5625 matches found
JVN#62111727: Pleasanter vulnerable to cross-site scripting
Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the software or apply the patch Update the software to the latest version according to the information provided by...
JVN#01937209: LINE WORKS Drive Explorer vulnerable to code injection
LINE WORKS Drive Explorer provided by WORKS MOBILE Japan Corp. contains a code injection vulnerability CWE-94. Impact An attacker who can login to the client where the affected product is installed may inject arbitrary code while processing the product execution. Since a full disk access privileg...
JVN#99657911: WordPress plugin "LIQUID SPEECH BALLOON” vulnerable to cross-site request forgery
WordPress plugin "LIQUID SPEECH BALLOON” provided by LIQUID DESIGN Ltd. contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update the Software to the latest...
JVN#90813656: Wireshark for Windows issue where an arbitrary file may be deleted
Wireshark for Windows uses a software updating library called WinSparkle. Wireshark for Windows contains an issue where an arbitrary directory of file may be deleted due to an issue contained in WinSparkle JVN96681653. Impact An arbitrary directory or file may be deleted with the privileges of th...
JVN#03050861: EXPRESSCLUSTER X vulnerable to directory traversal
EXPRESSCLUSTER X from NEC Corporation is software to provide high availability HA clustering. EXPRESSCLUSTER X contains an issue in WebManager, which may lead to directory traversal. Impact Arbitrary files on the server may be viewed by an attacker who can access to the WebManager. Solution Updat...
JVN#02527990: Lhaplus vulnerable to directory traversal
Lhaplus is a file compression/decompression software. Lhaplus contains an issue in processing file names, which may result in a directory traversal vulnerability. Impact Decompressing a file with a specially crafted file name may result in a creation of an arbitrary file or an overwrite of an...
JVN#12798709: KENT-WEB Clip Board vulnerable to cross-site scripting
KENT-WEB Clip Board is a bulletin board software that a user can upload binary files such as image files. Clip Board contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version...
JVN#73357573: Movable Type vulnerable to cross-site scripting
Movable Type contains an issue in processing the management page, which may result in a cross-site scripting vulnerability. Impact An arbitrary script may be executed or a false form may be displayed on the administrator's web browser. Solution Update the software Update to the latest version...
JVN#07957080: Dominion KX2-101 vulnerable to denial-of-service (DoS)
Dominion KX2-101 provided by Raritan Japan, Inc. is a KVM-over-IP switch. Dominion KX2-101 contains a denial-of-service DoS vulnerability. Impact By receiving a specially crafted packet, the product may be forced to stop responding. Solution Upgrade to Dominion KX2-101 V2 The vulnerability has be...
JVN#87962145: Piwigo vulnerable to SQL injection
Piwigo is a software to manage and host image files on the web. Piwigo contains a SQL injection vulnerability. Impact An authenticated attacker may obtain information stored in the database. Solution Apply a patch Apply the patch according to the information provided by the developer. According t...
JVN#30281958: Arbitrary program execution vulnerability in TrendLink ActiveX control
TrendLink provided by Canary Labs is a tool to help visualize data for analysis. The SaveToFile method provided in the ActiveX control in TrendLink contains a vulnerability where file creation is not properly restricted. Impact A remote attacker may create an arbitrary file on the system and as a...
JVN#23256725: Opera browser for Android issue in handling intent scheme URL's
Opera browser for Android contains an issue in the handling of intent scheme URL's. Impact When a user views a specially crafted page, the Opera browser for Android cookie file may be disclosed. Solution Apply an Update Apply the appropriate update for the version of the software being used...
JVN#65312543: D-Link DES-3800 Series vulnerable to denial-of-service (DoS)
DES-3800 Series provided by D-Link Japan contains a denial-of-service DoS vulnerability due to an issue in the implementation of SSH. Impact A user who can login using SSH may cause the product to stop responding. Solution Update the Firmware Update to the latest version of firmware according to...
JVN#15973066: EC-CUBE vulnerable to directory traversal when used in Windows
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a directory traversal vulnerability when used in Windows. Impact A remote attacker may obtain arbitrary files on the server. Solution Apply the update or patch Apply the update or patch accordin...
JVN#98712361: Ichitaro series vulnerable to arbitrary code execution
The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. Impact When a user opens a specially crafted file, an arbitrary code may be executed. Solution Update the software Apply the appropriate update module...
JVN#45306814: EC-CUBE fails to restrict access permissions
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a URL handling issue in certain environments and as a result, access permissions are not restricted. Impact A remote, unauthenticated attacker may access the management screen. Solution Apply th...
