5625 matches found
JVN#42543427: WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization
WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains a missing authorization vulnerability CWE-862. Impact Users of this product Editor, Author, Contributor may view the information on the database without the access permission. Solution Update the plugin Update the...
JVN#32155106: Multiple vulnerabilities in i-FILTER
i-FILTER provided by Digital Arts Inc. contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2018-16180 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 HTTP...
JVN#27978559: Multiple vulnerabilities in Pixelpost
Pixelpost provided by Pixelpost.org contains multiple vulnerabilities listed below. Arbitrary code execution - CVE-2018-0604 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L| Base Score: 4.7 CVSS v2| AV:N/AC:L/Au:S/C:P/I:P/A:P| Base Score: 6.5 Cross-site...
JVN#28804532: Multiple vulnerabilities in WordPress plugin "Ultimate Member"
The WordPress plugin "Ultimate Member" provided by Ultimate Member contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2018-0585 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 5.4 CVSS v2|...
JVN#61081552: WordPress plugin "PixelYourSite" vulnerable to cross-site scripting
The WordPress plugin "PixelYourSite" provided by Minimal Work SRL contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the...
JVN#01161596: Safari vulnerable to script injection
Safari provided by Apple Inc. contains a script injection vulnerability CWE-81 in the processing of displaying an error page when it fails to verify server certificates. In an error page Safari displays when it fails to verify server certificates, a domain name of the website accessed is output...
JVN#71291160: StreamRelay.net.exe and sDNSProxy.exe vulnerable to denial-of-service (DoS)
StreamRelay.net.exe and sDNSProxy.exe fail to properly process ICMP Port Unreachable message CWE-703. Impact A remote attacker may be able to cause a denial-of-service DoS condition. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#14926025: Installer of ”Flets Install Tool” may insecurely load Dynamic Link Libraries
Installer of "Flets Install Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installe...
JVN#45093481: Multiple vulnerabilities in Apache Struts 2
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain multiple vulnerabilities listed below. Cross-site request forgery S2-038 - CVE-2016-4430 Version| Vector|...
JVN#85572374: pfSense-pkg-WireGuard vulnerable to directory traversal
pfSense-pkg-WireGuard provided by pfSense is an add-on package for pfSense CE and pfSense Plus. pfSense-pkg-WireGuard contains a directory traversal vulnerability CWE-22. Impact pfSense users may view files in the private folders which they do not have privileges to access. Solution Update the...
JVN#67447798: Multiple SONY Wireless Headphones allow improper Bluetooth pairing
Multiple SONY Wireless Headphones have vulnerability that someone within the Bluetooth range can make the Bluetooth pairingCWE-306. Impact When using the product, someone within the Bluetooth range may make the Bluetooth pairing and operate such as changing volume of the product. Solution Update...
JVN#88277644: Keijiban Tsumiki vulenrable to OS command injection
Keijiban Tsumiki provided by Mash room - Free CGI - is a CGI to provide Bulletin Board System BBS functions. Keijiban Tsumiki contains an OS command injection vulnerability CWE-78. Impact A remote attacker may execute an arbitrary OS command. Solution Consider stop using Keijiban Tsumiki v1.15...
JVN#88033799: WL-Enq (WEB Enquete) vulnerable to cross-site scripting
WL-Enq WEB Enquete provided by WonderLink is a CGI to provide web enquete functions. WL-Enq WEB Enquete contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing a website that uses WL-Enq WEB Enquete. Solution...
JVN#09769017: Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries
Installers of multiple products, and DocuWorks self-extracting documents provided by Fuji Xerox Co.,Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the administrative...
JVN#48413726: Multiple vulnerabilities in multiple Buffalo wireless LAN routers
WMR-433 and WMR-433W provided by BUFFALO INC. are wireless LAN routers. WMR-433 and WMR-433W contain multiple vulnerabilities listed below. Cross-site Request Forgery CWE-352 - CVE-2017-2273 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L| Base Score: 4.3...
JVN#16248227: PrimeDrive Desktop Application Installer may insecurely load executable files
PrimeDrive Desktop Application is the client application for PrimeDrive online storage service provided by SoftBank Corp. The installer of PrimeDrive Desktop Application contains an issue with the file search path, which may insecurely load executable files CWE-427. Impact Arbitrary code may be...
