5625 matches found
JVN#16114985: "Kura Sushi Official App Produced by EPARK" for Android uses a hard-coded cryptographic key
"Kura Sushi Official App Produced by EPARK" for Android provided by EPARK, Inc. uses a hard-coded cryptographic key CWE-321. Impact An attacker may obtain the login ID and password for the affected product. Solution Update the application Update the application to the latest version according to...
JVN#21176842: MF Teacher Performance Management System vulnerable to cross-site scripting
MF Teacher Performance Management System provided by Media Fusion Co.,Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the website using the product. Solution Apply the Patch The developer has release...
JVN#49873988: Secure Boot bypass Vulnerability in PRIMERGY
PRIMERGY is an IA server provided by Fsas Technologies Inc. PRIMERGY contains a vulnerability where Secure Boot function is bypassed. This is due to a vulnerability called "PKFail" CVE-2024-8105, which was publicly disclosed by Binarly. Impact The product's Secure Boot function may be bypassed an...
Multiple vulnerabilities in OpenBlocks IoT VX2
Overview OpenBlocks IoT VX2 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities. Masahiro Murashima and Genta Kataoka of IERAE SECURITY INC. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Movable Type vulnerable to open redirect
Overview Movable Type provided by Six Apart Ltd. contains an open redirect vulnerability CWE-601. Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a...
JVN#09470233: Android stock browser vulnerable to denial-of-service (DoS)
The Android stock browser contains a denial-of-service DoS vulnerability. Impact When receiving a specially crafted packet, the Android stock browser may crash. Solution Do not use Android stock browser If using an affected version of the Android stock browser, it is recommended to use another...
Lhaplus vulnerable to remote code execution
Overview Lhaplus is a file compression/decompression software. Lhaplus contains a remote code execution vulnerability. Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Decompressing a speciall...
JVN#72586781: ASP.NET vulnerable to cross-site scripting
ASP.NET contains an issue in the escape processes for string output. Web applications that use ASP.NET may contain a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the...
JVN#20452446 Shopping Basket Pro directory traversal vulnerability
Shopping Basket Pro from CGI RESCUE is shopping cart software. A directory traversal vulnerability exists in Shopping Basket Pro. Impact A remote attacker could obtain a list of the file and directory names on the server where Shopping Basket Pro is installed. Solution Update the Software Apply t...
JVN#91706484 Trac cross-site scripting vulnerability
Impact A remote attacker could possibly execute an arbitrary script on the user's IE where the user views a Trac wiki content. Solution Products Affected trac 0.10.3 and earlier versions trac-0.10.3-ja-1 and earlier versions...
JVN#34830904 Shobo Shobo Nikki System (sns) cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Also, the administrator's password could be disclosed if cookie information is leaked. Solution Products Affected sns 3.11 and earlier...
JVN#41241092 Kmail CGI authentication bypass vulnerability
Impact A remote attacker may bypass Kmail CGI's user authentication, and view or delete the emails of Kmail users. Solution Products Affected Version 1.0.3 and earlier...
JVN#99776858 Multiple vulnerabilities in Webmin and Usermin
Impact A remote attacker could conduct the followings: Steal Webmin and Usermin's configuration information Execute an arbitrary script on the user's web browser Possibly conduct a session hijack attack if session information from a cookie is leaked Solution Products Affected Webmin 1.290 and...
JVN#51301450 NetCommons cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. As a result, a remote attacker could forge the web page contents. Solution Products Affected NetCommons 1.0.8 and earlier...
JVN#81108784 Geeklog cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. If session information from a cookie is leaked, an attacker could possibly conduct session hijacking. Solution Products Affected Geeklog 1.4.0sr4 and earlier Geeklog 1.3.11sr6 and earlier...
JVN#62307185 QwikiWiki cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. User credentials could be leaked as a result. Solution Products Affected QwikiWiki version 1.5.5 and earlier...
JVN#13947696 Ruby contains a vulnerability that prevents safe level 4 from functioning as a sandbox.
Impact An attacker may be able to bypass the security model of a server application and change the status of a untained object. Solution Products Affected Ruby 1.8.4-20060516 and earlier Snapshot versions As a workaround, we recommend that users update to the latest Ruby 1.8.4 snapshot version...
