5625 matches found
JVN#29471697: Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the...
JVN#69107517: TvRock vulnerable to cross-site scripting
TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user accessing the website th...
JVN#41129639: Payment EX vulnerable to information disclosure
Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version according ...
JVN#53880182: TVer App for Android fails to verify SSL server certificates
TVer App for Android provided by PRESENTCAST INC. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the...
ManageEngine ServiceDesk Plus vulnerable to cross-site scripting
Overview ManageEngine ServiceDesk Plus provided by Zoho Corporation is a help desk software. ManageEngine ServiceDesk Plus contains a stored cross-site scripting CWE-79 vulnerability. Akihito Mukai and Tomoshige Hasegawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
ManageEngine Firewall Analyzer vulnerable to directory traversal
Overview ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a directory traversal vulnerability. Mukai Akihito and Hasegawa Tomoshige reported this vulnerability...
JVN#20355129: niconico App for iOS fails to verify SSL server certificates
niconico App for iOS provided by DWANGO Co., Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#47662377: Sybase EAServer vulnerable to cross-site scripting
EAServer provided by Sybase is an application server. EAServer contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer...
Aipo vulnerable to SQL injection
Overview Aipo contains SQL injection vulnerability. Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a SQL injection vulnerability. Impact Contents that are managed by Aipo may be viewed by a user that can login to Aipo. Solution...
JVN#31723154 LacoodaST from SpaceTag, Inc. session fixation vulnerability
LacoodaST from SpaceTag, Inc. is groupware providing schedule and task managements, etc. LacoodaST contains a session fixation vulnerability. Impact A remote attacker impersonating a logged in user could manipulate the operation with the user's privilege. As a result, disclosure or alteration of...
JVN#72065744 K's CGI Access Log Kaiseki (Jcode.pm) vulnerable to cross-site scripting
K's CGI Access Log Kaiseki is a program to analyze access to a web page. analysis.cgi included in Access Log Kaiseki Jcode.pm contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed on the user's web browser. Solution Update the Software Apply the latest update...
JVN#43906021 WEB MART from KENT WEB vulnerable to cross-site scripting
WEB MART provided by KENT WEB is shopping cart software. WEB MART contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the vendor. Products Affected WEB MART 1.61 and...
JVN#01162446 Cross-site scripting vulnerabilities in multiple Hal Networks shopping cart products
Multiple Hal Networks shopping cart software products are vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Apply the latest updates provided by the vendor. For more information, refer to the vendor's website...
JVN#99453765 Cross-site scripting vulnerability in updir.php in UPDIR.NET
updir.php from UPDIR.NET is software for publishing and managing image files, etc. on web servers. By installing updir.php on a web server, users are able to upload image files, etc. on the web server and publish and manage the uploaded files. updir.php contains a cross-site scripting vulnerabili...
JVN#50495547 Ichitaro series buffer overflow vulnerability
The "Ichitaro" series word processing software, from JustSystems Corporation, contains a buffer overflow vulnerability. If a user opens a specially crafted jtd file or views it on a web browser, an attacker could execute arbitrary code with the privileges of the user. Impact An attacker could...
JVN#43615794 Yayoi Kaikei improper handling of credential information
Yayoi Kaikei Quick Navigator makes the user log into the vendor's server, and sends the user credentials unencrypted. Impact By monitoring the communication between Quick Navigator and the vendor's server, an attacker can obtain the customer number and the phone number to impersonate the user on...
JVN#90438169 RaidenHTTPD cross-site scripting vulnerability
RaidenHTTPD is a multipurpose web server for Windows provided by TEAM JOHNLONG. RaidenHTTPD contains a cross-site scripting vulnerability. Impact Arbitrary code could be executed on the user's web browser. Solution Update the Software Apply the update provided by the vendor. For more information,...
JVN#47272891 Hanako buffer overflow vulnerability
Impact An arbitrary code could be executed on the PCs of Hanako user, if the user opens a specially crafted Hanako file sent by a remote attacker. Solution Products Affected Hanako 2004 Hanako 2005 Hanako 2006 Hanako Viewer 1.0 For more information, refer to the vendor's website...
