5625 matches found
SetucoCMS vulnerable to cross-site scripting
Overview SetucoCMS provided by SetucoCMS Project is a content management system CMS. SetucoCMS contains cross-site scripting vulnerability. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. and Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
SetucoCMS vulnerable to SQL injection
Overview SetucoCMS provided by SetucoCMS Project is a content management system CMS. SetucoCMS contains an SQL injection vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning partnership. Impact An arbitrary...
SetucoCMS vulnerable to session management
Overview SetucoCMS provided by SetucoCMS Project is a content management system CMS. SetucoCMS contains session management vulnerability. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Usermin cross-site scripting vulnerabilties
Overview Usermin is a web-based interface used to manage webmail. Usermin contains reflected cross-site scripting vulnerabilities in /filter/saveforward.cgi, /filter/save.cgi and /man/search.cgi. Toshinobu Honjo of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC...
Breadcrumb trail in Cybozu Office vulnerable vulnerable to browse restriction bypass
Overview Cybozu Office provided by Cybozu,Inc. contains a browse restriction bypass vulnerability in the breadcrumb trail. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early...
"Schedule" function in Cybozu Office vulnerable to cross-site scripting
Overview Cybozu Office provided by Cybozu,Inc. contains a cross-site scripting vulnerability. Kusano Kazuhiko reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated...
baserCMS vulnerable to cross-site scripting
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS contains a stored cross-site scripting vulnerability. Masamu Asato of National Institute of Technology, Okinawa College reported this vulnerability to IPA. JPCERT/CC coordinated with the develop...
baserCMS vulnerable to cross-site request forgery
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS contains a cross-site request forgery vulnerability. Norihiko Hirukawa of FiveDrive Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
baserCMS plugin Mail vulnerable to cross-site request forgery
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS and bundled plugin Mail contain a cross-site request forgery vulnerability. Isao Takaesu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
baserCMS vulnerable to cross-site request forgery
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS contains a cross-site request forgery vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
ManageEngine ServiceDesk Plus uses an insecure method for cookie generation
Overview ManageEngine ServiceDesk Plus provided by Zoho Corporation is a help desk software. ManageEngine ServiceDesk Plus uses an insecure method for generating cookies. Akihito Mukai and Tomoshige Hasegawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Money Forward Apps for Android vulnerable in the WebView class
Overview Money Forward Apps for Android contain a vulnerability in the WebView class. Kenta Suefusa, Akinori Konishi and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a us...
Splunk Enterprise and Splunk Light vulnerable to open redirect
Overview Splunk Enterprise and Splunk Light contain an open redirect vulnerability. Note that this vulnerability is different from JVN64800312. Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Splunk Enterprise and Splunk Lite vulnerable to cross-site scripting
Overview Splunk Enterprise and Splunk Lite contain a stored cross-site scripting vulnerability CWE-79. Note that this vulnerability is different from JVN74244518. Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
CS-Cart add-on "Twigmo" vulnerable to PHP object injection
Overview CS-Cart add-on "Twigmo" contains a PHP object injection vulnerability due to a flaw where untrusted input values are unserialized. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A remote...
"New appointment" function in Cybozu Garoon vulnerable to cross-site scripting
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. "New appointment" function in Cybozu Garoon contains a cross-site scripting vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under...
"Response request" function in Cybozu Garoon vulnerable to cross-site scripting
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. "Response request" function in Cybozu Garoon contains a cross-site scripting vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated unde...
OSSEC Web UI vulnerable to cross-site scripting
Overview OSSEC Web UI is a web interface for use with Open Source HIDS Security OSSEC. OSSEC Web UI contains a cross-site scripting CWE-79 vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Coordinate Plus App fails to verify SSL server certificates
Overview Coordinate Plus App provided by Toshiba Corporation fails to verify SSL server certificates. Gaku Taniguchi of RiskFinder,inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle...
EC-CUBE plugin "Coupon Plugin" vulnerable to SQL injection
Overview EC-CUBE plugin "Coupon Plugin" provided by Seed Inc. contains an SQL injection vulnerability CWE-89. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Vtiger CRM does not properly restrict access to application data
Overview Vtiger CRM is a customer relationship management CRM software. Vtiger CRM contains a vulnerability where it does not properly restrict access to user information data. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with th...
QNAP QTS vulnerable to cross-site scripting
Overview QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a cross-site scripting vulnerability CWE-79. Keigo YAMAZAKI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Apache Struts vulnerable to validation bypass in Getter method
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain a validation bypass in Getter method vulnerability. JPCERT/CC Addendum Update: August 25, 2016...
Apache Struts vulnerable to remote code execution
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Web applications that are developed using Apache Struts 2 REST Plugin contain a remote code execution vulnerability. Note that the exploit code for this vulnerability is...
ETX-R vulnerable to denial-of-service (DoS)
Overview ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a denial-of-service DoS vulnerability. Junichi MURAKAMI of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Cybozu Garoon fails to restrict access permissions
Overview Cybozu Garoon is a groupware. Cybozu Garoon fails to restrict access permissions in the API to retrieve the Address Book information. Note that this vulnerability is different from JVN53542912. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through...