JVN#55121369: CentreCOM AR260S V2 vulnerable to privilege escalation
CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability. Impact Unintended operations may be performed with administrative privileges by a user who can log into the product with "guest" account. Solution Apply...
JVN#97545738: Multiple cross-site scripting vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Search screen CWE-79 - CVE-2021-20808 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS...
JVN#74686032: QND vulnerable to privilege escalation
QND provided by QualitySoft Corporation contains a privilege escalation vulnerability CWE-268. Impact A user who can log in to the PC where the product's Windows client is installed may obtain administrative privileges. As a result, sensitive information may be modified/obtained or unintended...
JVN#07426151: InfoCage SiteShell installs their files with improper access permissions
InfoCage SiteShell provided by NEC Corporation installs their files with improper access permissions CWE-732. Especially, the service executable files can be modified by Everyone users. Impact The service executable files may be modified by local users, resulting in arbitrary code execution with ...
JVN#95423049: The installer of Content Manager Assistant for PlayStation may insecurely load Dynamic Link Libraries
Content Manager Assistant for PlayStation provided by Sony Interactive Entertainment Inc. is a data transfer tool. The installer of Content Manager Assistant for PlayStation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact...
JVN#39628662: Multiple vulnerabilities in SEO Panel
SEO Panel provided by SEO Panel contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2017-10838 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base Score: 2.6 SQL injection...
JVN#35240327: WordPress plugin "WP Fastest Cache" vulnerable to directory traversal
WordPress plugin "WP Fastest Cache" provided by Emre Vona contains a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be deleted by a user with an administrative privilege. Solution Update the plugin Update the plugin according to the information provided by the...
JVN#42252698: Panasonic Video Insight VMS vulnerable to arbitrary code execution
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94 because unencrypted communication exists in the communication using non-well known ports. Impact By sending a specially crafted request to the vulnerable product, a remoto attacker may...
JVN#56450373: Multiple vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Information disclosure CWE-200 - CVE-2020-5676 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 5.3 CVSS v2| AV:N/AC:L/Au:N/C:P/I:N/A:N| Base Score: 5.0 Reflected...
JVN#31864411: Multiple access restriction bypass vulnerabilities in UNIQLO App
UNIQLO App provided by UNIQLO CO., LTD. contains multiple access restriction bypass vulnerabilities below. A remote attacker may be able to lead a user to access an arbitrary website via the vulnerable App. The App launched by a Custom URL Scheme may lead a user to access an arbitrary URL -...
JVN#96493183: GROWI vulnerable to cross-site scripting
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. The settings option for enabling and disabling the measures against cross-site scripting "Enable XSS prevention" option was introduced in v3.1.12. However, there was an issue with the implementation where the...
JVN#81196185: The installer of Visual C++ Redistributable may insecurely load Dynamic Link Libraries
The installer of Visual C++ Redistributable provided Microsoft contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory as the installer CWE-427. Microsoft states that the root cause of this vulnerability is "Application Directo...
JVN#14151222: Multiple vulnerabilities SONY Portable Wireless Server WG-C10
Portable Wireless Server WG-C10 provided by Sony Corporation contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2017-2275 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8 CVSS v2| AV:A/AC:L/Au:S/C:P/I:P/A:P|...
JVN#06770361: Installer of Tera Term may insecurely load Dynamic Link Libraries
The installer of Tera Term provided by TeraTerm Project contains an issue with the DLL search path, which may lead to insecurely load Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installer Use...
JVN#19294237: Apache Struts vulnerable to ClassLoader manipulation
Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated. Impact On a server where Apache Struts in running, a remote attacker may steal information or execu...
JVN#79013771 Safari allows access from HTTP to HTTPS
Safari is a default web browser installed in Mac OS X and iPhone. Safari contains a vulnerability that allows a remote attacker to access web page contents protected by SSL/TLS from an HTTP page in the same domain. Impact A remote attacker could obtain or change the web page contents protected by...
JVN#51106450: Apache HTTP Server vulnerable to directory traversal
Apache HTTP Server provided by The Apache Software Foundation contains a directory traversal vulnerability CWE-22. Impact A remote attacker may access the unprotected files in "require all denied" placed outside of the document root. Moreover, if CGI scripts are enabled, arbitrary code may be...
