5627 matches found
Multiple vulnerabilities in Group-Office
Overview Group-Office provided by Intermesh BV contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2025-53504 Path traversal CWE-22 - CVE-2025-53505 Rikuto Tauchi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
FUJIFILM Healthcare Americas Synapse Mobility vulnerable to Privilege Escalation
Overview Synapse Mobility provided by FUJIFILM Healthcare Americas Corporation is vulnerable to privilege escalation. Privilege escalation vulnerability through external control of Web parameter CWE-472 - CVE-2025-54551 Christopher Alejandro Moroco reported this vulnerability to CISA ICS...
Multiple vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. Use of less trusted source CWE-348 - CVE-2025-53522 Open redirect CWE-601 - CVE-2025-55706 Six Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN...
JVN#46919949: PgManage vulnerable to injection
PgManage provided by Command Prompt, Inc. uses RestrictedPython module. The version of RestrictedPython module imported to PgManage contains vulnerabilities, which are inherited to PgManage CWE-477. Impact A user of the affected product may escape a sandbox and execute arbitrary code. Solution...
Seagate Toolkit registers a Windows service with an unquoted file path
Overview Seagate Toolkit provided by Seagate Technology contains the following vulnerability. Unquoted search path or element CWE-428 - CVE-2025-9043 Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to the developer and IPA. JPCERT/CC coordinated with the developer...
Multiple vulnerabilities in PowerCMS
Overview PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2025-36563 Stored cross-site scripting CWE-79 - CVE-2025-41391 Path traversal in file uploading CWE-22 - CVE-2025-41396 Path traversal in backup restore CWE-22 -...
TP-Link Archer C1200 vulnerable to clickjacking
Overview Archer C1200 provided by TP-Link Systems Inc. contains the following vulnerability. Clickjacking CWE-1021 - CVE-2025-6983 Daimon Kawashima reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user...
Security updates for Trend Micro products (June 2025)
Overview Trend Micro Incorporated has released security updates for multiple Trend Micro products. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. Impact Key memory-mapped files may be overwritten due to an insecure access control...
Firebox T15 contains an issue with hidden functionality
Overview Firebox T15 provided by WatchGuard Technologies contains the following vulnerability. Hidden functionality CWE-912 - CVE-2025-4106 Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An attacker may log...
Multiple vulnerabilities in Nimesa Backup and Recovery
Overview Nimesa Backup and Recovery provided by Nimesa contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-48501 Server-side request forgery CWE-918 - CVE-2025-53473 Kentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA. JPCERT/CC...
Pass-Back Attack vulnerability in Konica Minorta bizhub series
Overview Konica Minorta bizhub series provided by Konica Minolta, Inc. contains the following vulnerability. Vulnerability that could allow a Pass-Back Attack CWE-522 - CVE-2025-6081 Konica Minolta, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact...
Multiple vulnerabilities in multiple BROTHER products
Overview Multiple BROTHER products provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below. Exposure of sensitive system information to an unauthorized control sphere CWE-497 - CVE-2024-51977 Use of weak credentials CWE-1391 - CVE-2024-51978 Stack-based buffer overflow...
Multiple vulnerabilities in ELECOM wireless LAN routers
Overview Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 - CVE-2025-36519 OS command injection in Connection Diagnostics page CWE-78 - CVE-2025-41427 Stored cross-site scripting in...
Trend Micro Internet Security and Trend Micro Maximum Security vulnerable to link following local privilege escalation (CVE-2025-49384, CVE-2025-49385)
Overview Trend Micro Incorporated has released security updates for Trend Micro Internet Security and Trend Micro Maximum Security that contains a fix for a link following local privilege escalation vulnerability CVE-2025-49384, CVE-2025-49385. Trend Micro Incorporated reported this vulnerability...
Multiple vulnerabilities in wivia 5
Overview wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2025-41385 Cross-site Scripting CWE-79 - CVE-2025-41406 Client-Side Enforcement of Server-Side Security CWE-602 - CVE-2025-47697 Shogo Iyota of GMO Cybersecurity by...
Improper access permission settings in multiple SEIKO EPSON printer drivers for Windows OS
Overview Multiple SEIKO EPSON printer drivers for Windows OS are configured with an improper access permission settings when installed or used in a language other than English. Incorrect default permissions CWE-276 - CVE-2025-42598 Private security researcher Erkan Ekici reported this vulnerabili...
Multiple vulnerabilities in Quick Agent
Overview Quick Agent provided by SIOS Technology, Inc. is a Windows application for the following Ricoh MFPs' multifunction printers scan solutions. Quick Scan Easy FAX Speedoc Smart eco FAX Quick Agent contains multiple vulnerabilities listed below. Path traversal vulnerability in the file uploa...
i-PRO Configuration Tool vulnerable to use of hard-coded cryptographic key
Overview i-PRO Configuration Tool provided by i-PRO Co., Ltd. contains a vulnerability below. Use of hard-coded cryptographic key CWE-321 Diego Giubertoni of Nozomi Networks Inc. reported this vulnerability to i-PRO Co., Ltd. and coordinated. After the coordination was completed, i-PRO Co., Ltd...