DMM.com Securities FX Apps for Android fail to verify SSL server certificates
Overview Multiple Android Applications provided by DMM.com Securities Co.,Ltd. fail to verify SSL server certificates. Gaku Taniguchi of RiskFinder,inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Multiple Buffalo wireless LAN routers vulnerable to directory traversal
Overview Multiple wireless LAN routers provided by BUFFALO INC. contain a directory traversal vulnerability CWE-22. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
NetCommons vulnerable to privilege escalation
Overview NetCommons provided by the NetCommons Project contains a privilege escalation vulnerability. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user wi...
a-blog cms vulnerable to session management
Overview a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a vulnerability in session management of the comment functionality. Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
WN-G300R Series vulnerable to cross-site scripting
Overview WN-G300R Series provided by I-O DATA DEVICE, INC. contains a cross-site scripting vulnerability. WN-G300R Series provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R Series contains a stored cross-site scripting vulnerability CWE-79. Satoshi Ogawa of Mitsui Bussan Secure...
EC-CUBE vulnerable to cross-site request forgery
Overview EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability CWE-352. LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD...
Aterm WF800HP vulnerable to cross-site request forgery
Overview Aterm WF800HP provided by NEC Corporation contains a cross-site request forgery vulnerability CWE-352. Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WordPress plugin "WP Favorite Posts" vulnerable to cross-site scripting
Overview "WP Favorite Posts" is a plugin for WordPress. WP Favorite Posts contains a cross-site scripting vulnerability. Note that this vulnerability cannot be exploited on the default settings. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC...
Multiple Corega wireless LAN routers vulnerable to cross-site request forgery
Overview Multiple wireless LAN routers provided by Corega Inc contain a cross-site request forgery vulnerability CWE-352. Yutaka Kokubu and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. and Ueki Shuya reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Internet Explorer cross-domain policy bypass
Overview Internet Explorer contains a flaw that may allow an attacker to bypass cross-domain policies. Yosuke HASEGAWA of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When a...
HOME SPOT CUBE vulnerable to HTTP header injection
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains a HTTP header injection vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
EC-CUBE plugin BbAdminViewsControl vulnerable to SQL injection
Overview BbAdminViewsControl from BOKUBLOCK CO., LTD. is an EC-CUBE plugin. BbAdminViewsControl contains an SQL injection vulnerability CWE-89. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
File Encryption Software "ED" where encrypted data may be easier to decipher when files of small size are encrypted
Overview File encyption software "ED" contains an issue when files of small size are encyrpted, they may become easier to decipher in comparison to when files of a larger size are encrypted. When encrypting small files that are smaller than the block size 128 bits, file encryption software "ED"...
yoyaku_v41 vulnerable to OS command injection
Overview yoyakuv41 provided by Webservice-DIC is a software to manage conference room reservations. yoyakuv41 contains an OS command injection vulnerability CWE-78. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Welcart vulnerable to SQL injection
Overview Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a SQL injection CWE-89 vulnerability due to the processing of changeSort parameter in admin.php. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
LoadLibrary function in Microsoft Windows fails to validate input properly
Overview The LoadLibrary function in Microsoft Windows fails to validate input properly. As a result, it may load a specially crafted DLL file CWE-114. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Informati...
NetFlow Analyzer vulnerable to cross-site request forgery
Overview NetFlow Analyzer provided by Zoho Corporation contains a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, various administrative functions may be performed. Solution Update the software build and apply the patch Update the software to bui...
iLogScanner vulnerable to cross-site scripting
Overview iLogScanner contains a cross-site scripting vulnerability. iLogScanner provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a software that checks access logs to detect suspected attacks against a web server. iLogScanner contains a cross-site scripting vulnerability CWE-79 d...
Huawei E5332 vulnerable to denial-of-service (DoS)
Overview Huawei E5332 contains a denial-of-service DoS vulnerability. Huawei E5332 provided by Huawei Technologies is a mobile router. Huawei E5332 contain an issue when processing a URL that is extremely long, which may lead to the device to terminate abnormally. Shuto Imai of Chukyo Univ...
TERASOLUNA Server Framework for Java(Web) vulnerable to ClassLoader manipulation
Overview TERASOLUNA Server Framework for JavaWeb provided by NTT DATA Corporation is a software framework for creating Java web applications. TERASOLUNA Server Framework for JavaWeb bundles Apache Struts 1.2.9, which contains a vulnerability where the ClassLoader may be manipulated CVE-2014-0114...
ASP.NET vulnerable to open redirect
Overview ASP.NET provided by Microsoft contains an open redirect vulnerability due to an issue in the login component. ASP.NET provided by Microsoft contains an open redirect vulnerability due to an issue in the login component. Therefore a web application that implements ASP.NET may be vulnerabl...
Arbitrary Commands Execution Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2
Overview The JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2 contain a vulnerability where arbitrary commands may be executed when they receive request messages from unexpected hosts in the network. Impact Malicious users can exploit this vulnerability to execute...
OpenPNE vulnerable to cross-site scripting
Overview The management screen in OpenPNE contains an issue in the processing of data input into the "mobile version color scheme configuration" item, which may result in a cross-site scripting vulnerability. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
Multiple Cybozu products vulnerable to cross-site request forgery
Overview Multiple Cybozu products contain a cross-site request forgery vulnerability. Impact If a user accesses a specially crafted URL while logged in, user passwords or administrator passwords may be altered. Solution Update the Software Update to the latest version according to the information...