5625 matches found
Multiple vulnerabilities in F-RevoCRM
Overview F-RevoCRM provided by ThinkingReed inc. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-41149 Cross-site scripting vulnerability CWE-79 - CVE-2023-41150 Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA. JPCERT/...
Multiple vulnerabilities in SHIRASAGI
Overview SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2023-36492 Stored cross-site scripting CWE-79 - CVE-2023-38569 Path traversal CWE-22 - CVE-2023-39448 CVE-2023-36492, CVE-2023-38569 Taiga Shirakura of Mits...
Multiple vulnerabilities in LuxCal Web Calendar
Overview LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2023-39543 SQL injection CWE-89 - CVE-2023-39939 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated wit...
Multiple vulnerabilities in ELECOM and LOGITEC network devices
Overview Multiple network devices provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below. Hidden Functionality CWE-912 - CVE-2023-32626, CVE-2023-35991, CVE-2023-39445 Telnet service access restriction failure CWE-284 - CVE-2023-38132 Hidden Functionalit...
OMRON CJ series and CS/CJ Series EtherNet/IT unit vulnerable to Denial-of-Service (DoS)
Overview Denial-of-service DoS vulnerability due to improper validation of specified type of input CWE-1287 issue exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the communication function of the CS/CJ Series EtherNet/IP unit provided by OMRON Corporation. OMRON...
Multiple vulnerabilities in Command Center RX (CCRX) of Kyocera Document Solutions MFPs and printers
Overview Command Center RX CCRX, a web interface for MFPs and printers provided by KYOCERA Document Solutions Inc., contains multiple vulnerabilities listed below. Path traversal CWE-22 - CVE-2023-34259 Path traversal CWE-22 - CVE-2023-34260 Observable response discrepancy CWE-204 - CVE-2023-3426...
Multiple vulnerabilities in ELECOM and LOGITEC wireless LAN routers
Overview Multiple wireless LAN routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below. Command Injection on the web management page CWE-77 - CVE-2023-37566, CVE-2023-37568 Command Injection on a certain port of the web management page CWE-77 -...
Security updates for multiple Trend Micro products for enterprises (June 2023)
Overview Trend Micro Incorporated has released security updates for multiple Trend Micro products for enterprises. For more details, refer to the information provided by the developer. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JV...
Multiple vulnerabilities in KbDevice digital video recorders
Overview Multiple digital video recorders provided by KbDevice,Inc. contain multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2023-30762 OS command injection CWE-78 - CVE-2023-30764 Hidden functionality CWE-912 - CVE-2023-30766 Yoshiki Mori, Ushimaru Hayato, Hiromu...
"Jiyu Kukan Toku-Toku coupon" App vulnerable to improper server certificate verification
Overview "Jiyu Kukan Toku-Toku coupon" App provided by RUNSYSTEM CO.,LTD. is vulnerable to improper server certificate verification CWE-295. Ryo Nihonyanagi of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Cross-site Scripting Vulnerability in Hitachi Ops Center Analyzer
Overview A Cross-site Scripting Vulnerability exists in Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in SolarView Compact
Overview SolarView Compact provided by CONTEC CO.,LTD. contains multiple vulnerabilities listed below. Use of hard-coded credentials CWE-798 - CVE-2023-27512 OS command injection in the download page CWE-78 - CVE-2023-27514 Buffer overflow in the multiple setting pages CWE-120 - CVE-2023-27518 OS...
WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting
Overview WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" provided by Vektor,Inc. contain multiple cross-site scripting vulnerabilities CWE-79 listed below. Cross-site scripting vulnerability in Tag edit function - CVE-2023-27923 Cross-site scripting vulnerability in Post function ...
JB Inquiry form vulnerable to exposure of private personal information to an unauthorized actor
Overview JB Inquiry form provided by Jubei Inc. contains an exposure of private personal information to an unauthorized actor vulnerability CWE-359. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210
Overview SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 provided by Seiko Solutions Inc. contain multiple vulnerabilities listed below. Exposure of sensitive information to an unauthorized actor CWE-200 - CVE-2016-2183 Command injection CWE-77 - CVE-2022-36556 Unrestricted upload of file with...
