5625 matches found
"RoboForm Password Manager" App for Android vulnerable to authentication bypass using an alternate path or channel
Overview "RoboForm Password Manager" App for Android provided by Siber Systems, Inc. is vulnerable to authentication bypass using an alternate path or channel CWE-288. Johan Francsics reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An attacker with acces...
Multiple vulnerabilities in The LuxCal Web Calendar
Overview The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below. SQL injection in pdf.php CWE-89 - CVE-2025-25221 SQL injection in retrieve.php CWE-89 - CVE-2025-25222 Path traversal in dloader.php CWE-22 - CVE-2025-25223 Missing authentication in dloader.php...
Multiple vulnerabilities in NEC Aterm series (NV25-003)
Overview Aterm series provided by NEC Corporation contains multiple vulnerabilities listed below. Stored Cross-site Scripting CWE-79 - CVE-2025-0354 Missing Authentication for Critical Function CWE-306 - CVE-2025-0355 OOS Command Injection CWE-78 - CVE-2025-0356 CVE-2025-0354, CVE-2025-0355...
acmailer vulnerable to cross-site scripting
Overview acmailer provided by Extra Innovation Inc. contains a cross-site scripting vulnerability CWE-79. This vulnerability was reported to IPA, and JPCERT/CC started coordination with the developer in 2023. The developer released the fixed version on 2023. The coordination between JPCERT/CC and...
Multiple security updates for Trend Micro Apex One and Apex One as a Service (December 2024)
Overview Trend Micro Apex One and Apex One as a Service contain multiple vulnerabilities. Trend Micro Incorporated has released multiple security updates for Trend Micro Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the...
"Kura Sushi Official App Produced by EPARK" for Android uses a hard-coded cryptographic key
Overview "Kura Sushi Official App Produced by EPARK" for Android provided by EPARK, Inc. uses a hard-coded cryptographic key CWE-321. Nishimura Reiji of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Vulnerability in Cosminexus
Overview Vulnerability has been found in Cosminexus. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices
Overview Multiple network devices network cameras and a router provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2024-45372 Cross-site scripting vulnerability in the web management page CWE-79 - CVE-2024-45836...
Multiple vulnerabilities in TAKENAKA ENGINEERING digital video recorders
Overview Multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. contain multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2024-41929 OS command injection CWE-78 - CVE-2024-43778 Hidden functionality CWE-912 - CVE-2024-47001 Yoshiki Mori, Ushimaru...
Security Problem in Web Browser Permission Mechanism
Overview A research team of Waseda University and NTT Social Informatics Laboratories conducted a systematic analysis of the permission mechanisms of 5 different Operating Systems both mobile and desktop OS and 22 major browsers running on each OS. The results show that they have multiple problem...
Packetbeat vulnerable to denial-of-service (DoS)
Overview Packetbeat provided by Elastic contains a denial-of-service DoS vulnerability. Packetbeat provided by Elastic is a network packet analyzer. Packetbeat contains a flaw in processing the PostgreSQL handler CWE-129 . Impact Processing a specially crafted packet may lead to a denial-of-servi...
"Rakuten Ichiba App" fails to restrict custom URL schemes properly
Overview "Rakuten Ichiba App" provided by Rakuten Group, Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Shiga Takuma of BroadBand Security...
EC-CUBE 4 Series improper input validation when installing plugins
Overview EC-CUBE 4 series provided by EC-CUBE CO.,LTD improperly validates inputs when installing plugins CWE-349. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early...
Multiple products from Check Point Software Technologies vulnerable to information disclosure
Overview Multiple products from Check Point Software Technologies contain an information disclosure vulnerability CWE-200,CVE-2024-24919. JPCERT/CC coordinated with Check Point Software Technologies to publish this advisory in order to notify users of this vulnerability. Impact A remote attacker...
Multiple vulnerabilities in multiple Trend Micro products
Overview Trend Micro Incorporated has released security updates for multiple Trend Micro products. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Apex One 2019 On-prem, Apex One as a Service Local privilege escalation due ...
OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
Overview Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity CWE-345. OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If a user program in the...
Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Overview Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Kenichiro Ito of TDU Cryptography Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securi...
Proscend Communications M330-W and M330-W5 vulnerable to OS command injection
Overview M330-W and M330-W5 provided by Proscend Communications Inc. are LTE Industrial Cellular Routers. M330-W and M330-W5 contain an OS command injection vulnerability CWE-78. CYNEX Analysis Team of National Institute of Information and Communications Technology reported this vulnerability to...
