5625 matches found
Hibernate ORM vulnerable to SQL injection
Overview Hibernate ORM is an ORM framework for Java. Hibernate ORM can be configured hibernate.usesqlcomments to true, which is false by default to add comments to generated SQL statements, aimed at debugging purpose. When hibernate.usesqlcomments is configured to true, malicious input may produc...
Multiple vulnerabilities in WordPress Plugin "Simple Download Monitor"
Overview WordPress Plugin "Simple Download Monitor" provided by Tips and Tricks HQ contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5650 SQL Injection CWE-89 - CVE-2020-5651 Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the...
ServerProtect for Linux vulnerable to OS command injection
Overview ServerProtect for Linux provided by Trend Micro Incorporated contains an OS command injection vulnerability CWE-78. Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact A remote authenticated attacker may execute arbitrary code. Soluti...
Multiple access restriction bypass vulnerabilities in UNIQLO App
Overview UNIQLO App provided by UNIQLO CO., LTD. contains multiple access restriction bypass vulnerabilities below. A remote attacker may be able to lead a user to access an arbitrary website via the vulnerable App. The App launched by a Custom URL Scheme may lead a user to access an arbitrary UR...
Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Overview Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution...
FANUC i Series CNC vulnerable to denial-of-service (DoS)
Overview Fanuc i Series CNC provided by FANUC CORPORATION contains a denial-of-service DoS CWE-400 vulnerability. Industrial Control Security Laboratory of Qi An Xin Technology Group Inc. from China reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric GOT2000 series
Overview TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series GT27, GT25, and GT23 contains multiple vulnerabilities listed below. Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 - CVE-2020-5595 Session Fixation CWE-384 - CVE-2020-5596 NUL...
Multiple vulnerabilities in Zenphoto
Overview Zenphoto is a content management system CMS. Zenphoto contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5592 Code Injection CWE-94 - CVE-2020-5593 Tomohisa Maeda of Panasonic Corporation, Product Security Center reported this vulnerability to IPA...
PALLET CONTROL vulnerable to arbitrary code execution
Overview PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission CWE-284. Yoshimasa Obana reported this vulnerability to IPA. JPCERT/CC coordinated wit...
Cybozu Garoon contains multiple vulnerabilities
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Authentication bypass in the API used to specify the fields CWE-287 - CVE-2020-5563 Cross-site scripting in the application "E-mail" CWE-79 - CVE-2020-5564 Input validation bypass in the applications...
Toshiba Electronic Devices & Storage software registers unquoted service paths
Overview Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths CWE-428. Toshiba Electronic Devices & Storage Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and TOSHIBA ELECTRONIC DEVIC...
CuteNews vulnerable to cross-site scripting
Overview Cute News provided by CutePHP.com is a system to manage news. Cute News contains a cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 16, 2020, it was judged that an advisory for this...
Improper Authentication Vulnerability in RICOH printers
Overview Multiple RICOH printers contain Improper Authentication Vulnerability CWE-287. RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership. Impac...
HtmlUnit vulenerable to arbitrary code execution
Overview HtmlUnit is a Java-based library which provides web browser functionality to Java programs, and it supports JavaScript evaluation with embedded Mozilla Rhino engine. Mozilla Rhino engine offers a feature to make Java objects available from JavaScript. HtmlUnit initializes Rhino engine...
AWMS Mobile App vulnerable to improper server certificate verification
Overview AWMS Mobile App is vulnerable to improper server certificate verification CWE-295. Dai Nakamura of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Multiple Fuji Xerox mobile applications fails to verify SSL server certificates
Overview Multiple Fuji Xerox mobile applications fail to verify SSL server certificates CWE-295. Hirotaka Niisato reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2019-6033 Script injection due to a flaw in processing cookie CWE-74 - CVE-2019-6034 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this...
Android App "NTV News24" fails to verify SSL server certificates
Overview Android App "NTV News24" provided by Nippon Television Network Corporation fails to verify SSL server certificates CWE-295. Shinnosuke Tokusho of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA...
Athenz vulnerable to open redirect
Overview Athenz provided by Verizon Media contains an open redirect vulnerability CWE-601. Akaki Tsunoda reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a specially crafted URL, the user may b...
Kinza vulnerable to cross-site scripting
Overview Kinza provided by Dayz Inc. contains a cross-site scripting vulnerability CWE-79. RyotaK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If CSP Content Security Policy on the affected product is...
PowerCMS vulnerable to open redirect
Overview PowerCMS provided by Alfasado Inc. contains an open redirect vulnerability CWE-601. Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a...
Multiple vulnerabilities in WordPress Plugin "wpDataTables Lite"
Overview WordPress Plugin "wpDataTables Lite" provided by TMS-Plugins contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-6011 SQL Injection CWE-89 - CVE-2019-6012 Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and...
Multiple OS command injection vulnerabilities in DBA-1510P
Overview DBA-1510P provided by D-Link Japan K.K. contains multiple OS command injection vulnerabilities listed below. OS command injection vulnerability in Command Line Interface CLI CWE-78 - CVE-2019-6013 OS command injection vulnerability in Web User Interface CWE-78 - CVE-2019-6014 Katsuhiko...
SHIRASAGI vulnerable to open redirect
Overview SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
ApeosWare Management Suite and ApeosWare Management Suite 2 contain open redirect vulnerability
Overview ApeosWare Management Suite and ApeosWare Management Suite 2 provided by Fuji Xerox Co.,Ltd. are software products to manage devices and their usages; providing authentication, printing, log accounting, and document distribution. These software products contain an open redirect...
