5627 matches found
Buffalo Wi-Fi router WXR9300BE6P series vulnerable to path traversal
Overview Wi-Fi router WXR9300BE6P series provided by BUFFALO INC. contains the following vulnerability. Path traversal CWE-22 - CVE-2025-61941 Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact Arbitrary file may be altered by ...
JVN#84697061: Century HW RAID Manager registers a Windows service with an unquoted file path
RAID Manager provided by Century Corporation contains the following vulnerability. Unquoted search path or element CWE-428 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.7 CVE-2025-59307 Impact A user with t...
JVN#75307484: RICOH Streamline NX vulnerable to tampering with operation history
RICOH Streamline NX provided by Ricoh Company, Ltd. contains the following vulnerability. Use of Less Trusted Source CWE-348 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 2.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.1 CVE-2025-58422 Impact If an...
"Yahoo! Shopping" App for Android fails to restrict custom URL schemes properly
Overview "Yahoo! Shopping" App for Android provided by LY Corporation contains the following vulnerability. Improper authorization in handler for custom URL scheme CWE-939 - CVE-2025-41408 Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Seiko Solutions SkyBridge BASIC MB-A130 vulnerable to OS command injection
Overview SkyBridge BASIC MB-A130 provided by Seiko Solutions Inc. contains the following vulnerability. OS command injection CWE-78 - CVE-2025-54857 Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#50585992: Multiple vulnerabilities in multiple iND products
Multiple products provided by iND Co.,Ltd contain multiple vulnerabilities listed below. Insecure storage of sensitive information CWE-922 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Base Score 6.5 CVE-2025-53507 OS...
JVN#46919949: PgManage vulnerable to injection
PgManage provided by Command Prompt, Inc. uses RestrictedPython module. The version of RestrictedPython module imported to PgManage contains vulnerabilities, which are inherited to PgManage CWE-477. Impact A user of the affected product may escape a sandbox and execute arbitrary code. Solution...
Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
Overview CONPROSYS HMI System CHS provided by Contec Co.,Ltd. contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2025-34080 Insertion of sensitive information into debugging code CWE-215 - CVE-2025-34081 Alex Williams of Converge Technology Solutions...
SLNX Help Documentation of RICOH Streamline NX vulnerable to reflected cross-site scripting
Overview SLNX Help Documentation of RICOH Streamline NX provided by Ricoh Company, Ltd. contains a reflected cross-site scripting vulnerability. Reflected cross-site scripting via a specific parameter CWE-79 - CVE-2025-41439 Matteo Santini reported this vulnerability to Ricoh Company, Ltd. direct...
Multiple vulnerabilities in iroha Board
Overview iroha Board provided by iroha Soft Co., Ltd. contains multiple vulnerabilities listed below. Forced browsing CWE-425 - CVE-2025-41404 Cross-site request forgery CWE-352 - CVE-2025-48497 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC...
Inefficient regular expressions in GROWI
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Inefficient regular expression complexity CWE-1333 - CVE-2025-43880 Takanori Okamoto of FFRI Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#17860456: UpdateNavi vulnerable to improper restriction of communication channel to intended endpoints
UpdateNavi provided by Fujitsu Client Computing Limited contains the following vulnerability. Improper restriction of communication channel to intended endpoints CWE-923 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 6.9 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Bas...
Multiple vulnerabilities in FutureNet AS series (Industrial Routers) and FA series (Protocol Conversion Machine)
Overview FutureNet AS series Industrial Routers and FA series Protocol Conversion Machine provided by Century Systems Co., Ltd. contain multiple vulnerabilities listed below. Authentication Bypass CWE-288 - CVE-2025-24846 Buffer Overflow CWE-120 - CVE-2025-25280 Chuya Hayakawa and Ryo Kamino of...
JVN#94806805: WordPress Plugin "Activity Log WinterLock" vulnerable to cross-site request forgery
WordPress Plugin "Activity Log WinterLock" provided by SWIT contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, the log data may be deleted. Solution Update the plugin Update the plugin according to the information provided by the...