JVN#63999575 NEC MultiWriter 1700C web server authentication bypass vulnerability
Impact A remote attacker could change the system configuration of the printer's built-in web server. Solution Products Affected NEC MultiWriter 1700C model number: PR-L1700C Network Expansion Card PR-L1700C-MC For more information, refer to the vendor's website...
JVN#35274905 FreeStyleWiki cross-site scripting vulnerability
Impact An rbitrary script may be executed on the user's web browser. In addition, if session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected FreeStyleWiki 3.5.10 and earlier...
JVN#87830692 WebNote Clip vulnerable to OS command injection
Impact An attacker could execute an arbitrary OS command on the server with WebNote Clip installed. Solution Products Affected WebNote Clip 4.1.7 and earlier...
JVN#15243167 Problem with referer header handling on mobile phone web browsers
Impact Referer information may be unintendedly sent to a server under certain operating conditions. Solution Products Affected For more information, refer to the vendors' websites...
JVN#29273468 QRcode Perl CGI & PHP script vulnerable to denial of service attack
Impact A remote attacker may cause a denial of service DoS attack. Solution Products Affected QRcode Perl/CGI & PHP script ver. 0.50f and earlier including both Perl versions and PHP versions...
Security information for Hitachi Disk Array Systems
Overview CVE-2026-23667 | Broadcast DVR Elevation of Privilege Vulnerability CVE-2026-23668 | Windows Graphics Component Elevation of Privilege Vulnerability CVE-2026-23669 | Windows Print Spooler Remote Code Execution Vulnerability CVE-2026-23671 | Windows Bluetooth RFCOM Protocol Driver Elevati...
Android App "Anshin Filter for au" vulnerable to cleartext transmission of sensitive information
Overview Android App "Anshin Filter for au" provided by KDDI CORPORATION contains the following vulnerability. Cleartext transmission of sensitive information CWE-319 - CVE-2026-41281 Impact A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially...
GROWI vulnerable to path traversal
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Path traversal CWE-22 - CVE-2026-41951 GROWI, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and GROWI, Inc. coordinated under the Information Security Early Warning...
JVN#76729865: Multiple vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. Use of less trusted source(CWE-348) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 6.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 5.3 CVE-2025-53522 Open...
JVN#30641875: Multiple vulnerabilities in BizRobo!
BizRobo! is an RPA Robotic Process Automation software provided by OPEN, Inc. Users compile an automation flow using DesignStudio, a development application that runs on Windows, and create robot files. A web application Management Console is provided to schedule RPA execution and to check the...
JVN#83440451: Multiple Safie products vulnerable to improper server certificate verification
Multiple Safie products are vulnerable to improper server certificate verification CWE-295. The product can be operated via port 11029/TCP and Bluetooth, and its communications are AES encrypted. The product user can obtain the encryption key from the cloud server based on the device-specific...
JVN#87710540: Assimp vulnerable to heap-based buffer overflow
Assimp provided by Open Asset Import Library contains a heap-based buffer overflow vulnerability CWE-122. Impact An attacker may execute arbitrary code by inputting a specially crafted file into the product. Solution Update the Software Update the software to the latest version according to the...
JVN#60331535: WordPress plugin "SiteGuard WP Plugin" may leak the customized path to the login page
WordPress plugin "SiteGuard WP Plugin" provided by EG Secure Solutions Inc. provides a functionality to customize the path to the login page wp-login.php. The plugin implements a measure to avoid redirection from other URLs, but missed to implement a measure to avoid redirection from...
JVN#55045256: Multiple vulnerabilities in "FreeFrom - the nostr client" App
"FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below. Improper verification of cryptographic signature CWE-347 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 5.3 CVE-2024-36277 Reliance on obfuscation or encryption of security-relevan...
JVN#17680667: Multiple vulnerabilities in Unifier and Unifier Cast
Unifier and Unifier Cast provided by Yokogawa Rental & Lease Corporation contains multiple vulnerabilities listed below. Incorrect Default Permissions configured by Cast Launcher CWE-276 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 7.8 CVE-2024-23847 Missing Authorization for coejobhoo...
JVN#56781258: Splunk Config Explorer vulnerable to cross-site scripting
Splunk Config Explorer provided by Chris Younger contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is using the product. Solution Update the software Update the software to the latest version according to...