Multiple vulnerabilities in JTEKT ELECTRONICS CORPORATION's products
Overview HMI ViewJet C-more series and HMI GC-A2 series provided by JTEKT ELECTRONICS CORPORATION contain multiple vulnerabilities listed below. Improper Restriction of Rendered UI Layers or Frames CWE-1021 - CVE-2025-24310 Allocation of Resources Without Limits or Throttling CWE-770 -...
Improper symbolic link file handling in FutureNet NXR series, VXR series and WXR series routers
Overview FutureNet NXR series, VXR series and WXR series routers provided by Century Systems Co., Ltd. fail to properly handle symbolic link files CWE-61. Century Systems Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact Attaching to the affect...
a-blog cms vulnerable to untrusted data deserialization
Overview a-blog cms provided by appleple inc. contains untrusted data deserialization vulnerability CWE-502. The developer states that attacks exploiting the vulnerability has been observed on a-blog cms Ver.2.8.x series or later. appleple inc. reported this vulnerability to JPCERT/CC to notify...
Multiple vulnerabilities in CHOCO TEI WATCHER mini
Overview CHOCO TEI WATCHER mini provided by Inaba Denki Sangyo Co., Ltd. contains multiple vulnerabilities listed below. Use of client-side authentication CWE-603 - CVE-2025-24517 Storing passwords in a recoverable format CWE-257 - CVE-2025-24852 Weak password requirements CWE-521 - CVE-2025-2521...
Multiple vulnerabilities in AssetView
Overview AssetView provided by Hammock Corporation contains multiple vulnerabilities listed below. Missing authentication for critical function CWE-306 - CVE-2025-25060 Acquiring sensitive information from sent data to the developer CWE-201 - CVE-2025-27244 Takao Kondo of VeriServe Corporation...
"RoboForm Password Manager" App for Android vulnerable to authentication bypass using an alternate path or channel
Overview "RoboForm Password Manager" App for Android provided by Siber Systems, Inc. is vulnerable to authentication bypass using an alternate path or channel CWE-288. Johan Francsics reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An attacker with acces...
Multiple vulnerabilities in The LuxCal Web Calendar
Overview The LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below. SQL injection in pdf.php CWE-89 - CVE-2025-25221 SQL injection in retrieve.php CWE-89 - CVE-2025-25222 Path traversal in dloader.php CWE-22 - CVE-2025-25223 Missing authentication in dloader.php...
Multiple vulnerabilities in NEC Aterm series (NV25-003)
Overview Aterm series provided by NEC Corporation contains multiple vulnerabilities listed below. Stored Cross-site Scripting CWE-79 - CVE-2025-0354 Missing Authentication for Critical Function CWE-306 - CVE-2025-0355 OOS Command Injection CWE-78 - CVE-2025-0356 CVE-2025-0354, CVE-2025-0355...
acmailer vulnerable to cross-site scripting
Overview acmailer provided by Extra Innovation Inc. contains a cross-site scripting vulnerability CWE-79. This vulnerability was reported to IPA, and JPCERT/CC started coordination with the developer in 2023. The developer released the fixed version on 2023. The coordination between JPCERT/CC and...
Multiple security updates for Trend Micro Apex One and Apex One as a Service (December 2024)
Overview Trend Micro Apex One and Apex One as a Service contain multiple vulnerabilities. Trend Micro Incorporated has released multiple security updates for Trend Micro Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the...
Multiple vulnerabilities in SHARP routers
Overview SHARP routers contain multiple vulnerabilities listed below. OS command injection vulnerability in the HOST name configuration screen CWE-78 - CVE-2024-45721 The hidden debug function is enabled CWE-489 - CVE-2024-46873 Buffer overflow vulnerability in the hidden debug function CWE-120 -...
"Kura Sushi Official App Produced by EPARK" for Android uses a hard-coded cryptographic key
Overview "Kura Sushi Official App Produced by EPARK" for Android provided by EPARK, Inc. uses a hard-coded cryptographic key CWE-321. Nishimura Reiji of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Multiple vulnerabilities in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software
Overview AIPHONE IX SYSTEM is an IP Network Audio-Video Intercom and IXG SYSTEM is an IP-based Residential System. IX SYSTEM, IXG SYSTEM, and System Support Software contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2024-31408 Insufficiently protected credentials...
Multiple vulnerabilities in PLANEX COMMUNICATIONS network devices
Overview Multiple network devices network cameras and a router provided by PLANEX COMMUNICATIONS INC. contain multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2024-45372 Cross-site scripting vulnerability in the web management page CWE-79 - CVE-2024-45836...
