5625 matches found
JVN#77360971: Simeji vulnerable to information disclosure
Simeji is a Japanese Input Method Editor IME for Android devices. Simeji contains an issue in the access permissions for the certain files. Impact If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed. Solution...
JVN#60931933: BIGACE vulnerable to session fixation
BIGACE is a content management system CMS. BIGACE contains a session fixation vulnerability. Impact A remote unauthenticated attacker may impersonate a registered user. As a result, information disclosure or alteration may be possible. Solution Update the Software Apply the latest update accordin...
JVN#78305073: @WEB ShoppingCart vulnerable to cross-site scripting
@WEB ShoppingCart provided by WEBLOGIC CORPORATION. is a system for creating shopping websites. @WEB ShoppingCart contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Apply a patch Apply the appropriate patch according to th...
JVN#51216285: DBD::mysqlPP vulnerable to SQL injection
DBD::mysqlPP is a Perl module that provides a client interface for MySQL. DBD::mysqlPP contains a SQL injection vulnerability. Impact An attacker may view or alter information stored in the database. Solution Do not use DBD::mysqlPP According to the developer, "DBD::mysqlPP was developed as a jok...
JVN#46984044: WalRack upload file handilng vulnerability
WalRack is a CGI that provides an interface to upload files on the Web. WalRack contains a vulnerability in handling upload files. Impact An arbitrary PHP script may be executed on the server where WalRack is installed. Solution Update the Software Update to the latest version according to the...
JVN#94695018: Lunascape may insecurely load dynamic libraries
Lunascape is a web browser. Lunascape loads certain DLL's when HTML files are opened. Lunascape contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Impact An attacker may execute arbitrary code with the privilege of running the application. Solution...
JVN#78536512: Movable Type vulnerable to SQL injection
Movable Type, a web log system from Six Apart KK, contains a SQL injection vulnerability. Impact A remote attacker may view or modify information stored by the product. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
JVN#04665167: XacRett may insecurely load executable files
XacRett is a file extraction software that supports many file formats. XacRett loads certain executables .exe when extracting files. XacRett contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary code with the privilege of...
JVN#69191943: AD-EDIT2 vulnerable to cross-site scripting
AD-EDIT2 is a Contents Management System CMS software. AD-EDIT2 contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#35605523: Cross-site scripting vulnerability in Access Analyzer CGI by futomi's CGI Cafe
Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page. Impact An arbitrary script may be executed on the user...
JVN#67120749 Multiple vulnerabilities in ActiveGeckoBrowser
ActiveGeckoBrowser from Fenrir Inc. is a plugin that adds the Gecko rendering engine to the Sleipnir web browser. ActiveGeckoBrowser contains multiple vulnerabilities caused by the Gecko engine. Impact A remote attacker may execute an arbitrary code or script, or conduct a denial of service DoS...
JVN#41842181 PrettyFormMail vulnerable to cross-site scripting
PrettyFormMail from PrettyBook is a software that sends emails with contents that are input into a HTML form. PrettyFormMail contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use PrettyFormMail As patches will not ...
JVN#36207497 Active! mail 2003 cookie disclosure vulnerability
Active! mail 2003 from TransWARE Co. is a web-based email software. Active! mail 2003 contains a vulnerability in which cookies may be disclosed. Impact A remote attacker could impersonate a user of Active! mail 2003. As a result, the user's email could be viewed or configurations could be...
JVN#89791790 Cross-site scripting vulnerability in FreeNAS
FreeNAS is a NAS Network Attached Storage server software. FreeNAS contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#55752635 Cross-site scripting vulnerability in activeCollab
activeCollab from A51 D.O.O. is software for project management. activeCollab contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software According to the vendor, activeCollab 0.x is no longer being developed or...
JVN#03300113 Blosxom vulnerable to cross-site scripting
Blosxom is an open source weblog system. Blosxom contains a cross-site scripting vulnerability. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Apply the latest udpate provided by the developer. Products Affected Blosxom 2.1.1 and earlier...