JVN#05102851: Yome Collection for Android issue in management of IMEI
Yome Collection for Android contains an issue which stores the International Mobile Equipment Identity IMEI on a SD card. Applications without the READPHONESTATE permission may obtain the IMEI from the SD card. Impact If a user of the affected product uses a malicious Android application, the IME...
JVN#85695061: ALFTP may insecurely load executable files
ALFTP provided by ESTsoft Corp. is a FTP client software with the built in FTP server. ALFTP contains an issue when loading files. For example, if an user tries to open README a file without extention which exists in the same directory where README.exe a file with .exe extention exists, README.ex...
JVN#61695284: PowerChute Business Edition vulnerable to cross-site scripting
PowerChute Business Edition from Schneider Electric is a power management software. PowerChute Business Edition contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Upgrade the software Upgrade to the latest version accordin...
JVN#98467259 Ichitaro series vulnerable to arbitrary code execution
The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. Impact When opening a specially crafted file locally or through a website, an attacker may be able to execute arbitrary code. Solution Update the software...
JVN#49602378 SEIL/B1 authentication issue
The PPP Access Concentrator PPPAC function within SEIL/B1 contains an issue in the CHAP and MS-CHAP-V2 authentication processes, the same challenge value is repeatedly used for each authentication attempt. Impact A third party may be able to perform replay attacks. As a result, the third party ma...
JVN#79762947 EC-CUBE information disclosure vulnerability
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an information disclosure vulnerability. Impact A remote attacker may be able to obtain customer data that is saved by EC-CUBE. Solution Update the Software Apply the latest updates provided by...
JVN#10170564 MODx cross-site scripting vulnerability
MODx, an open source contents management system, contains multiple cross-site scripting vulnerabilities. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the developer. Products Affected MODx 0.9.6.2 and earlier...
JVN#02216739 Movable Type Enterprise cross-site scripting vulnerability
Movable Type Enterprise, a web log system from Six Apart KK for business users, contains a cross-site scripting vulnerability. This vulnerability is different from JVN30385652 and JVN81490697. Impact An arbitrary script may be executed on an user's web browser. Solution Update the Software Update...
JVN#36635562 nProtect : Netizen denial of service (DoS) vulnerability
nProtect : Netizen from NetMove Corporation is security software that works only while communicating with specific web pages. nProtect : Netizen contains a denial of service DoS vulnerability. Impact An remote attacker could disable nProtect : Netizen by convincing a user to open a specially...
JVN#44532794 rktSNS cross-site scripting vulnerability
rktSNS, provided by rakuto.net, is open source software for community site construction. rktSNS contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Apply the update provided by the developer. For more...
JVN#84326763: Multiple vulnerabilities in SKYSEA Client View
SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains multiple vulnerabilities listed below. Improper access control in the specific process CWE-266 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 7.8 CVE-2024-41139 Origin...
JVN#79213252: WordPress Plugin "Music Store - WordPress eCommerce" vulnerable to SQL injection
WordPress Plugin "Music Store - WordPress eCommerce" provided by CodePeople contains an SQL injection vulnerability CWE-89. Impact A user of the product with the administrator privilege may execute an arbitrary SQL command. Information stored in the database may be obtained or altered by the user...
JVN#35838128: WordPress Plugin "WP Booking" vulnerable to cross-site scripting
WordPress Plugin "WP Booking" provided by aviplugins.com contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the web site using the product. Solution Update the plugin Update the plugin to the late...
JVN#17176449: ffBull vulnerable to OS command injection
ffBull according to the original report submitted by the reporter provided by Fortunefield is a bulletin board system BBS. ffBull contains an OS command injection vulnerability CWE-78. Impact A remote unauthenticated attacker may execute an arbitrary OS command with the privilege of the running w...
JVN#78084105: OpenPNE plugin "opTimelinePlugin" vulnerable to cross-site scripting
OpenPNE plugin "opTimelinePlugin" provided by OpenPNE Project contains a stored cross-site scripting vulnerability CWE-79 in Edit Profile page. Impact On the site which uses the affected product, when a user configures the profile with some malicious contents, an arbitrary script may be executed ...
JVN#40049211: Improper restriction of XML external entity references (XXE) in Electronic Deliverables Creation Support Tool provided by Ministry of Defense
Electronic Deliverables Creation Support Tool provided by Ministry of Defense improperly restricts XML external entity references XXE CWE-611. Impact Processing a specially crafted XML file may lead to exposure of internal files on the system. Solution Update the Software Update the software to t...