JVN#13113728: "EasyRange" may insecurely load executable files
"EasyRange" provided by sira.jp according to the original report submitted by the reporter is a tool to extract compressed files. "EasyRange" contains an issue with the executable file search path when displaying an extracted file on Explorer, which may lead to loading an executable file resides ...
JVN#86206017: WordPress Plugin "easy-popup-show" vulnerable to cross-site request forgery
WordPress Plugin "easy-popup-show" provided by Ari Susanto contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Stop using the plugin The developer...
Multiple vulnerabilities in PowerCMS
Overview PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in the management screen CWE-79 - CVE-2023-49117 Open redirect vulnerability in the members' site CWE-601 - CVE-2023-50297 Alfasado Inc. reported these...
JVN#73178249: Improper restriction of XML external entity references (XXE) in Shinseiyo Sogo Soft
Shinseiyo Sogo Soft provided by The Ministry of Justice improperly restricts XML external entity references XXE CWE-611. Impact By processing a specially crafted XML file, arbitrary files on the PC may be accessed by an attacker. Solution Update the Software Update the software to the latest...
JVN#36340790: JB Inquiry form vulnerable to exposure of private personal information to an unauthorized actor
JB Inquiry form provided by Jubei Inc. contains an exposure of private personal information to an unauthorized actor vulnerability CWE-359 . Impact A remote attacker may obtain information entered from forms created using the affected product. Solution Update the Software Update to the latest...
Installers of Sony PaSoRi related software may insecurely load Dynamic Link Libraries
Overview PaSoRi provided by Sony Corporation is contactless IC card reader/writer. Installers of PaSoRi driver and other related software for Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab...
JVN#26026353: WordPress plugin "Markdown on Save Improved" vulnerable to cross-site scripting
The WordPress plugin "Markdown on Save Improved" contains a stored cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update the plugin according to the information provided by the developer. While the...
JVN#65668004: Dotclear vulnerable to cross-site scripting
Dotclear is a weblog software. Dotclear contains a cross-site scripting vulnerability. Impact If a user views a specially crafted page while logged in, an arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the...
JVN#81094176: Android OS may behave as an open resolver
A device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver. Android OS contains an issue where it may behave as an open resolver when the tethering function is enabled. Impact The Android device may be used in a DNS...
JVN#54775800: FAST/TOOLS vulnerable to improper restriction of XML external entity references
FAST/TOOLS provided by Yokogawa Electric Corporation contains a vulnerability where XML external entity XXE references are not properly restricted CWE-611. Impact When opening a project with a specially crafted XML file, information managed by the product may be disclosed or may become a victim o...
JVN#64764004: Clipboard contents alteration vulnerability in Sleipnir
Sleipnir, a web browser provided by Fenrir, contains a vulnerability in which the contents of the clipboard may be altered. As a result, when Sleipnir is being used under certain settings, the contents of the clipboard may be read or written from a website. Impact Contents contained in the...
JVN#80436657 Webservice-DIC yoyaku_v41 vulnerable to command injection
yoyakuv41 from Webservice-DIC is a software to manage conference room reservations. yoyakuv41 contains a command injection vulnerability. Impact An arbitrary command could be executed with the privilege of the server where yoyakuv41 runs. Solution Update the Software Update to the latest version...
lv Arbitrary Command Execution Vulnerability
Overview lv contains a vulnerability of reading and running a .lv file in the current directry. Impact An attacker could execute arbitrary command as other users with the privilege of the user running lv. Solution Please refer to the 'Vendor Information' section of this advisory for official...
JVN#95014590 Zimbra Collaboration Suite script execution vulnerability
Zimbra Collaboration Suite is a web collaboration tool that provides calendar, address book, webmail, and other functions. Zimbra Collaboration Suite 4.0.3 and 4.5.6 contain a vulnerability that could allow a remote attacker to execute an arbitrary script on the user's web browser. Impact If a us...
JVN#02854109 HttpLogger vulnerable to cross-site scripting
Klab HttpLogger is full-text search software for web browser histories. HttpLogger is vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the developer. For more information, ref...
JVN#71872818 AirStation series and BroadStation series vulnerable to cross-site request forgery
Buffalo's AirStation series and BroadStation series routers have a web administration interface that can be accessed from a web browser to configure their functional settings. The web administration interface is vulnerable to cross-site request forgery. Impact If the administrator of such a produ...