5625 matches found
Multiple vulnerabilities in Panasonic BN-SDWBP3
Overview BN-SDWBP3 provided by Panasonic Corporation is a Wi-Fi Reader/Writer for SD Memory Cards. BN-SDWBP3 contains multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2018-0676 OS Command InjectionCWE-78 - CVE-2018-0677 Buffer Overflow CWE-119 - CVE-2018-0678 Taizoh...
WordPress plugin "Google XML Sitemaps" vulnerable to cross-site scripting
Overview The WordPress plugin "Google XML Sitemaps" provided by Arne Brachhold contains a stored cross-site scripting vulnerability CWE-79. takagisan reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact In the ca...
PgpoolAdmin fails to restrict access permissions
Overview PgpoolAdmin provided by PgPool Global Development Group fails to restrict access permissions CWE-264. Fotios Rogkotis of DarkMatter reported this vulnerability to PgPool Global Development Group, and PgPool Global Development Group reported this vulnerability to IPA to notify users of it...
Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway
Overview Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2018-16197 Hidden functionality CWE-912 - CVE-2018-16198 Cross-site scripting CWE-79 - CVE-2018-16199 OS command injection CWE-78 -...
Multiple vulnerabilities in WordPress plugin "LearnPress"
Overview WordPress LMS plugin "LearnPress" contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2018-16173 Open Redirect CWE-601 - CVE-2018-16174 SQL Injection CWE-89 - CVE-2018-16175 Daiki Sueyoshi of Cryptography Laboratory, Department of Information and Communicati...
SecureCore Standard Edition vulnerable to authentication bypass
Overview SecureCore Standard Edition provided by Feitian Japan Co., Ltd. contains an authentication bypass vulnerability CWE-287. Daisuke Ota of BizReach, inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Multiple vulnerabilities in FileZen
Overview FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface. FileZen contains multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2018-0693 OS command injection CWE-78 - CVE-2018-0694 Soliton Systems K.K...
Multiple vulnerabilities in Denbun
Overview Denbun provided by NEOJAPAN Inc. is a WebMail System. Denbun contains multiple vulnerabilities listed below. Hard-coded credentials for user account CWE-798 - CVE-2018-0680 Hard-coded credentials for the configuration management page CWE-798 - CVE-2018-0681 Improper session management...
Movable Type vulnerable to cross-site scripting
Overview Movable Type provided by Six Apart, Ltd. is a content management system. Movable Type contains a cross-site scripting vulnerability CWE-79. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Multiple directory traversal vulnerabilities in AttacheCase
Overview AttacheCase is an open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability CWE-22 due to a flaw in processing filenames in ATC files. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported CVE-2018-0660...
Explzh vulnerable to directory traversal
Overview Explzh is a file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability CWE-22. Explzh is not vulnerable to relative path traversal but to absolute path traversal. Therefore, an attacker may create new files or overwrite...
Multiple vulnerabilities in Aterm HC100RC
Overview Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639 Buffer Overflow CWE-119 - CVE-2018-0640, CVE-2018-0641 Taizoh Tsukamoto of Mits...
LINE for Windows may insecurely load Dynamic Link Libraries
Overview LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software. If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries CWE-427. LINE...
Information Disclosure Vulnerability in Hitachi Automation Director
Overview An Information Disclosure Vulnerability was found in Hitachi Automation Director. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Self-Extracting Archive files created by IExpress may insecurely load Dynamic Link Libraries
Overview Self-extracting archive files created by IExpress provided Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Microsoft states that the root cause of this vulnerability is "Application Directory App Dir DLL planting"...
WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" vulnerable to cross-site scripting
Overview The WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" provided by Webdados contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warni...
DoS Vulnerability in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager
Overview A DoS Vulnerability was found in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager Deployment Manager Plug-in. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the...
QQQ SYSTEMS vulnerable to cross-site scripting
Overview QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability CWE-79. When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed on t...
GroupSession vulnerable to open redirect
Overview GroupSession provided by Japan Total System Co.,Ltd. is an open source groupware. GroupSession contains an open redirect vulnerability CWE-601. Norihiko Hirukawa of FiveDrive Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
The installer of Music Center for PC may insecurely load Dynamic Link Libraries
Overview Music Center for PC provided by Sony Video & Sound Products Inc. is a file management tool. The installer of Music Center for PC contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Note that this vulnerability is different from...
Fluentd vulenrable to escape sequence injection
Overview Fluentd provided by Cloud Native Computing Foundation CNCF contains an escape sequence injection vulnerability. Fluentd is an open source data collector provided by Cloud Native Computing Foundation CNCF. The parse Filter Plugin for Fluentd contains an escape sequence injection...
Qt for Android vulnerable to OS command injection
Overview Qt for Android provided by The Qt Company contains an OS command injection vulnerability CWE-78. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Multiple vulnerabilities in multiple Buffalo broadband routers
Overview BBR-4HG and BBR-4MG provided by BUFFALO INC. are wireless LAN routers. BBR-4HG and BBR-4MG contain multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2017-10896 Improper Input Validation CWE-20 - CVE-2017-10897 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions,...
Movable Type plugin A-Member and A-Reserve vulnerable to SQL injection
Overview A-Member and A-Reserve provided by ARK-Web co., ltd. are plugins for Movable Type which provide functions to build a membership website or a reservation website. A-Member and A-Reserve contain SQL injection CWE-89 vulnerability due to the issue in processing cookie values. Yuuta Watanabe...
Multiple vulnerabilities in Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1
Overview Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1 provided by Princeton Ltd. is a Wi-Fi storage. Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1 contains multiple vulnerabilities listed below. Improper Access Restriction CWE-284 - CVE-2017-10900 Buffer Overflow CWE-119 -...