JVN#50804280: Plone vulnerable to open redirect
Plone provided by Plone Foundation contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Apply the Patch Apply the patch according...
JVN#64869876: Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Improper Neutralization of JavaScript input in the page editing function CWE-79 - CVE-2021-20681 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 5.4...
JVN#41035278: BookStack vulnerable to cross-site scripting
BookStack contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the developer. The developer states as follows; Aft...
JVN#61849442: PALLET CONTROL vulnerable to arbitrary code execution
PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission CWE-284. Impact A user who can login to the computer where the vulnerable product is installed...
JVN#47668991: Sales Force Assistant vulnerable to cross-site scripting
Sales Force Assistant provided by NI Consulting CO.,Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser while logging in Sales Force Assistant. Solution Update the Software Update the software to the latest version...
JVN#63834780: Shihonkanri Plus GOOUT vulnerable to OS command injection
Shihonkanri Plus GOOUT provided by EKAKIN is a CGI that enables to view data stored in Shihonkanri Plus outside. Shihonkanri Plus GOOUT contains an OS command injection CWE-78 vulnerability. Impact A remote attacker may execute an arbitrary OS command. Solution Consider stop using Shihonkanri Plu...
JVN#89259622: WordPress Plugin "Easy Property Listings" vulnerable to cross-site request forgery
WordPress Plugin "Easy Property Listings" provided by Merv Barrett contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the informatio...
JVN#75929834: Install program and Installer of i-フィルター 6.0 may insecurely load Dynamic Link Libraries and invoke executable files
i-フィルター 6.0 provided by Digital Arts Inc. is web filtering and parental control software. The install program is designed to download the installer via the internet and execute it. The i-フィルター 6.0 install program and installer contain the following vulnerabilities. Lead to insecurely loading...
JVN#34565930: Multiple vulnerabilities in a-blog cms
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Improper input validation CWE-20 - CVE-2024-23180 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N| Base Score: 3.5 CVSS v2| AV:N/AC:M/Au:S/C:N/I:P/A:N| Base Score: 3.5...
JVN#64316789: Multiple vulnerabilities in SoftEther VPN and PacketiX VPN
SoftEther VPN provided by University of Tsukuba SoftEther VPN Project and PacketiX VPN provided by SoftEther Corporation contain multiple vulnerabilities listed below in VPN Client function, and Dynamic DNS Client function included in the VPN server. Heap-based buffer overflow CWE-122 -...
JVN#29949691: Inkdrop vulnerable to OS command injection
Inkdrop provided by Takuya Matsuyama is a Markdown editor. Inkdrop contains an OS command injection vulnerability CWE-78. Impact If a file or code snippet containing an invalid iframe is loaded into Inkdrop, an arbitrary OS command may be executed on the system where it runs. Solution Update the...
JVN#50470170: WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
WordPress Plugin "Name Directory" provided by J. Peters contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin...
JVN#69635538: The installer of SKYSEA Client View may insecurely load Dynamic Link Libraries
SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. The installer of SKYSEA Client View contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of...
JVN#89224521: Multiple vulnerabilities in EasyBlocks IPv6
EasyBlocks IPv6 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities listed below. Cross site request forgeryCWE-352 - CVE-2020-5549 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base...
JVN#76692689: SEIL Series routers vulnerable to denial-of-service (DoS)
The IPsec/IKE function in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service DoS vulnerability due to a flaw in processing certain packets. Impact Receiving a specially crafted packet may result in a temporary failure of the device's encrypted communication...
JVN#52422792: Direct Web Remoting (DWR) vulnerable to cross-site scripting
Direct Web Remoting DWR is a Java framework for developing Ajax into web applications. DWR contains a cross-site scripting vulnerability CWE-79. Impact Arbitrary JavaScript may be executed on the user's web browser. Solution Update the Software Update to the latest version of DWR according to the...
JVN#53278122: Minecraft Java Edition vulnerable to directory traversal
Minecraft Java Edition provided by Mojang Studios contains a directory traversal vulnerability CWE-22. Impact Arbitrary JSON files on the system using the product may be deleted by an attacker. Solution Update Minecraft Update Minecraft to the latest version according to the information provided ...