5625 matches found
Multiple vulnerabilities in multiple iND products
Overview Multiple products provided by iND Co.,Ltd contain multiple vulnerabilities listed below. Insecure storage of sensitive information CWE-922 - CVE-2025-53507 OS command injection CWE-78 - CVE-2025-53508 HL330-DLS, HL320-DLS Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported...
Trend Micro Endpoint security products for enterprises vulnerable to multiple OS command injection
Overview Trend Micro Endpoint security products for enterprises contain the following vulnerabilities. OS command injection vulnerability in the management console CWE-78 - CVE-2025-54948, CVE-2025-54987 Trend Micro Incorporated has reported that attacks exploiting CVE-2025-54948 have been observ...
ZXHN-F660T and ZXHN-F660A use a common credential for all installations
Overview ZXHN-F660T and ZXHN-F660A provided by ZTE Japan. K.K. are ONU Optical Network Unit. ZXHN-F660T and ZXHN-F660A contain the following vulnerability. Use a common credential for all installations CWE-1391 - CVE-2025-53558 Yuuki Miyata of YuukiJapanTech reported this vulnerability to IPA...
TP-Link VIGI NVR1104H-4P and VIGI NVR2016H-16MP vulnerable to OS command injection
Overview VIGI NVR1104H-4P and VIGI NVR2016H-16MP provided by TP-Link Systems Inc. contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-7723, CVE-2025-7724 Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the...
Real-time Bus Tracking System vulnerable to improper validation of specified quantity in input
Overview Real-time Bus Tracking System provided by SYNCK GRAPHICA contains the following vulnerability. Improper validation of specified quantity in input CWE-1284 - CVE-2025-43881 n3ddih reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
"region PAY" App for Android vulnerable to insertion of sensitive information into log file
Overview "region PAY" App for Android provided by Gift Pad Co.,Ltd. contains the following vulnerability. Insertion of sensitive information into log file CWE-532 - CVE-2025-52580 Kubo Naoki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Least Privilege Violation Vulnerability in the communications functions of NJ/NX series Machine Automation Controllers
Overview Least privilege violation vulnerability CWE-272 exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software provided by OMRON Corporation. - CVE-2025-1384 OMRON Corporation reported this vulnerability to JPCERT/CC to notify...
Multiple vulnerabilities in Trend Micro Password Manager for Windows (CVE-2025-48443, CVE-2025-52837)
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager for Windows. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Arbitrary files may be deleted during the product installation d...
Multiple vulnerabilities in TB-eye network recorders and AHD recorders
Overview Network recorders and AHD recorders provided by TB-eye Ltd. contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2025-36529 Classic buffer overflow CWE-120 - CVE-2025-41418 Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported these vulnerabilities to JPCERT/C...
UpdateNavi vulnerable to improper restriction of communication channel to intended endpoints
Overview UpdateNavi provided by Fujitsu Client Computing Limited contains the following vulnerability. Improper restriction of communication channel to intended endpoints CWE-923 Shu Yoshikoshi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Improper file access permission settings in PC Time Tracer
Overview PC Time Tracer provided by Keiyo System Co., LTD contains a vulnerability listed below. Incorrect default permissions CWE-276 - CVE-2025-46355 Ruslan Sayfiev and Masahiro Kawada of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the develop...
Improper pattern file validation in i-FILTER optional feature 'Anti-Virus & Sandbox'
Overview The optional feature 'Anti-Virus & Sandbox' of i-FILTER provided by Digital Arts Inc. validates pattern files improperly. Improper pattern file validation CWE-348 - CVE-2025-47149 Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC...
Passback vulnerabilities in Canon Production Printers, Office/Small Office Multifunction Printers, and Laser Printers
Overview Production Printers, Office/Small Office Multifunction Printers, and Laser Printers provided by Canon Inc. do not implement sufficient protection on credential information CWE-522. CVE-2025-3078, CVE-2025-3079 Canon Inc. reported these vulnerabilities to JPCERT/CC to notify users of the...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Path traversal CWE-22 CVE-2025-27566 This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege Cross-site scripting CWE-79...
Reflected cross-site scripting vulnerability in multiple laser printers and MFPs which implement Ricoh Web Image Monitor
Overview Web Image Monitor provided by Ricoh Company, Ltd. is an web server included and runs in laser printers and MFPs multifunction printers. Web Image Monitor contains the vulnerability listed below. Reflected cross-site scripting CWE-79 - CVE-2025-41393 Juan Pablo Gomez Postigo of Sprocket...
TP-Link Deco BE65 Pro vulnerable to OS command injection
Overview Deco BE65 Pro provided by TP-LINK contains an OS command injection vulnerability CWE-78. Chuya Hayakawa and Ryo Kamino of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An arbitrary OS command may be executed by the user who can log...