JVN#18282718 Hyper Estraier directory traversal/denial of service vulnerability
Impact If a remote attacker sends a specially crafted file and a user saves it in a search target directory, the attacker could register a file not to be searched in an index when the user creats an index, or cause a denial of service. Solution Products Affected Versions earlier than Hyper Estrai...
Vulnerability in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint
Overview Vulnerability has been found in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' sectio...
Android App "RoboForm Password Manager" insufficient validation of Android intents
Overview Android App "RoboForm Password Manager" provided by Siber Systems, Inc. accepts intents from other applications to open relevant web pages e.g., login pages, but without sufficient URL validation, user confirmation nor notification. Insufficient UI Warning of Dangerous Operations CWE-357...
Multiple vulnerabilities in silex technology SD-330AC and AMC Manager
Overview SD-330AC and AMC Manager provided by silex technology, Inc. contain multiple vulnerabilities listed below. Stack-based buffer overflow in processing the redirect URLs CWE-121 - CVE-2026-32955 Heap-based buffer overflow in processing the redirect URLs CWE-122 - CVE-2026-32956 Missing...
SKYSEA Client View and SKYMEC IT Manager improper file access permission settings
Overview SKYSEA Client View and SKYMEC IT Manager provided by Sky Co.,LTD. are Enterprise IT Asset Management Tools. SKYSEA Client View and SKYMEC IT Manager contain the following vulnerability. Incorrect default permissions in the installation folder CWE-276 - CVE-2026-39454 Takashi Matsumoto of...
Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview Vulnerability exists in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple Vulnerabilities in Cosminexus HTTP Server
Overview Multiple vulnerabilities have been found in Cosminexus HTTP Server. CVE-2025-49630, CVE-2025-53020 These vulnerabilities does not apply if HTTP/2 protocol is disabled. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the...
Multiple Vulnerabilities in Cosminexus
Overview Multiple vulnerabilities exist in Cosminexus Component Container. CVE-2025-48988, CVE-2025-48976 Affected products and versions are listed below. Please upgrade your version to the appropriate version. These vulnerabilities exist in Cosminexus Component Container which is a component...
JVN#41633999: Obsidian GitHub Copilot Plugin stores sensitive information in cleartext
Obsidian GitHub Copilot Plugin provided by Pierre-Adrien Vasseur is vulnerable to the following vulnerability. Cleartext storage of sensitive information CWE-312 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L Base Score 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Base Score...
Out-of-bounds write vulnerability in FUJIFILM Business Innovation MFPs
Overview Multiple MFPs multifunction printers provided by FUJIFILM Business Innovation Corp. contain the following vulnerability. Out-of-bounds Write CWE-787 - CVE-2025-48499 Jia-Ju Bai, Rui-Nan Hu, Dong Zhang, and Zhen-Yu Guan of School of Cyber Science and Technology of Beihang University...
JVN#88251376: Multiple vulnerabilities in Nimesa Backup and Recovery
Nimesa Backup and Recovery provided by Nimesa contains multiple vulnerabilities listed below. OS command injection CWE-78 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8 CVE-2025-48501 Server-side request...
JVN#05562338: Improper file access permission settings in PC Time Tracer
PC Time Tracer provided by Keiyo System Co., LTD contains a vulnerability listed below. Incorrect default permissions CWE-276 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 7.0 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Base Score 7.3 CVE-2025-46355 Impact Arbitrary...
Multiple vulnerabilities in V-SFT
Overview V-SFT provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below. Free of Pointer not at Start of Buffer in VS6EditData.dll!CWinFontInf::WinFontMsgCheck function CWE-761 CVE-2025-47749 Out-of-bounds Write in VS6MemInIF!settemptypedefault function CWE-787...
JVN#11230428: +F FS010M vulnerable to OS command injection
+F FS010M provided by FUJI SOFT INCORPORATED contains multiple OS command injection vulnerabilities listed below. OS command injection CWE-78 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2 CVE-2025-24306 OS command injection CWE-78 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base...
JVN#48742353: Multiple cross-site scripting vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 CVE-2025-22888 Stored cross-si...
JVN#61635834: Multiple vulnerabilities in SHARP routers
SHARP routers contain multiple vulnerabilities listed below. OS command injection vulnerability in the HOST name configuration screen CWE-78 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2 CVE-2024-45721 The hidden debug function is enabled CWE-489...
JVN#08430039: "Shonen Jump+" App for Android fails to restrict custom URL schemes properly
"Shonen Jump+" App for Android provided by SHUEISHA INC. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a use...
