5627 matches found
The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries
Overview The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA...
pgAdmin 4 vulnerable to directory traversal
Overview PostgreSQL management tool pgAdmin 4 contains a directory traversal vulnerability CWE-22. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user ...
File and Directory Permissions Vulnerability in Hitachi Tuning Manager
Overview A File and Directory Permissions Vulnerability CVE-2020-36611 exists in Hitachi Tuning Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
OpenAM Web Policy Agent (OpenAM Consortium Edition) vulnerable to path traversal
Overview OpenAM Web Policy Agent OpenAM Consortium Edition provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability CWE-22. Furthermore, a crafted URL may be evaluated incorrectly. OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of...
Command injection vulnerability in SHARP Multifunctional Products (MFP)
Overview SHARP Multifunctional Products MFP contain a command injection vulnerability CWE-77, CVE-2022-45796. The OS layer is affected beyond the web application component, however treating the web application component as separate from the OS layer, 'Scope' is analyzed as 'S:C'. Sharp reported...
Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
Overview CONPROSYS HMI System CHS provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2022-44456 Use of Default Credentials CWE-1392 - CVE-2023-22331 Use of Password Hash Instead of Password for Authentication CWE-836 - CVE-2023-22334...
Typora fails to properly neutralize JavaScript code.
Overview Typora fails to properly neutralize JavaScript code CWE-116. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Opening a file with the affected product may lead to...
Growi vulnerable to improper access control
Overview GROWI provided by WESEEK, Inc. contains an improper access control vulnerability CWE-284. Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A us...
IPFire WebUI vulnerable to cross-site scripting
Overview The web user interface of IPFire provided by IPFire Project contains multiple stored cross-site scripting vulnerabilities CWE-79. This analysis assumes a scenario where one administrative user prepares malicious content, and then another administrative user accesses this content, resulti...
UNIMO Technology digital video recorders vulnerable to missing authentication for critical functions
Overview Multiple digital video recorders provided by UNIMO Technology Co., Ltd do not perform authentication for some critical functions CWE-306 in the device management web interface. The reporter states that attacks exploiting this vulnerability have been observed. Yoshiki Mori, Ushimaru Hayat...
Trend Micro Endpoint security products for enterprises vulnerable to Link Following Local Privilege Escalation
Overview Trend Micro Incorporated has released security updates for Endpoint security products for enterprises. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A non-administrative user of the system where the affected product...
web2py vulnerable to open redirect
Overview web2py contains an open redirect vulnerability CWE-601. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a specially crafted URL, t...
T&D Data Server and THERMO RECORDER DATA SERVER contain a directory traversal vulnerability.
Overview T Data Server and THERMO RECORDER DATA SERVER provided by T Corporation contain a directory traversal vulnerability CWE-22. Shun Asai of FiveDrive, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
Trend Micro Password Manager vulnerable to privilege escalation
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported the vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A non-administrative user of the system where the affected product is installed...
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery
Overview WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability CWE-352. Kosuke Sakai reported and coordinated with the developer to fix this vulnerability. After coordination was...
Trend Micro Antivirus for Mac vulnerable to privilege escalation
Overview Trend Micro Incorporated has released a security update for Trend Micro Antivirus for Mac. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A user who can log in to the system where the affected product is installed may...
WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization
Overview WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains a missing authorization vulnerability CWE-862. Keitaro Yamazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
AttacheCase may insecurely load Dynamic Link Libraries
Overview AttacheCase may insecurely load Dynamic Link Libraries. AttacheCase is an open source file encryption software provided by HiBARA Software. AttacheCase contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Taizoh Tsukamoto of...
Multiple vulnerabilities in OMRON CX-Programmer
Overview CX-Programmer provided by OMRON Corporation contains multiple vulnerabilities listed below. Out-of-bounds Write CWE-787 - CVE-2022-21124 Use After Free CWE-416 - CVE-2022-25230 Use After Free CWE-416 - CVE-2022-25325 Out-of-bounds Read CWE-125 - CVE-2022-21219 Out-of-bounds Write CWE-787...
Multiple vulnerabilities in Trend Micro ServerProtect
Overview Trend Micro Incorporated has released security updates for ServerProtect. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Remote control execution due to insufficiently protected static credentials Denial-of-servic...
Norton Security for Mac improperly processes ICMP packets
Overview Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash CWE-20. Yuki Meguro of Tohoku Information Systems Company, Incorporated reported this vulnerability to IPA. JPCERT/CC...
EC-CUBE improperly handles HTTP Host header values
Overview EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values CWE-913. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning...
Multiple vulnerabilities in multiple ELECOM LAN routers
Overview Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Hidden functionality CWE-912 - CVE-2022-21173 Cross-site scripting CWE-79 - CVE-2022-21799 CVE-2022-21173 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this...
Multiple ESET products for macOS vulnerable to improper server certificate verification
Overview Multiple ESET products for macOS are vulnerable to improper server certificate verification CWE-295. KOBAYASHI Yasuyuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may...
Jimoty App for Android uses a hard-coded API key for an external service
Overview Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service CWE-798. Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact API key for...
Multiple vulnerabilities in QNAP VioStar NVR
Overview VioStar series NVR provided by QNAP Systems contains multiple vulnerabilities listed below. Command injection CWE-77 - CVE-2021-38685 Improper authentication CWE-287 - CVE-2021-38686 Impact An arbitrary command may be executed by a remote attacker. - CVE-2021-38685 A remote attacker can...