Multiple out-of-bounds write vulnerabilities in Canon Office/Small Office Multifunction Printers and Laser Printers
Overview Office/Small Office Multifunction Printers and Laser Printers provided by Canon Inc. contain multiple out-of-bounds write vulnerabilities CWE-787, CVE-2024-12647, CVE-2024-12648, CVE-2024-12649, CVE-2025-2146. Canon Inc. reported these vulnerabilities to JPCERT/CC to notify users of the...
Multiple SQL injection vulnerabilities in Trend Micro Deep Discovery Inspector
Overview Trend Micro Incorporated has released a security update for Trend Micro Deep Discovery Inspector. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Information disclosure due to multiple SQL injection vulnerabilities...
Vulnerability in Cosminexus
Overview Vulnerability has been found in Cosminexus. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
WindLDR and WindO/I-NV4 store sensitive information in cleartext
Overview PLC programming software "WindLDR" and Operator Interfaces' Touchscreen Programming Software "WindO/I-NV4" provided by IDEC Corporation store sensitive information in cleartext form CWE-312. Yuki Meguro of Toinx Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Multiple vulnerabilities in LogonTracer
Overview LogonTracer provided by JPCERT Coordination Center is a tool to investigate malicious Windows logon by visualizing and analyzing Windows event log. LogonTracer contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2018-16165 CVSS v3...
"Rakuten Ichiba App" fails to restrict custom URL schemes properly
Overview "Rakuten Ichiba App" provided by Rakuten Group, Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Shiga Takuma of BroadBand Security...
Multiple vulnerabilities in ZEXELON ZWX-2000CSW2-HN
Overview ZWX-2000CSW2-HN provided by ZEXELON CO., LTD. is a high-speed coaxial modem with wireless LAN functions. ZWX-2000CSW2-HN contains multiple vulnerabilities listed below. Use of hard-coded credentials CWE-798 - CVE-2024-39838 Incorrect permission assignment for critical resource CWE-732 -...
Multiple vulnerabilities in SKYSEA Client View
Overview SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains multiple vulnerabilities listed below. Improper access control in the specific process CWE-266 - CVE-2024-41139 Origin validation error in shared memory data exchanges CWE-3...
Multiple vulnerabilities in UNIVERSAL PASSPORT RX
Overview UNIVERSAL PASSPORT RX provided by Japan System Techniques Co., Ltd. contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2023-42427 Dependency on vulnerable third-party component CWE-1395 Known vulnerability in Primefaces library used in the product Cross-sit...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability CWE-78. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a user who can log in to the product sends a specially crafte...
OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
Overview Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity CWE-345. OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If a user program in the...
Toyoko Inn official App vulnerable to improper server certificate verification
Overview Toyoko Inn official App provided by Toyoko Inn IT Solution Co., Ltd. is vulnerable to improper server certificate verification CWE-295. Ryo Nihonyanagi of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
"Mercari" App for Android fails to restrict custom URL schemes properly
Overview "Mercari" App for Android by Mercari, Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Shiga Takuma of BroadBand Security Inc...
EC-CUBE 3 series and 4 series vulnerable to arbitrary code execution
Overview EC-CUBE 3 series and 4 series provided by EC-CUBE CO.,LTD. contain an arbitrary code execution vulnerability CWE-94 due to improper settings of the product's template engine "Twig". Takeshi Miura of N.F.Laboratories Inc. reported this vulnerability to EC-CUBE CO.,LTD. EC-CUBE CO.,LTD. In...
Cybozu Remote Service vulnerable to uncontrolled resource consumption
Overview Cybozu Remote Service provided by Cybozu, Inc. is vulnerable to uncontrolled resource consumption CWE-400. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact Certain operations performed by a logged-in user may lead to huge storage...
Multiple vulnerabilities in Panasonic KW Watcher
Overview KW Watcher provided by Panasonic contains multiple vulnerabilities listed below. Improper restriction of operations within the bounds of a memory buffer CWE-119 - CVE-2023-3471 Use after free CWE-416 - CVE-2023-3472 Michael Heinzl reported these vulnerabilities to Panasonic and...
Shihonkanri Plus vulnerable to relative path traversal
Overview Shihonkanri Plus provided by EKAKIN contains a relative path traversal vulnerability CWE-23. Shimizu Yutaro of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attack...