Multiple vulnerabilities in TAKENAKA ENGINEERING digital video recorders
Overview Multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. contain multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2024-41929 OS command injection CWE-78 - CVE-2024-43778 Hidden functionality CWE-912 - CVE-2024-47001 Yoshiki Mori, Ushimaru...
Security Problem in Web Browser Permission Mechanism
Overview A research team of Waseda University and NTT Social Informatics Laboratories conducted a systematic analysis of the permission mechanisms of 5 different Operating Systems both mobile and desktop OS and 22 major browsers running on each OS. The results show that they have multiple problem...
Packetbeat vulnerable to denial-of-service (DoS)
Overview Packetbeat provided by Elastic contains a denial-of-service DoS vulnerability. Packetbeat provided by Elastic is a network packet analyzer. Packetbeat contains a flaw in processing the PostgreSQL handler CWE-129 . Impact Processing a specially crafted packet may lead to a denial-of-servi...
EC-CUBE plugin (for EC-CUBE 4 series) "EC-CUBE Web API Plugin" vulnerable to stored cross-site scripting
Overview EC-CUBE plugin for EC-CUBE 4 series "EC-CUBE Web API Plugin" provided by EC-CUBE CO.,LTD. contains a stored cross-site scripting vulnerability CWE-79 in OAuth Management feature. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...
EC-CUBE 4 Series improper input validation when installing plugins
Overview EC-CUBE 4 series provided by EC-CUBE CO.,LTD improperly validates inputs when installing plugins CWE-349. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early...
Multiple products from Check Point Software Technologies vulnerable to information disclosure
Overview Multiple products from Check Point Software Technologies contain an information disclosure vulnerability CWE-200,CVE-2024-24919. JPCERT/CC coordinated with Check Point Software Technologies to publish this advisory in order to notify users of this vulnerability. Impact A remote attacker...
Multiple vulnerabilities in multiple Trend Micro products
Overview Trend Micro Incorporated has released security updates for multiple Trend Micro products. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Apex One 2019 On-prem, Apex One as a Service Local privilege escalation due ...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability CWE-78. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a user who can log in to the product sends a specially crafte...
Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Overview Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Kenichiro Ito of TDU Cryptography Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securi...
Panasonic KW Watcher vulnerable to memory buffer error
Overview KW Watcher provided by Panasonic contains a vulnerability due to improper restriction of operations within the bounds of a memory buffer CWE-119, CVE-2024-4162. Michael Heinzl reported this vulnerability to Panasonic and coordinated. After the coordination was completed, Panasonic report...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-3167 Improper handling of data in Mail CWE-231 - CVE-2024-31397 CyVDB-3221 Improper restriction on the output of some API CWE-201 - CVE-2024-31398 CyVDB-3238 Excessive resource consumption in Mai...
Multiple vulnerabilities in WordPress Plugin "Ninja Forms"
Overview WordPress Plugin "Ninja Forms" provided by Saturday Drive contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2024-25572 Stored cross-site scripting in submit processing CWE-79 - CVE-2024-26019 Stored cross-site scripting in custom fields for labels...
FURUNO SYSTEMS Managed Switch ACERA 9010 running in non MS mode with the initial configuration has no password
Overview In the initial configuration of Managed Switch ACERA 9010 provided by FURUNO Systems Co., Ltd., the password is empty CWE-258 and the remote access service is enabled. The products are affected only when running in non MS mode with the initial configuration. FURUNO SYSTEMS Co.,Ltd...
Multiple vulnerabilities in KEYENCE KV STUDIO, KV REPLAY VIEWER, and VT5-WX15/WX12
Overview KV STUDIO, KV REPLAY VIEWER, and VT5-WX15/WX12 provided by KEYENCE CORPORATION contain multiple vulnerabilities listed below. Out-of-bounds write CWE-787 - CVE-2024-29218 Out-of-bounds read CWE-125 - CVE-2024-29219 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC...
ffBull vulnerable to OS command injection
Overview ffBull according to the original report submitted by the reporter provided by Fortunefield is a bulletin board system BBS. ffBull contains an OS command injection vulnerability CWE-78. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on...
BUFFALO LinkStation 200 series vulnerable to arbitrary code execution
Overview LinkStation 200 series provided by BUFFALO INC. is a network attached storage NAS. LinkStation 200 series contains an arbitrary code execution vulnerability CWE-354, CVE-2023-51073 due to insufficient verification of data authenticity during firmware update. BUFFALO INC. reported this...
Multiple vulnerabilities in FitNesse
Overview FitNesse contains multiple vulnerabilities listed below. Multiple cross-site scripting CWE-79 - CVE-2024-23604, CVE-2024-28128 Improper restriction of XML external entity references CWE-611 -CVE-2024-28039 OS command injection CWE-78 - CVE-2024-28125 CVE-2024-23604, CVE-2024-28039,...
Oracle WebLogic Server vulnerable to HTTP header injection
Overview Oracle WebLogic Server provided by Oracle contains an HTTP header injection vulnerability CWE-113. Professional Service Department of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...