HAProxy vulnerable to HTTP request/response smuggling
Overview HAProxy's HTTP/3 implementation fails to block a malformed HTTP header field name, and when deployed in front of a server that incorrectly process this malformed header, it may be used to conduct an HTTP request/response smuggling attack CWE-444. Yuki Mogi of FFRI Security, Inc. reported...
ELECOM WAB-MAT registers its windows service executable with an unquoted file path
Overview WAB-MAT provided by ELECOM CO.,LTD. is Access Point Management Tool for corporate users. WAB-MAT registers its windows service executable with an unquoted file path CWE-428. Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Multiple vulnerabilities in Buffalo network devices
Overview Multiple network devices provided by BUFFALO INC. contain multiple vulnerabilities listed below. Use of hard-coded credentials CWE-798 - CVE-2023-26588 Improper access control CWE-284 - CVE-2023-24544 Stored cross-site scripting CWE-79 - CVE-2023-24464 Impact An attacker may access the...
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Uploading of a large number of files to fill up the file system on the...
Multiple vulnerabilities in SS1 and Rakuraku PC Cloud
Overview SS1 is asset management software and Rakuraku PC Cloud is cloud-based asset management service. SS1 and Rakuraku PC Cloud Agent contain multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2023-22335 Path Traversal CWE-22 - CVE-2023-22336 Use of Hard-coded...
Multiple cross-site scripting vulnerabilities in EC-CUBE
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Contents Management CWE-79 - CVE-2023-22438 Cross-site scripting vulnerability in Authentication Key Settings CWE-79 - CVE-2023-25077 Cross-site...
web2py development tool vulnerable to open redirect
Overview The admin development tool included in the web2py source code contains an open redirect vulnerability CWE-601. According to the developer, they do not recommend using the tool in operational environment or disclosing it on the Internet. Takuto Yoshikai of Aeye Security Lab reported this...
Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools
Overview tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference XXE vulnerability CWE-611. Toyama Taku and Sakaki Ryutaro of NEC Corporation reported this vulnerability to IPA. JPCERT/CC...
Multiple vulnerabilities in JTEKT ELECTRONICS Screen Creator Advance 2
Overview Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below. Out-of-bound write CWE-787 - CVE-2023-22345 Out-of-bound read CWE-125 - CVE-2023-22346, CVE-2023-22347, CVE-2023-22349, CVE-2023-22350, CVE-2023-22353 Use-after-free CWE-416...
Ichiran App vulnerable to improper server certificate verification
Overview Ichiran App developed by Betrend Corporation and provided by ICHIRAN INC. is vulnerable to improper server certificate verification CWE-295. Ryo Nihonyanagi of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
pgAdmin 4 vulnerable to directory traversal
Overview PostgreSQL management tool pgAdmin 4 contains a directory traversal vulnerability CWE-22. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user ...
File and Directory Permissions Vulnerability in Hitachi Tuning Manager
Overview A File and Directory Permissions Vulnerability CVE-2020-36611 exists in Hitachi Tuning Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Privilege escalation and file deletion in Damage Cleanup Engine compone...
Command injection vulnerability in SHARP Multifunctional Products (MFP)
Overview SHARP Multifunctional Products MFP contain a command injection vulnerability CWE-77, CVE-2022-45796. The OS layer is affected beyond the web application component, however treating the web application component as separate from the OS layer, 'Scope' is analyzed as 'S:C'. Sharp reported...
Multiple vulnerabilities in DENSHI NYUSATSU CORE SYSTEM
Overview DENSHI NYUSATSU CORE SYSTEM provided by Japan Construction Information Center contains multiple vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2022-41993 Cross-site scripting vulnerability CWE-79 - CVE-2022-46287 Open redirect vulnerability CWE-601 -...
Redmine vulnerable to cross-site scripting
Overview Redmine contains a cross-site scripting vulnerability CWE-79 caused by improper Textile processing. Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Multiple vulnerabilities in UNIMO Technology digital video recorders
Overview Multiple digital video recorders provided by UNIMO Technology Co., Ltd contain multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2022-44620 OS Command Injection CWE-78 - CVE-2022-44606 Hidden Functionality CWE-912 - CVE-2022-43464 The reporter states that attac...