Multiple vulnerabilities in WordPress Plugin "Ninja Forms"
Overview WordPress Plugin "Ninja Forms" provided by Saturday Drive contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2024-25572 Stored cross-site scripting in submit processing CWE-79 - CVE-2024-26019 Stored cross-site scripting in custom fields for labels...
FURUNO SYSTEMS Managed Switch ACERA 9010 running in non MS mode with the initial configuration has no password
Overview In the initial configuration of Managed Switch ACERA 9010 provided by FURUNO Systems Co., Ltd., the password is empty CWE-258 and the remote access service is enabled. The products are affected only when running in non MS mode with the initial configuration. FURUNO SYSTEMS Co.,Ltd...
Multiple vulnerabilities in KEYENCE KV STUDIO, KV REPLAY VIEWER, and VT5-WX15/WX12
Overview KV STUDIO, KV REPLAY VIEWER, and VT5-WX15/WX12 provided by KEYENCE CORPORATION contain multiple vulnerabilities listed below. Out-of-bounds write CWE-787 - CVE-2024-29218 Out-of-bounds read CWE-125 - CVE-2024-29219 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC...
ffBull vulnerable to OS command injection
Overview ffBull according to the original report submitted by the reporter provided by Fortunefield is a bulletin board system BBS. ffBull contains an OS command injection vulnerability CWE-78. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on...
BUFFALO LinkStation 200 series vulnerable to arbitrary code execution
Overview LinkStation 200 series provided by BUFFALO INC. is a network attached storage NAS. LinkStation 200 series contains an arbitrary code execution vulnerability CWE-354, CVE-2023-51073 due to insufficient verification of data authenticity during firmware update. BUFFALO INC. reported this...
Multiple vulnerabilities in FitNesse
Overview FitNesse contains multiple vulnerabilities listed below. Multiple cross-site scripting CWE-79 - CVE-2024-23604, CVE-2024-28128 Improper restriction of XML external entity references CWE-611 -CVE-2024-28039 OS command injection CWE-78 - CVE-2024-28125 CVE-2024-23604, CVE-2024-28039,...
Oracle WebLogic Server vulnerable to HTTP header injection
Overview Oracle WebLogic Server provided by Oracle contains an HTTP header injection vulnerability CWE-113. Professional Service Department of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...
Multiple vulnerabilities in ELECOM and LOGITEC routers
Overview Multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-43752 Inadequate Encryption Strength CWE-326 - CVE-2023-43757 CVE-2023-43752 Chuya Hayakawa of 00One, Inc. reported this vulnerabilit...
FUJIFILM Business Innovation Corp. and Xerox Corporation MFPs export Address Books with insufficient encryption strength
Overview Multiple MFPs multifunction printers provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book with encrypted form, but the encryption strength is insufficient CWE-1391. Kunal Thakrar and Ceri Coburn of Pen Test...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
Multiple server-side request forgery vulnerabilities in Trend Micro Apex Central (July 2023)
Overview Trend Micro Apex Central is vulnerable to multiple server-side request forgeries. Trend Micro Incorporated has released Patch 5 build 6481 for Trend Micro Apex Central. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact...
Multiple vulnerabilities in SoftEther VPN and PacketiX VPN
Overview SoftEther VPN provided by University of Tsukuba SoftEther VPN Project and PacketiX VPN provided by SoftEther Corporation contain multiple vulnerabilities listed below in VPN Client function, and Dynamic DNS Client function included in the VPN server. Heap-based buffer overflow CWE-122 -...
Null pointer dereference vulnerability in multiple printers and MFPs which implement BROTHER debut web server
Overview Multiple printers and MFPs multifunction printers which implement Brother debut web server contain a null pointer dereference vulnerability CWE-476, CVE-2023-29984. Darren Johnson directly reported this vulnerability to BROTHER INDUSTRIES, LTD. and FUJIFILM Business Innovation Corp., and...
Multiple vulnerabilities in WAVLINK WL-WN531AX2
Overview WL-WN531AX2 provided by WAVLINK contains multiple vulnerabilities listed below. Client-side enforcement of server-side security CWE-602 - CVE-2023-32612 Exposure of resource to wrong sphere CWE-668 - CVE-2023-32613 Improper authentication CWE-287 - CVE-2023-32620 Unrestricted upload of...