"WPS Office" vulnerable to OS command injection
Overview "WPS Office" which was provided by KINGSOFT JAPAN, INC. contains an OS command injection vulnerability CWE-78. Impact If a remote attacker who can conduct a man-in-the-middle attack connects the product to a malicious server and sends a specially crafted data, an arbitrary OS command may...
Multiple vulnerabilities in Inaba Denki Sangyo Wi-Fi AP UNIT
Overview Wi-Fi AP UNIT provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities listed below. Missing authentication for critical function CWE-306 - CVE-2023-31196 OS command injection CWE-78 - CVE-2023-31198 OS command injection CWE-78 - CVE-2023-28392 MASAHIRO IIDA of LAC Co.,...
baserCMS vulnerable to arbitrary file uploads
Overview baserCMS provided by baserCMS Users Community allows an authenticated user to upload arbitrary files CWE-434. Taisei Inoue of GMO Cybersecurity by Ierae, Inc. and Yusuke Akagi of Mitsui Bussan Secure Directions, Inc., Shiga Takuma of BroadBand Security, Inc. reported this vulnerability t...
Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config
Overview Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below. Stored cross-site Scripting CWE-79 - CVE-2023-23572 Cross-Site Request Forgery CWE-352 - CVE-2023-27520 Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, a...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-2909 Operation restriction bypass in multiple applications CWE-285 - CVE-2022-30602 CyVDB-3042 Information disclosure in multiple applications CWE-200 - CVE-2022-29512 CyVDB-3111 Improper input...
Multiple vulnerabilities in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux
Overview Deep Security and Cloud One - Workload Security Agent for Linux provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. Directory Traversal CWE-22 - CVE-2022-23119 Code Injection CWE-94 - CVE-2022-23120 As of 2022 January 24, a Proof-of-Concept PoC code...
GROWI vulnerable to authorization bypass through user-controlled key
Overview GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability CWE-639, CVE-2021-3852. huntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as an intermediator. After the coordination between huntr and WESEE...
Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master"
Overview WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-0180 Reflected cross-site scripting CWE-79 - CVE-2022-0181 Stored cross-site scripting CWE-79 - CVE-2022-0182 CVE-2022-0180,...
TP-Link TL-WR802N V4(JP) vulnerable to OS command injection
Overview TP-Link TL-WR802N is a wifi router for home networks. The firmware version 170705 is reported vulnerable to OS command injection CWE-78. Impact Any user who can login to the web interface of the affected product may execute any OS commands. Solution Update the Firmware Update to the late...
Trend Micro ServerProtect family vulnerable to authentication bypass
Overview Trend Micro Incorporated has released security updates for ServerProtect family. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A remote attacker may bypass authentication for the products. For more information, refer...
baserCMS vulnerable to cross-site scripting
Overview baserCMS provided by baserCMS Users Community contains a cross-site scripting vulnerability CWE-79. Akagi Yusuke of NTT-ME CORPORATION reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
Multiple vulnerabilities in GroupSession
Overview GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20785 Cross-site request forgery CWE-352 - CVE-2021-20786 Cross-site scripting vulnerability CWE-79 - CVE-2021-20787 Sever-side reques...
Multiple vulnerabilities in Trend Micro Password Manager
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Privilege escalation and buffer overflow due to improper processing of integ...
boastMachine vulnerable to cross-site scripting
Overview boastMachine provided by knadh contains a cross-site scripting vulnerability CWE-79. Daiki Fukumori reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the user's...
IkaIka RSS Reader vulnerable to cross-site scripting
Overview IkaIka RSS Reader contains a cross-site scripting vulnerability CWE-79, due to the improper processing of RSS registration. LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a malicio...
Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Overview Password Manager provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact...
Multiple vulnerabilities in UNIVERGE SV9500/SV8500 series
Overview Remote system maintenance feature of UNIVERGE SV9500/SV8500 series' Web based remote maintenance console contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2020-5685 Incorrect Implementation of Authentication Algorithm CWE-303 - CVE-2020-5686 NEC Platforms,...
Cross-site Scripting Vulnerability in Hitachi Command Suite
Overview A Cross-site Scripting vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Trend Micro Antivirus for Mac vulnerable to a privilege escalation
Overview Antivirus for Mac provided by Trend Micro Incorporated contain a symbolic link privilege escalation vulnerability CWE-61. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated unde...