Multiple vulnerabilities in OMRON CX-Programmer
Overview CX-Programmer provided by Omron Corporation contains multiple vulnerabilities listed below. Use-after-free CWE-416 - CVE-2022-43508, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314 Out-of-bounds Write CWE-787 - CVE-2022-43509 Stack-based Buffer Overflow CWE-121 - CVE-2022-43667 Michael...
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Information disclosure due to Out-of-Bounds read vulnerabilities...
Multiple vulnerabilities in WordPress
Overview WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature. Stored Cross-site scripting CWE-79 - CVE-2022-43497 Stored Cross-site scripting CWE-79 - CVE-2022-43500 Improper authentication CWE-287 - CVE-2022-43504 Toshitsugu Yoneyama of Mitsu...
Multiple vulnerabilities in SHIRASAGI
Overview SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2022-43479 Stored Cross-site Scripting CWE-79 - CVE-2022-43499 SHIGA TAKUMA of BroadBand Security, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with th...
BookStack vulnerable to cross-site scripting
Overview BookStack contains a cross-site scripting vulnerability CWE-79. Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be...
Multiple vulnerabilities in EC-CUBE
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. Directory traversal vulnerability CWE-22 - CVE-2022-40199 DOM-based cross-site scripting vulnerability CWE-79 - CVE-2022-38975 Noriaki Iwasaki of Cyber Defense Institute, Inc. reported these...
Movable Type XMLRPC API vulnerable to command injection
Overview Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability CWE-74. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According...
WordPress Plugin "Newsletter" vulnerable to cross-site scripting
Overview WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability CWE-79. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Multiple vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-839CyVDB-2300CyVDB-3109 Browse restriction bypass vulnerability in Cabinet CWE-284 - CVE-2022-32283 CyVDB-1795 Operation restriction bypass vulnerability in Project CWE-285 - CVE-2022-32544...
U-Boot squashfs filesystem implementation vulnerable to heap-based buffer overflow
Overview U-Boot is a boot loader for multiple platforms, and squashfs filesystem feature is provided since v2020.10-rc2 commit c5100613. squashfs filesystem implementation of U-Boot contains a heap-based buffer overflow vulnerability CWE-122 due to a defect in the metadata reading process...
web2py vulnerable to open redirect
Overview web2py contains an open redirect vulnerability CWE-601. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a specially crafted URL, t...
Growi vulnerable to weak password requirements
Overview GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability CWE-521, CVE-2022-1236. 418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WSEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed,...
FreeBSD vulnerable to denial-of-service (DoS)
Overview FreeBSD contains a denial-of-service DoS vulnerability CWE-400 due to improper handling of TSopt on TCP connections. Impact A remote attacker may be able to cause a denial-of-service DoS condition. Solution Update the software Update the software to the latest version according to the...
WordPress Plugin "Modern Events Calendar Lite" vulnerable to cross-site scripting
Overview WordPress Plugin "Modern Events Calendar Lite" provided by Webnus contains a stored cross-site scripting vulnerability CWE-79. Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Mobaoku-Auction & Flea Market App for iOS vulnerable to improper server certificate verification
Overview Mobaoku-Auction & Flea Market App for iOS provided by DeNA Co., Ltd. is vulnerable to improper server certificate verification CWE-295. Okazawa Yoshihiro reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Multiple vulnerabilities in Fuji Electric V-SFT, V-Server and V-Server Lite
Overview Multiple vulnerabilities listed below exist in the simulator module contained in the graphic editor "V-SFT" and the remote monitoring software "V-Server" and "V-Server Lite" provided by FUJI ELECTRIC CO., LTD. Out-of-bounds Read in V-SFT CWE-125 - CVE-2022-29506 Out-of-bounds Read in...
Multiple vulnerabilities in CONTEC SolarView Compact
Overview SolarView Compact provided by CONTEC CO., LTD. is PV Measurement System. SolarView Compact contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2022-29303 Improper validation of input values on the send test mail console of the product's web server may result...
Trend Micro Password Manager vulnerable to privilege escalation
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported the vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A non-administrative user of the system where the affected product is installed...