JVN#13159997 Multiple I-O DATA DEVICE wireless LAN routers default configuration does not set authentication
The authentication for the web administration interface for the WN-APG/R-Series and WN-WAPG/R-Series wireless LAN routers from I-O DATA DEVICE is disabled in the default configuration. This vulnerability may allow a remote attacker to access the web administration interface without authentication...
JVN#25471539 Aruba Mobility Controller Series cross-site scripting vulnerability
Aruba Mobility Controller series, switch products from Aruba Networks, contain a cross-site scripting vulnerability in the login page of the web management interface. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the patch Users of the products should apply...
JVN#78520316 a-blog cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected a-blog 1.51 and earlier...
JVN#55425662: MyWeb SQL injection vulnerability
Impact A remote attacker could view or modify the database contents. Solution Products Affected MyWeb Portal Office cellular phone functionality MyWeb Standard Edition MyWeb Public Edition MyWeb Medical Edition MyWeb Citizen Edition MyWeb School Edition MyWeb Light Edition...
JVN#25106961 Kent Web PostMail vulnerable to third party mail relay
Impact An attacker could possibly compromise the mail server to send an unsolicited email. Solution Products Affected Kent Web PostMail 3.2 and earlier...
JVN#25583987: FUJITSU Network Edgiot GW1500 vulnerable to path traversal
FUJITSU Network Edgiot GW1500 M2M-GW for FENICS provided by Fujitsu Limited contains a path traversal vulnerability CWE-22. Impact If a logged-in attacker with User Class privilege sends a specially crafted request to the affected product, access restricted files containing sensitive information...
JVN#35928117: Protection mechanism failure in RevoWorks
RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client's local environment. In the products, file exchange between the sandboxed environment and local environment is prohibited in...
JVN#02058996: HP ThinUpdate vulnerable to improper server certificate verification
HP ThinUpdate provided by HP Development Company, L.P. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication. Solution Update the Software Update the software...
JVN#44726469: Improper restriction of XML external entity references (XXE) in XBRL data create application
XBRL data create application provided by Financial Services Agency improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XBRL file, arbitrary files on the system may be read by an attacker. Solution Update the Software Update the software to the...
JVN#31701509: Multiple vulnerabilities in MicroEngine Mailform
MicroEngine Mailform provided by MicroEngine Inc. contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 - CVE-2023-27397 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N| Base Score: 3.7 CVSS v2|...
JVN#59341308: WordPress Plugin "Newsletter" vulnerable to cross-site scripting
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin. Solution Update the plugin Update the...
JVN#76257155: Trend Micro Security may insecurely load Dynamic Link Libraries
Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue CWE-427. While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application executable may...
JVN#78481846: TP-Link SG105PE vulnerable to authentication bypass
TP-Link SG105PE contains an authentication bypass vulnerability CWE-287. Impact Under certain conditions, an attacker may impersonate an administrator of the product. As a result, information may be obtained and the product's settings may be altered with the privilege of the administrator. Soluti...
JVN#60211811: Redmine vulnerable to cross-site scripting
Redmine contains a cross-site scripting vulnerability CWE-79 caused by improper Textile processing. Impact An arbitrary script may be executed on the web browser of the user using the product. Solution Update the Software Update the software to the latest version according to the information...
JVN#43979089: PukiWiki vulnerable to cross-site scripting
PukiWiki provided by PukiWiki Developers Team contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the site using the product. Solution Update the Software Update the Software to the latest version...
JVN#31606885: WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in with the administrative privilege, unintended operations may b...
JVN#48413554: WordPress Plugin "WordPress Meta Data Filter & Taxonomies Filter" vulnerable to cross-site request forgery
WordPress Plugin "WordPress Meta Data Filter & Taxonomies Filter" provided by realmag777 contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update t...
JVN#91438377: SSL Visibility Appliance may generate illegal RST packets
SSL Visibility Appliance provided by Blue Coat Systems, Inc. is used as a transparent proxy for encrypted traffic management. It is reported that the appliance generates RST packets with incorrect sequence numbers when it receives HTTPS requests from certain web browsers. When the web server behi...