StreamRelay.net.exe and sDNSProxy.exe vulnerable to denial-of-service (DoS)
Overview StreamRelay.net.exe and sDNSProxy.exe fail to properly process ICMP Port Unreachable message CWE-703. Tomoki Sanaki reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Tomoki Sanaki coordinated under the Information Security Early Warning...
PWR-Q200 vulnerable to DNS cache poisoning attacks
Overview PWR-Q200 provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is a mobile WiFi router. PWR-Q200 is vulnerable to DNS cache poisoning attacks as DNS queries are done with a fixed source port CWE-330. Toshifumi Sakaguchi reported this vulnerability to IPA. JPCERT/CC coordinated with...
WordPress plugin "TablePress" vulnerable to improper restriction of XML external entity (XXE) references
Overview The WordPress plugin "TablePress" is a plugin to create and manage tables on WordPress site. TablePress contains a vulnerability where XML external entity XXE references are not properly restricted CWE-611. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA...
OpenAM (Open Source Edition) vulnerable to authentication bypass
Overview OpenAM Open Source Edition contains an authentication bypass vulnerability. Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user may...
Memory corruption vulnerability in Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro
Overview Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro contain a memory corruption vulnerability. Impact If a user opens a specially crafted Rakuraku Hagaki file or Rakuraku Hagaki Select for Ichitaro file, arbitrary code may be executed with the privilege of running the application...
Home unit KX-HJB1000 contains multiple vulnerabilities
Overview Home unit KX-HJB1000 provided by Panasonic Corporation is a control system for home network. Home unit KX-HJB1000 contains multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Marp vulnerable to improper access control in JavaScript execution
Overview Marp is a tool to create a presentation PDF with Markdown. Marp executes JavaScript inside the Markdown contents. Marp allows JavaScript to access local resources and files CWE-284. Keitaro Yamazaki of Kyoto University reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Multiple vulnerabilities in CG-WLR300NM
Overview CG-WLR300NM provided by Corega Inc. is a wireless LAN router. CG-WLR300NM contains multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries
Overview Installers of multiple products, and DocuWorks self-extracting documents provided by Fuji Xerox Co.,Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA...
Installer of "Remote Support Tool (Enkaku Support Tool)" may insecurely load Dynamic Link Libraries
Overview Installer of "Remote Support Tool Enkaku Support Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili...
Installer of "Flets Setsuzoku Tool" may insecurely load Dynamic Link Libraries
Overview Installer of "Flets Setsuzoku Tool"provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC...
The installer of the Ministry of Justice [The electronic authentication system based on the commercial registration system "The CRCA user's Software"] may insecurely load Dynamic Link Libraries
Overview The electronic authentication system based on the commercial registration system "The CRCA user's Software" provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. DigiGnome and BlackWingCat of...
Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program may insecurely load Dynamic Link Libraries
Overview Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program provided by Agency for Natural Resources and Energy of METI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this...
Installer of Qua station connection tool for Windows may insecurely load Dynamic Link Libraries
Overview Qua station provided KDDI CORPORATION is a 4G LTE photostrage. Qua station connection tool is used to view data saved on Qua station from a PC and/or save data on a PC. Installer of Qua station connection tool for Windows contains an issue with the DLL search path, which may lead to...
NFC Port Software remover may insecurely load Dynamic Link Libraries
Overview NFC Port Software remover provided by Sony Corporation is an application to remove NFC Port Software. NFC Port Software remover contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this...
Multiple cross-site scripting vulnerabilities in ScreenOS
Overview ScreenOS provided by Juniper Networks contains multiple cross-site scripting vulnerabilities. Toshitsugu Yoneyama and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities SONY Portable Wireless Server WG-C10
Overview Portable Wireless Server WG-C10 provided by Sony Corporation contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2017-2275 Buffer overflow CWE-119 - CVE-2017-2276 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA...
FileCapsule Deluxe Portable and Encrypted Files in Self-Decryption Format created by FileCapsule Deluxe Portable may insecurely load Dynamic Link Libraries
Overview FileCapsule Deluxe Portable is a file encryption software. FileCapsule Deluxe Portable contains the following vulnerabilities. FileCapsule Deluxe Portable insecurely load Dynamic Link Libraries CWE-427 - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269 Encrypted files in self-decryption forma...
Microsoft IME may insecurely load Dynamic Link Libraries
Overview Microsoft IME, bundled with Microsoft Windows, contains an issue in loading DLLs. When some application programs are invoked, they may initiate Microsoft IME. This IME, when initiated, checks a certain registry key for a file path to a DLL file and loads it. This registry key does not...
Cybozu Garoon fails to restrict access permission
Overview Cybozu Garoon provided by Cybozu, Inc. contains an improper access restriction. Jun Kokatsu of KDDI Singapore Dubai Branch reported vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. Impact When a logged-in user accesses ...
Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries
Overview Installer of Setup file of advance preparation for e-Tax software WEB version provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. BlackWingCat of Pink Flying Whale reported this vulnerability to IPA...
WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
Overview The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script ma...
WordPress plugin "WP-Members" vulnerable to cross-site scripting
Overview The WordPress plugin "WP-Members" contains a cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on a logged in...
Open redirect vulnerability in WordPress plugin "WordPress Download Manager"
Overview The WordPress plugin "WordPress Download Manager" provided by W3 Eden, Inc. contains an open redirect vulnerability CWE-601. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Installer of QuickTime for Windows may insecurely load Dynamic Link Libraries
Overview Installer of QuickTime for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...