Multiple vulnerabilities in Trend Micro Security 2021 family (Consumer)
Overview Trend Micro Incorporated has released security updates for Trend Micro Security 2021 family Consumer. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Maximum Security 2021 A user who can log in to the system where...
Multiple vulnerabilities in multiple ELECOM routers
Overview Multiple routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper access control leading to unauthorized activation of telnet service CWE-284 - CVE-2021-20862 OS command injection CWE-78 - CVE-2021-20863 Improper access control leading to unauthorized...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2021-41243 Arbitrary code upload vulnerability in Database restore CWE-434 - CVE-2021-41279 CVE-2021-41243 Akagi Yusuke of NTT-ME CORPORATION reported this...
Multiple vulnerabilities in EC-CUBE 2 series
Overview EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. Improper access control in Management screen CWE-284 - CVE-2021-20841 Cross-site request forgery vulnerability in Management screen CWE-352 - CVE-2021-20842 EC-CUBE CO.,LTD. reported these...
Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X
Overview CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities listed below. Buffer overflow in the Disk Agent CWE-119 - CVE-2021-20700, CVE-2021-20701 Buffer overflow in the Transaction Server CWE-119 - CVE-2021-20702, CVE-2021-20703 Buffer overflow in th...
ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS)
Overview ESET Cyber Security and ESET Endpoint series are antivirus software. ESET Cyber Security and ESET Endpoint series for macOS contain a denial-of-service DoS vulnerability CWE-404. Zhou Tingrui of Kaijo Junior & Senior High School reported this vulnerability to the developer and IPA...
Multiple vulnerabilities in Cybozu Remote Service
Overview Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-525 Cross-site request forgery vulnerability in the management screen CWE-352 - CVE-2021-20795 CyVDB-1742 Path traversal vulnerability in the management screen CWE-22 - CVE-2021-20796...
Multiple vulnerabilities in Sharp NEC Display Solutions' public displays
Overview Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain multiple vulnerabilities listed below. Command Injection CWE-77 - CVE-2021-20698 Buffer Overflow CWE-120 - CVE-2021-20699 Howard McGreehan of Aon's Cyber Solutions reported these vulnerabilities to Sharp NEC...
Multiple cross-site scripting vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Search screen CWE-79 - CVE-2021-20808 Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type CWE-79 -...
Multiple vulnerabilities in multiple Trend Micro Endpoint security products for enterprises
Overview Multiple Endpoint security products for enterprises provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. Incorrect Permission Assignment CWE-732 - CVE-2021-32464 Improper Preservation of Permissions CWE-281 - CVE-2021-32465 Improper Input Validation CWE-20 ...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-1782 Cross-site scripting vulnerability in Scheduler CWE-79 - CVE-2021-20753 CyVDB-2029 Improper input validation vulnerability in Workflow CWE-20 - CVE-2021-20754 CyVDB-2071 Viewing restrictions...
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) vulnerable to cross-site scripting
Overview Trend Micro Incorporated has released a security update for InterScan Web Security Virtual Appliance IWSVA. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A user may be redirected to an arbitrary website due to the...
Multiple cross-site scripting vulnerabilities in EC-CUBE
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20750 Cross-site scripting vulnerability CWE-79 - CVE-2021-20751 hibiki moriyama of STNet, Incorporated reported these...
Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
Overview Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability CWE-79. An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE. As of 2021 June 15, an attack exploting this vulnerability has been observed in the wil...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. NoSQL injection CWE-943 - CVE-2021-20736 Improper authentication CWE-287 - CVE-2021-20737 Impact The expected impact depends on each vulnerability, but it may be affected as follows. A user who can access the...
WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a stored cross-site scripting vulnerability CWE-79. Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
mod_auth_openidc vulnerable to denial-of-service (DoS)
Overview modauthopenidc provided by ZmartZone is an OpenID Connect's Relying Party module for Apache HTTP Server. This module contains a denial-of-service DoS vulnerability CWE-400. Tatsuhiko Yasumatsu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
EC-CUBE vulnerable to cross-site scripting
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability CWE-79. An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE. As of 2021 May 10, an attack exploting this vulnerability has been observed in the wild...
D-Link DAP-1880AC contains multiple vulnerabilities
Overview DAP-1880AC provided by D-Link Japan K.K. contains multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2021-20694 Improper privilege management CWE-269 - CVE-2021-20695 OS command injection CWE-78 - CVE-2021-20696 Missing authentication for critical function CWE-3...
Yomi-Search vulnerable to cross-site scripting
Overview Yomi-Search provided by WonderLink is a directory type search engine program. Yomi-Search contains a cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 22, 2021, it was judged that an...
Wekan vulnerable to cross-site scripting
Overview Wekan, open source kanban board system, is vulnerable to cross-site scripting CWE-79. This vulnerability is treated as one of multiple cross-site scripting vulnerabilities, named "Fieldbleed". Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA...
WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
Overview WordPress Plugin "Name Directory" provided by J. Peters contains a cross-site request forgery vulnerability CWE-352. Yuta Asai of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the developer and...
Panasonic Video Insight VMS vulnerable to arbitrary code execution
Overview Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94 because unencrypted communication exists in the communication using non-well known ports. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its...
Multiple vulnerabilities in multiple ELECOM products
Overview Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20643 Script injection in web setup page CWE-74 - CVE-2021-20644 Stored cross-site scripting CWE-79 - CVE-2021-20645 Cross-site request forgery CWE-352 ...