WonderCMS vulnerable to directory traversal
Overview WonderCMS contains a directory traversal vulnerability CWE-22. Note that the original fix for this vulnerability was insufficient CVE-2018-7172. However, an updated version of the software, which completely addressed this vulnerability has been released by the developer. Sosuke Tokuda...
WordPress Plugin "Category Specific RSS feed Subscription" vulnerable to cross-site request forgery
Overview WordPress Plugin "Category Specific RSS feed Subscription" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Gota Abe of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this...
A map plugin for Mincraft server "Dynmap" fails to restrict access permissions
Overview A map plugin for Mincraft server "Dynmap" fails to restrict access permissions CWE-284. RyotaK directly reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer f...
Vulnerability in Cosminexus HTTP Server and Hitachi Web Server
Overview A vulnerability CVE-2019-0220 exists in Cosminexus HTTP Server and Hitachi Web Server. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate...
Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"
Overview WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5962 Cross-site Request Forgery CWE-352 - CVE-2019-5963 Kouhei Ikeda of Cryptography Laboratory,Department of Information and Communication...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Cross-site scripting in the additional processing of Customize Item function CWE-79 - CVE-2019-5928 Cross-site scripting in the application "Memo" CWE-79 - CVE-2019-5929 Browse restriction bypass in th...
Multiple vulnerabilities in Nablarch
Overview Nablarch provided by TIS Inc. contains multiple vulnerabilities listed below. The vulnerability in the function of generic formatter by XXE attacks CWE-611 - CVE-2019-5918 An incomplete cryptography of the data store function by using hidden tag CWE-310 - CVE-2019-5919 TIS Inc. reported...
UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL may insecurely load Dynamic Link Libraries
Overview UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL provided by Micco contain vulnerabilities listed below. Self-Extracting Archives created by UNLHA32.DLL may insecurely load Dynamic Link Libraries CWE-427 - CVE-2018-16189 Insecurely load specific DLL file in the same directory CWE-427 ...
The installers of UNLHA32.DLL, UNARJ32.DLL and LHMelting may insecurely load Dynamic Link Libraries
Overview The installers of UNLHA32.DLL, UNARJ32.DLL and LHMelting provided by Micco use the old version of Self-Extracting Archives created by UNLHA32.DLL. They contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427, CVE-2018-16189. Eili...
GROWI vulnerable to cross-site scripting
Overview GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. The settings option for enabling and disabling the measures against cross-site scripting "Enable XSS prevention" option was introduced in v3.1.12. However, there was an issue with the implementation wher...
PgpoolAdmin fails to restrict access permissions
Overview PgpoolAdmin provided by PgPool Global Development Group fails to restrict access permissions CWE-264. Fotios Rogkotis of DarkMatter reported this vulnerability to PgPool Global Development Group, and PgPool Global Development Group reported this vulnerability to IPA to notify users of it...
Multiple Vulnerabilities in JP1/VERITAS
Overview Multiple vulnerabilities have been found in JP1/VERITAS. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Cybozu Dezie vulnerable to directory traversal
Overview Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its...
BlueStacks App Player fails to restrict access permissions
Overview BlueStacks App Player fails to restrict access permissions CWE-284. Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in YukiWiki
Overview YukiWiki is a Wiki engine. YukiWiki contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2018-0699 Processing a particular request consumes large amounts of CPU and memory resources CWE-400 - CVE-2018-0700 Tanaka Akira of National Institute of Advanced...
Multiple vulnerabilities in FileZen
Overview FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface. FileZen contains multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2018-0693 OS command injection CWE-78 - CVE-2018-0694 Soliton Systems K.K...
Cybozu Garoon vulnerable to directory traversal
Overview Cybozu Garoon provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing of the session information. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated und...
AttacheCase vulnerable to arbitrary script execution
Overview AttacheCase is an open source file encryption software provided by HiBARA Software. If a setting file AtcCase.ini is specially crafted and it resides in the same folder where ATC file resides, it is leveraged to execute an arbitrary script when ATC file is decrypted. Taizoh Tsukamoto of...
Multiple script injection vulnerabilities in multiple Yamaha network devices
Overview The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities CWE-74. The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Information Disclosure Vulnerability in Hitachi Command Suite
Overview An Information Disclosure Vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE
Overview EC-CUBE Payment Module and GMO-PG Payment Module PG Multi-Payment Service, which are additional modules for EC-CUBE, provided by GMO Payment Gateway, Inc. contain multiple vulnerabilities listed below. Cross-site scripting vulnerability in the management screen CWE-79 - CVE-2018-0657 Inp...
Multiple vulnerabilities in multiple I-O DATA network camera products
Overview Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below. Permissions, Privileges, and Access Controls CWE-264 - CVE-2018-0661 Insufficient Verification of Data Authenticity CWE-345 - CVE-2018-0662 Use of Hard-coded Credentials...
The installers of multiple Canon IT Solutions Inc. software programs may insecurely load Dynamic Link Libraries
Overview The installers of multiple software programs provided by Canon IT Solutions Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC...
Cybozu Garoon vulnerable to SQL injection
Overview Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability CWE-89 in application "Notifications". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security...
ANA App for iOS fails to verify SSL server certificates
Overview ANA App for iOS provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates CWE-295. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...