"WPS Office" vulnerable to OS command injection
Overview "WPS Office" which was provided by KINGSOFT JAPAN, INC. contains an OS command injection vulnerability CWE-78. Impact If a remote attacker who can conduct a man-in-the-middle attack connects the product to a malicious server and sends a specially crafted data, an arbitrary OS command may...
DataSpider Servista uses a hard-coded cryptographic key
Overview DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazo...
Multiple vulnerabilities in T&D and ESPEC MIC data logger products
Overview Multiple data logger products provided by T Corporation and ESPEC MIC CORP. contain multiple vulnerabilities listed below. Client-side enforcement of server-side security CWE-602 - CVE-2023-22654 Improper authentication CWE-287 - CVE-2023-27388 Missing authentication for critical functio...
OS command injection vulnerability in Inaba Denki Sangyo Wi-Fi AP UNIT
Overview Wi-Fi AP UNIT provided by Inaba Denki Sangyo Co., Ltd. contains an OS command injection vulnerability CWE-78. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An arbitrary OS command may be executed by an authenticat...
Heap-based buffer overflow vulnerability in OMRON CX-Drive
Overview CX-Drive provided by OMRON Corporation contains a heap-based buffer overflow vulnerability CWE-122, CVE-2023-27385. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact By having a user open a specially crafted SDD file, arbitrary code...
EC-CUBE plugin "NEXT ENGINE Integration Plugin (for EC-CUBE 2.0 series)" vulnerable to authentication bypass
Overview EC-CUBE plugin "NEXT ENGINE Integration Plugin for EC-CUBE 2.0 series" provided by NE Inc. contains an authentication bypass vulnerability CWE-287. TSUKADA Nobuhisa of Seasoft reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Security Issues in FINS protocol
Overview FINS Factory Interface Network Service is a message communication protocol, which is designed to be used in closed FA Factory Automation networks, and is used in FA networks composed of Omron products. FINS commands enable to read/write information, conduct various operations and set the...
Improper restriction of XML external entity references (XXE) in National land numerical information data conversion tool
Overview National land numerical information data conversion tool provided by MLIT improperly restricts XML external entity references XXE CWE-611. Taku Toyama and Kohei Matsumoto of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in Contec CONPROSYS IoT Gateway products
Overview CONPROSYS IoT Gateway products provided by Contec CO.,LTD. contain multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-27917 Network Maintenance page validates input values improperly, resulting in OS command injection. Inadequate Encryption Strength CWE-326 -...
The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries
Overview The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA...
Typora fails to properly neutralize JavaScript code.
Overview Typora fails to properly neutralize JavaScript code CWE-116. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Opening a file with the affected product may lead to...
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Privilege escalation due to a Time-of-check Time-of-use TOCTOU Race...
Multiple vulnerabilities in SVMPC1 and SVMPC2
Overview SVMPC1 and SVMPC2 provided by Daikin Holdings Singapore Pte Ltd. contain multiple vulnerabilities listed below. Use of hard-coded password CWE-259 - CVE-2022-41653 Improper access control CWE-284 - CVE-2022-38355 Impact Exploiting these vulnerabilities may allow an attacker on the same L...
Growi vulnerable to improper access control
Overview GROWI provided by WESEEK, Inc. contains an improper access control vulnerability CWE-284. Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A us...
IPFire WebUI vulnerable to cross-site scripting
Overview The web user interface of IPFire provided by IPFire Project contains multiple stored cross-site scripting vulnerabilities CWE-79. This analysis assumes a scenario where one administrative user prepares malicious content, and then another administrative user accesses this content, resulti...
UNIMO Technology digital video recorders vulnerable to missing authentication for critical functions
Overview Multiple digital video recorders provided by UNIMO Technology Co., Ltd do not perform authentication for some critical functions CWE-306 in the device management web interface. The reporter states that attacks exploiting this vulnerability have been observed. Yoshiki Mori, Ushimaru Hayat...
T&D Data Server and THERMO RECORDER DATA SERVER contain a directory traversal vulnerability.
Overview T Data Server and THERMO RECORDER DATA SERVER provided by T Corporation contain a directory traversal vulnerability CWE-22. Shun Asai of FiveDrive, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
Multiple vulnerabilities in OMRON CX-Programmer
Overview CX-Programmer provided by OMRON Corporation contains multiple vulnerabilities listed below. Out-of-bounds Write CWE-787 - CVE-2022-21124 Use After Free CWE-416 - CVE-2022-25230 Use After Free CWE-416 - CVE-2022-25325 Out-of-bounds Read CWE-125 - CVE-2022-21219 Out-of-bounds Write CWE-787...