK, contains a SQL injection vulnerability. Impact A remote attacker may view or modify information stored by the product. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#27868039: GVim may insecurely load dynamic libraries
GVim is a text editor. GVim loads certain DLL's when TXT files are opened. GVim contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Impact An attacker may execute arbitrary code with the privilege of running the application. Solution Update the...
JVN#04665167: XacRett may insecurely load executable files
XacRett is a file extraction software that supports many file formats. XacRett loads certain executables .exe when extracting files. XacRett contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of...
JVN#69191943: AD-EDIT2 vulnerable to cross-site scripting
AD-EDIT2 is a Contents Management System CMS software. AD-EDIT2 contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#35605523: Cross-site scripting vulnerability in Access Analyzer CGI by futomi's CGI Cafe
Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page. Impact An arbitrary script may be executed on the user...
JVN#67120749 Multiple vulnerabilities in ActiveGeckoBrowser
ActiveGeckoBrowser from Fenrir Inc. is a plugin that adds the Gecko rendering engine to the Sleipnir web browser. ActiveGeckoBrowser contains multiple vulnerabilities caused by the Gecko engine. Impact A remote attacker may execute an arbitrary code or script, or conduct a denial of service DoS...
JVN#41842181 PrettyFormMail vulnerable to cross-site scripting
PrettyFormMail from PrettyBook is a software that sends emails with contents that are input into a HTML form. PrettyFormMail contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use PrettyFormMail As patches will not ...
JVN#89791790 Cross-site scripting vulnerability in FreeNAS
FreeNAS is a NAS Network Attached Storage server software. FreeNAS contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#55752635 Cross-site scripting vulnerability in activeCollab
activeCollab from A51 D.O.O. is software for project management. activeCollab contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software According to the vendor, activeCollab 0.x is no longer being developed or...
JVN#03300113 Blosxom vulnerable to cross-site scripting
Blosxom is an open source weblog system. Blosxom contains a cross-site scripting vulnerability. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Apply the latest udpate provided by the developer. Products Affected Blosxom 2.1.1 and earlier...
JVN#13159997 Multiple I-O DATA DEVICE wireless LAN routers default configuration does not set authentication
The authentication for the web administration interface for the WN-APG/R-Series and WN-WAPG/R-Series wireless LAN routers from I-O DATA DEVICE is disabled in the default configuration. This vulnerability may allow a remote attacker to access the web administration interface without authentication...
JVN#74079537 SugarCRM cross-site scripting vulnerability
Impact An arbitrary script could be executed on the user's web browser where the user logged into SugarCRM. If an attacker obtains session information from a cookie, an attacker could possibly conduct session hijacking. Solution Products Affected SugarCRM 4.5.0f and earlier...
JVN#55425662: MyWeb SQL injection vulnerability
Impact A remote attacker could view or modify the database contents. Solution Products Affected MyWeb Portal Office cellular phone functionality MyWeb Standard Edition MyWeb Public Edition MyWeb Medical Edition MyWeb Citizen Edition MyWeb School Edition MyWeb Light Edition...
JVN#25106961 Kent Web PostMail vulnerable to third party mail relay
Impact An attacker could possibly compromise the mail server to send an unsolicited email. Solution Products Affected Kent Web PostMail 3.2 and earlier...
JVN#25583987: FUJITSU Network Edgiot GW1500 vulnerable to path traversal
FUJITSU Network Edgiot GW1500 M2M-GW for FENICS provided by Fujitsu Limited contains a path traversal vulnerability CWE-22. Impact If a logged-in attacker with User Class privilege sends a specially crafted request to the affected product, access restricted files containing sensitive information...
JVN#35928117: Protection mechanism failure in RevoWorks
RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client's local environment. In the products, file exchange between the sandboxed environment and local environment is prohibited in...
JVN#02058996: HP ThinUpdate vulnerable to improper server certificate verification
HP ThinUpdate provided by HP Development Company, L.P. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication. Solution Update the Software Update the software...
JVN#44726469: Improper restriction of XML external entity references (XXE) in XBRL data create application
XBRL data create application provided by Financial Services Agency improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker. Solution Update the Software Update the software to the...
JVN#31701509: Multiple vulnerabilities in MicroEngine Mailform
MicroEngine Mailform provided by MicroEngine Inc. contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 - CVE-2023-27397 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N| Base Score: 3.7 CVSS v2|...
JVN#59341308: WordPress Plugin "Newsletter" vulnerable to cross-site scripting
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin. Solution Update the plugin Update the...
JVN#00971105: WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting
WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" provided by TMS contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in the WordPress where the product is installed. Solution...
JVN#76257155: Trend Micro Security may insecurely load Dynamic Link Libraries
Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue CWE-427. While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application executable may...
JVN#78481846: TP-Link SG105PE vulnerable to authentication bypass
TP-Link SG105PE contains an authentication bypass vulnerability CWE-287. Impact Under certain conditions, an attacker may impersonate an administrator of the product. As a result, information may be obtained and the product's settings may be altered with the privilege of the administrator. Soluti...