Trend Micro Deep Security 20 Agent for Windows vulnerable to improper access control
Overview Trend Micro Incorporated has released a security update for Deep Security 20 Agent for Windows to fix a improper access control vulnerability CVE-2024-48903. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A...
JVN#78335885: Chatwork Desktop Application (Windows) uses a potentially dangerous function
Chatwork Desktop Application Windows provided by kubell Co., Ltd. contains an issue with use of potentially dangerous function CWE-676, which allows a user to access an external website via a link in the application. Impact If a user clicks a specially crafted link in the application, an arbitrar...
JVN#19766555: Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities listed below. SQL injection CWE-89 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8 CVE-2024-42404 Cross-site scripting CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1...
Installer of MagicConnect Client program may insecurely load Dynamic Link Libraries
Overview Installer of MagicConnect Client program provided by NTT TechnoCross Corporation contains a vulnerability which may lead to insecurely loading Dynamic Link Libraries CWE-427 when a terminal is connected remotely using Remote desktop. Yuji Tounai of Mitsui Bussan Secure Directions, Inc...
The installers of E START products may insecurely load Dynamic Link Libraries
Overview The installers of E START products by GMO INSIGHT Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the folder specified by the TEMP environment variable or where the installer resides CWE-427, CVE-2015-9267, and CVE-2015-9268...
WordPress plugin "Shortcodes Ultimate" vulnerable to directory traversal
Overview The WordPress plugin "Shortcodes Ultimate" contains a directory traversal vulnerability CWE-22 in the Examples page. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Arbitrary local files o...
JVN#92395431: Java (OGNL) code execution in Apache Struts 2 when devMode is enabled
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating Java web applications. There is a known risk that arbitrary Java OGNL code may be executed in Apache Struts 2 when devMode is enabled in production environment. It is confirmed that proof-of-concept co...
JVN#06212291: Android OS Contacts app fails to restrict access permissions
The Contacts app within the Android OS receives requests for outgoing calls through Intents and calls the Dialer app. The Contacts app contains a vulnerability where it fails to restrict access permissions, since it receives and processes Intents from apps without CALLPHONE permissions. Impact Wh...
ManageEngine Firewall Analyzer vulnerable to directory traversal
Overview ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a directory traversal vulnerability. Mukai Akihito and Hasegawa Tomoshige reported this vulnerability...
Arbitrary program execution vulnerability in TrendLink ActiveX control
Overview TrendLink provided by Canary Labs is a tool to help visualize data for analysis. The SaveToFile method provided in the ActiveX control in TrendLink contains a vulnerability where file creation is not properly restricted. Security Research and Service Institute - Information and...
Opera Mini / Opera Mobile for Android vulnerable in the WebView class
Overview Opera Mini and Opera Mobile for Android contain a vulnerability in the WebView class. Opera Mini and Opera Mobile are web browsers for mobile devices. Opera Mini and Opera Mobile for Android contain a vulnerability in the WebView class. Gaku Mochizuki of Mitsui Bussan Secure Directions,...
JVN#75345069: Mac OS X OpenSSH vulnerable to denial-of-service (DoS)
The OpenSSH implementation in Mac OS X is vulnerable to denial-of-service. Impact A remote attacker may cause a denial-of-service. Solution Update the software Update to the latest version according to the information provided by the developer. According to the developer, versions Mac OS X 10.6 a...
JVN#79114735 Google Desktop cross-site scripting vulnerability
Google Desktop, software for searching information on local computers, contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed on the web browser of a user who uses Google Desktop. Solution According to the vendor, this vulnerability has been fixed in Google...
JVN#23120863 Rainboard cross-site scripting vulnerability
The Rainboard bulletin board software provided by UDON is vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Apply the latest update provided by the developer. Products Affected Rainboard 2.02 and earlier...
JVN#13939411 Drupal cross-site scripting vulnerability
Impact An arbitrary script could be executed on the browser of the user who logged into Drupal. In addition, if session information from a cookie is leaked, a remote attacker could possibly conduct session hijacking. Solution Products Affected Drupal 4.6.10 and earlier Drupal 4.7.4 and earlier...
JVN#47223461 tDiary cross-site scripting vulnerability
Impact An arbitrary script may be executed on the user's web browser. Solution Products Affected 2.0.2 stable and earlier 2.1.4.20061115 developer version and earlier...