Multiple vulnerabilities in Inaba Denki Sangyo Wi-Fi AP UNIT 'AC-WPS-11ac series'
Overview Wi-Fi AP UNIT 'AC-WPS-11ac series' provided by Inaba Denki Sangyo Co., Ltd. contain multiple vulnerabilities listed below. Incorrect privilege assignment in the WEB UI the setting page CWE-266 - CVE-2025-23407 OS command injection in the WEB UI the setting page CWE-78 - CVE-2025-25053...
WinRAR vulnerable to the symbolic link based "Mark of the Web" check bypass
Overview WinRAR provided by RARLAB contains a vulnerability that bypasses the "Mark of the Web" CWE-356 security warning function for files when opening a symbolic link that points to an executable file. In the initial Windows configuration, only administrators have the privilege to create symbol...
Multiple vulnerabilities in PowerCMS
Overview PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. Injection CWE-74 - CVE-2025-29993 Dependency on vulnerable third-party component CWE-1395 - CVE-2021-21252 Alfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN...
hostapd vulnerable to improper processing of RADIUS packets
Overview hostapd provided by Jouni Malinen fails to process crafted RADIUS packets properly CWE-826. KUSABA Takeshi of Internet Initiative Japan Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When...
Multiple vulnerabilities in RemoteView Agent (for Windows)
Overview RemoteView allows a local PC to connect and control remote PCs through the cloud service provided by RSUPPORT Co.,Ltd. On the remote PCs should be installed RemoteView Agent. The following vulnerabilities are reported on RemoteView Agent installation. Incorrect access permission of a...
Out-of-bounds write vulnerability in FUJIFILM Business Innovation Corp. MFPs
Overview Multiple MFPs multifunction printers provided by FUJIFILM Business Innovation Corp. contain an out-of-bounds vulnerability CWE-787, CVE-2024-45320 due to a flaw in verifying the length of data. Jia-Ju Bai, Rui-Nan Hu, Cheng Li, Dong Zhang, Yu-Chen Sun, Wen-Han Xu, Zhen-Yu Guan, and...
Clickjacking Vulnerability in JP1/ServerConductor/Deployment Manager
Overview A Clickjacking Vulnerability was found in JP1/ServerConductor/Deployment Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple out-of-bounds write vulnerabilities in Canon Office/Small Office Multifunction Printers and Laser Printers
Overview Office/Small Office Multifunction Printers and Laser Printers provided by Canon Inc. contain multiple out-of-bounds write vulnerabilities CWE-787, CVE-2024-12647, CVE-2024-12648, CVE-2024-12649, CVE-2025-2146. Canon Inc. reported these vulnerabilities to JPCERT/CC to notify users of the...
Linux Ratfor vulnerable to stack-based buffer overflow
Overview Linux Ratfor provided by the Dimensional Gate contains a stack-based buffer overflow vulnerability CWE-121. Yuhei Kawakoya of NTT Social Informatics Laboratories / NTT Security Holdings Corporation reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact...
Multiple vulnerabilities in SHARP routers
Overview SHARP routers contain multiple vulnerabilities listed below. OS command injection vulnerability in the HOST name configuration screen CWE-78 - CVE-2024-45721 The hidden debug function is enabled CWE-489 - CVE-2024-46873 Buffer overflow vulnerability in the hidden debug function CWE-120 -...
Multiple vulnerabilities in Rakuten Turbo 5G
Overview Rakuten Turbo 5G provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below. Missing authentication for critical function CWE-306 - CVE-2024-47865 OS command injection CWE-78 - CVE-2024-48895 Exposure of sensitive system information to an unauthorized control sphere...
REST-APIs unintentionally enabled in Century Systems FutureNet NXR series routers
Overview FutureNet NXR series routers provided by Century Systems Co., Ltd. have REST-APIs, which are configured as disabled in the initial factory default configuration. But, REST-APIs are unexpectedly enabled when the affected product is powered up, provided either http-server GUI or Web...
MUSASI version 3 performing authentication on client-side
Overview MUSASI provided by NEUMANN CO.LTD. is an e-learning system for driving schools. MUSASI version 3 performs authentication within the client-side code CWE-603, and the client in pre-authentication state retrieves the credential information from the server just when a user ID is input. This...
SNMP service is enabled by default in Sharp NEC Display Solutions projectors
Overview Multiple projectors provided by Sharp NEC Display Solutions, Ltd. are configured with SNMP service enabled by default, therefore can be accessed by specifying SNMP community name "public" CWE-1242 ,CVE-2024-7011. SNMP service configuration enable/disable cannot be changed on the manageme...
The installer of e-Tax software(common program) vulnerable to privilege escalation
Overview The installer of e-Tax softwarecommon program provided by National Tax Agency contains a vulnerability which allows uploading a malicious DLL to be executed with higher privileges than that of an general user by altering registry CWE-268. Takashi Yoshikawa of Mitsui Bussan Secure...
Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"
Overview WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities listed below. SQL injection CWE-89 - CVE-2024-42404 Cross-site scripting CWE-79 - CVE-2024-45366 Shogo Kumamaru of LAC CyberLink Co., Ltd. reported this vulnerability to IPA. JPCERT/CC...