JVN#84820712: "Rikunabi NEXT" App for Android fails to restrict custom URL schemes properly
"Rikunabi NEXT" App for Android provided by Recruit Co., Ltd. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead ...
JVN#30900552: EC-CUBE plugin "Product Image Bulk Upload Plugin" vulnerable to insufficient verification in uploading files
EC-CUBE plugin "Product Image Bulk Upload Plugin", a plugin that enables to upload image files, provided by EC-CUBE CO.,LTD. contains an insufficient verification vulnerability when uploading files CWE-20. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary...
JVN#87683137: Norton Security for Mac improperly processes ICMP packets
Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash CWE-20. Impact An unprivileged user may cause a denial-of-service DoS condition on the OS. Solution Update the Software Update...
JVN#49408248: OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the language selection screen. Impact An arbitrary script may be executed on the user's web browser. Solution For the users who have installed OneThird CMS already: Update th...
JVN#69854312: baserCMS vulnerable to OS command injection
baserCMS is an open-source Contents Management System CMS. baserCMS contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed on the server by a logged in attacker. Solution Update the Software Update to the latest version according to the information...
JVN#88559134: SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability. Impact A remote attacker may obtain arbitrary files on the server. Solution Update the Software Update to the latest version according to the informatio...
JVN#27531188: Cakifo vulnerable to cross-site scripting
Cakifo is a theme for WordPress. Cakifo contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the theme Update to the latest version according to the information provided by the developer. Products Affected Cakifo 1.0 ...
JVN#22670349: AndExplorer vulnerable to directory traversal
AndExplorer provided by LYSESOFT contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#88313872: ZIP with Pass vulnerable to directory traversal
ZIP with Pass provided by aokitaka contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#22756333: Sleipnir Mobile for Android vulnerable to address bar spoofing
Sleipnir Mobile for Android contains an issue when opening a new window, which may result in the address bar being spoofed. Impact This vulnerability could be leveraged to forge the contents of the address bar for conducting phishing attacks. Solution Update the software Update to the latest...
JVN#52264310: MosP kintai kanri vulnerable to authentication bypass
MosP kintai kanri is an open source attendance management software. MosP kintai kanri contains an authentication bypass vulnerability. Impact An attacker with a MosP kintai kanri account may impersonate another user. As a result, information may be obtained and settings may be altered with the...
JVN#18397171: FeedDemon vulnerable to arbitrary script execution
FeedDemon is an RSS/Atom feed reader. FeedDemon is vulnerable to arbitrary script execution due to the improper processing during HTML page output based on feed information when using the "feed preview" option. Impact An arbitrary script embedded in an RSS/Atom feed may be executed on the user's...
JVN#38216398: osCommerce vulnerable to directory traversal
osCommerce is an open source system for creating shopping websites. osCommerce contains a directory traversal vulnerability. Impact A remote attacker may access arbitrary files on the server. Solution Update the software Update to the latest version according to the information provided by the...
JVN#43386477: WeblyGo vulnerable to cross-site scripting
WeblyGo is a groupware provided by KAWAI BUSINESS SOFTWARE CO., LTD. KBS. WeblyGo contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by...
JVN#21471805: Winny vulnerable to buffer overflow
Winny is a P2P file sharing software. Winny contains a buffer overflow vulnerability. This vulnerability is different from JVN91740962 and JVN74294680. Impact A remote attacker may be able to execute arbitary code. Solution Do not use Winny Please discontinue use of Winny. Products Affected Winny...
JVN#38687002 Compiere vulnerable to cross-site scripting
Compiere provided by Almas Inc. is an Enterprise Resource Planning ERP and Customer Relationship Management CRM software. Compiere contains a cross-site scripting vulnerability. This vulnerability is different from JVN57963254. Impact An arbitrary script may be executed on the user's web browser...
JVN#82744714 Cross-site scripting vulnerability in apricot.php from LovPop.net
apricot.php from LovPop.net is a software to analyze web access logs. apricot.php contains a cross-site scripting vulnerability. Note that future releases and maintenance of apricot.php ended on March 19, 2009. Users who wish to analyze access logs are recommended to use a different product that...
JVN#74747784 XOOPS Cube Legacy cross-site scripting vulnerability
XOOPS Cube Legacy from XOOPS Cube Project is an open source contents management system. XOOPS Cube Legacy contains a cross-site scripting vulnerability. According to the developers, a XOOPS Cube Legacy distribution "Hodajuku distribution" and "additional modules" are not affected by this...