JVN#78980598: Apache ActiveMQ vulnerable to cross-site scripting
Apache ActiveMQ provided by the Apache Software Foundation is a middleware that implements Java Message Service. Apache ActiveMQ contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update t...
JVN#51565015: LINE for Windows may insecurely load Dynamic Link Libraries
LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privileges of the running application. Solution Update the Software For cuurent users of LINE for...
JVN#75813272: Multiple Buffalo wireless LAN routers vulnerable to information disclosure
Multiple Buffalo wireless LAN routers contain an information disclosure vulnerability. Impact Information such as authentication credentials may be disclosed by an unauthenticated remote attacker. Solution Update the Firmware Apply the appropriate firmware update provided by the developer. Produc...
JVN#42545812: MP Form Mail CGI Professional Edition vulnerable to directory traversal
MP Form Mail CGI Professional Edition provided by futomi Co., Ltd. contains a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed by the product's administrator. Solution Update the software Update to the latest version according to the information provide...
JVN#47473944: EC-CUBE fails to restrict access permissions
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Impact A remote attacker may bypass IP address restrictions and access the login page to the management screen. Solution Apply the update or the patch Apply the upda...
JVN#34780384: Kirby vulnerable to arbitrary file creation
Kirby is a content management system CMS. Kirby contains a vulnerability that may allow a remote attacker to create arbitrary files. Impact An arbitrary file created by a logged in attacker may result in arbitrary PHP code being executed on the server. Solution Update the Software Update to the...
JVN#07427376: PIXMA MG7500 Series vulnerable to cross-site request forgery
PIXMA MG7500 Series provided by Canon Inc. contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged into the Remote UI, unintended operations may be performed. Solution Apply a Workaround The following workaround can mitigate the affects of this...
JVN#62078684: ELPhoneBtnV6 ActiveX control vulnerable to buffer overflow
ELPhoneBtnV6 ActiveX control was used for "Click to Live" service provided by FreeBit Co., Ltd. Although "Click to Live" service has been discontinued, PCs that used the "Click to Live" service may still have the ActiveX control installed. ELPhoneBtnV6 ActiveX control, which is provided by the fi...
JVN#17522792: yoyaku_v41 vulnerable to OS command injection
yoyakuv41 provided by Webservice-DIC is a software to manage conference room reservations. yoyakuv41 contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed with the privileges of the web server on the server where yoyakuv41 is running. Solution Do no...
JVN#16409640: MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions CWE-264. Impact A remote attacker may obtain files managed by the product. Solution Update the Software Update to the latest version according to the informatio...
JVN#71903938: bBlog vulnerable to cross-site request forgery
bBlog is weblog software. bBlog contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Do not use bBlog bBlog is no longer being developed or maintained. It is recommended to stop using...
JVN#87204433: All In One WP Security & Firewall vulnerable to cross-site request forgery
All In One WP Security & Firewall is WordPress plugin that provides security functionality. All In One WP Security & Firewall contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, access logs 404 events maintained by the product may ...
JVN#17637243: Kindle App for Android fails to verify SSL server certificates
Kindle App for Android fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected...
JVN#94409737: MailPoet Newsletters vulnerable to cross-site request forgery
MailPoet Newsletters is a plugin for WordPress. MailPoet Newsletters contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, unintended operations may be conducted. Solution Update the Software Update to the latest version according to the...
JVN#02213197: Webmin vulnerable to cross-site scripting
Webmin is a web-based system management tool. Webmin contains a cross-site scripting vulnerability when "referrer checking" is turned off. Note that "referrer checking" is enabled by default. Impact An arbitrary script may be executed on a user's web browser who is logged into Webmin. Solution...
JVN#55438786: Content Provider in CamiApp for Android fails to restrict access permissions
The Content Provider in CamiApp for Android provided by KOKUYO S&T Co.,Ltd. contains an issue where access permissions are not restricted. Impact If a user of the affected product uses another malicious Android application, information stored in the database may be obtained or altered. Solution...