Assimp vulnerable to heap-based buffer overflow
Overview PlyLoader.cpp of Assimp provided by Open Asset Import Library contains a heap-based buffer overflow vulnerability CWE-122. Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Falsification and eavesdropping of contents across multiple websites via Web Rehosting services
Overview Researchers at NTT Secure Platform Laboratories and Waseda University have identified multiple security issues that lead to content being tampered with and eavesdropped on a service called Web Rehosting. These issues have been published in NDSS 2020. "Web Rehosting" is the name of a grou...
"@cosme" App fails to restrict custom URL schemes properly
Overview "@cosme" App provided by istyle Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Pantuhong Sorasiri of LAC Co., Ltd. reported this...
WordPress Plugin "Forminator" vulnerable to cross-site scripting
Overview WordPress Plugin "Forminator" provided by WPMU DEV assists building web forms. When accessing the page including the web form created with Forminator, some information from the URL may be embedded to the web form. This feature processes the embedded information improperly, leading to...
Multiple products from KINGSOFT JAPAN vulnerable to path traversal
Overview KINGSOFT JAPAN, INC. provides Kingsoft Office Software's WPS Office and its related products localized for Japan. WPS Office and its related products provided by KINGSOFT JAPAN, INC. contain a path traversal vulnerability CWE-22, CVE-2024-7262, CVE-2024-7263 due to inadequate file path...
Secure Boot bypass Vulnerability in PRIMERGY
Overview PRIMERGY is an IA server provided by Fsas Technologies Inc. PRIMERGY contains a vulnerability where Secure Boot function is bypassed. This is due to a vulnerability called "PKFail" CVE-2024-8105, which was publicly disclosed by Binarly. Fsas Technologies Inc. reported this vulnerability ...
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting
Overview The field labels in WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability CWE-79. Ryo Sotoyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
WindLDR and WindO/I-NV4 store sensitive information in cleartext
Overview PLC programming software "WindLDR" and Operator Interfaces' Touchscreen Programming Software "WindO/I-NV4" provided by IDEC Corporation store sensitive information in cleartext form CWE-312. Yuki Meguro of Toinx Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Authentication Bypass Vulnerability in Hitachi Ops Center Common Services
Overview Authentication bypass vulnerability exists in Hitachi Ops Center Common Services. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
BUFFALO wireless LAN routers and wireless LAN repeaters vulnerable to OS command injection
Overview Wireless LAN routers and wireless LAN repeaters provided by BUFFALO INC. contain an OS command injection vulnerability CWE-78. Yoshiki Mori and Masaki Kubo of National Institute of Information and Communications Technology, Cybersecurity Research Laboratory reported this vulnerability to...
A vulnerability in TOYOTA MOTOR's DCU (Display Control Unit)
Overview TOYOTA MOTOR's DCU contains a vulnerability which is triggered by BlueBorne vulnerability. TOYOTA MOTER CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact An unauthenticated attacker may cause a denial of service DoS condition or...
WAON service app for Android fails to verify SSL server certificates
Overview WAON service app for Android provided by AEON CO., LTD. fails to verify SSL server certificates. Gaku Taniguchi of RiskFinder,inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle...
Pimax Play and PiTool accept WebSocket connections from unintended endpoints
Overview Pimax Play and PiTool provided by Pimax accept WebSocket connections from unintended endpoints CWE-923. Rei Yano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Arbitrary code may be executed by a...
Multiple vulnerabilities in ELECOM wireless LAN routers
Overview Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Unrestricted Upload of File with Dangerous Type CWE-434 CVE-2024-34021 OS Command Injection CWE-78 CVE-2024-39607 Cross-Site Request Forgery CWE-352 CVE-2024-40883 CVE-2024-34021 Toya...
Out-of-bounds write vulnerability in Ricoh MFPs and printers
Overview MFPs multifunction printers and printers provided by Ricoh Company, Ltd. contain an out-of-bounds write vulnerability CWE-787. Ricoh Company, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Ricoh Company, Ltd. coordinated under the...
Multiple vulnerabilities in multiple Webmin products
Overview Multiple Webmin products contain multiple vulnerabilities listed below. sysinfo.cgi is vulnerable to cross-site scripting CWE-79 CVE-2024-36450 sessionlogin.cgi is vulnerable to cross-site scripting CWE-79 CVE-2024-36453 ajaxterm module is vulnerable to improper handling of insufficient...
Multiple vulnerabilities in Ricoh Streamline NX PC Client
Overview Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. ricoh-2024-000004 Improper restriction of communication channel to intended endpoints CWE-923 - CVE-2024-36252 ricoh-2024-000005 Use of hard-coded credentials CWE-798 -...
WordPress Plugin "Music Store - WordPress eCommerce" vulnerable to SQL injection
Overview WordPress Plugin "Music Store - WordPress eCommerce" provided by CodePeople contains an SQL injection vulnerability CWE-89. Daiki Sato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...