5627 matches found
Multiple vulnerabilities in multiple Webmin products
Overview Multiple Webmin products contain multiple vulnerabilities listed below. sysinfo.cgi is vulnerable to cross-site scripting CWE-79 CVE-2024-36450 sessionlogin.cgi is vulnerable to cross-site scripting CWE-79 CVE-2024-36453 ajaxterm module is vulnerable to improper handling of insufficient...
Multiple vulnerabilities in Ricoh Streamline NX PC Client
Overview Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. ricoh-2024-000004 Improper restriction of communication channel to intended endpoints CWE-923 - CVE-2024-36252 ricoh-2024-000005 Use of hard-coded credentials CWE-798 -...
WordPress Plugin "Music Store - WordPress eCommerce" vulnerable to SQL injection
Overview WordPress Plugin "Music Store - WordPress eCommerce" provided by CodePeople contains an SQL injection vulnerability CWE-89. Daiki Sato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Multiple vulnerabilities in "FreeFrom - the nostr client" App
Overview "FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below. Improper verification of cryptographic signature CWE-347 - CVE-2024-36277 Reliance on obfuscation or encryption of security-relevant inputs without integrity checking CWE-649 -...
Multiple vulnerabilities in Unifier and Unifier Cast
Overview Unifier and Unifier Cast provided by Yokogawa Rental & Lease Corporation contains multiple vulnerabilities listed below. Incorrect Default Permissions configured by Cast Launcher CWE-276 - CVE-2024-23847 Missing Authorization for coejobhook Command Execution CWE-862 - CVE-2024-36246...
WordPress Plugin "WP Booking" vulnerable to cross-site scripting
Overview WordPress Plugin "WP Booking" provided by aviplugins.com contains a stored cross-site scripting vulnerability CWE-79. Daiki Sato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
Overview WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability CWE-22. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, th...
Central Dogma vulnerable to cross-site scripting
Overview Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability CWE-79, CVE-2024-1143 because RelayState data is not properly treated when Central Dogma processes SAML messages. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution...
Trend Micro Maximum Security vulnerable to improper link resolution (CVE-2024-32849)
Overview Trend Micro Incorporated has released a security update for Trend Micro Maximum Security, fixing an improper link resolution vulnerabilityCWE-59, CVE-2024-32849. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact Trend...
Multiple vulnerabilities in OMRON Sysmac Studio/CX-One and CX-Programmer
Overview OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities listed below. Out-of-bounds read CWE-125 - CVE-2024-31412 Free of pointer not at start of buffer CWE-761 - CVE-2024-31413 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with t...
Multiple vulnerabilities in NEC Aterm series
Overview Aterm series provided by NEC Corporation contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2024-28005 Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE-497 - CVE-2024-28006 Incorrect Permission...
KEYENCE VT STUDIO may insecurely load Dynamic Link Libraries
Overview VT STUDIO provided by KEYENCE CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427, CVE-2024-28099. KEYENCE CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact...
"Yahoo! JAPAN" App vulnerable to cross-site scripting
Overview "Yahoo! JAPAN" App provided by LY Corporation contains a cross-site scripting vulnerability CWE-79. Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Mini Thread vulnerable to cross-site scripting
Overview Mini Thread provided by Flash CGI according to the original report submitted by the reporter is a CGI script for creating a bulletin board system BBS. Mini Thread contains a cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of...
OMRON NJ/NX series vulnerable to path traversal
Overview Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability CWE-22, CVE-2024-27121. OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact An arbitrary file in the affected product...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a logged-in user with an administrative privilege sends a...
Multiple out-of-bounds write vulnerabilities in Canon Office/Small Office Multifunction Printers and Laser Printers
Overview Office/Small Office Multifunction Printers and Laser Printers provided by Canon Inc. contain multiple out-of-bounds write vulnerabilities CWE-787, CVE-2023-6229, CVE-2023-6230, CVE-2023-6231, CVE-2023-6232, CVE-2023-6233, CVE-2023-6234, CVE-2024-0244. Canon Inc. reported these...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Multiple ELECOM wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a logged-in user with an administrative privilege...
Yamaha wireless LAN access point devices vulnerable to active debug code
Overview Active debug code CWE-489 exists in wireless LAN access point devices provided by Yamaha Corporation. The debug function can be enabled by performing specific operations. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Improper input validation CWE-20 - CVE-2024-23180 Cross-site scripting CWE-79 - CVE-2024-23181 Relative path traversal CWE-23 - CVE-2024-23182 Cross-site scripting CWE-79 - CVE-2024-23183 Improper input...
Pleasanter vulnerable to cross-site scripting
Overview Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Masamitsu Kushi of Operation Group, Communication Technology Department, Digital Innovation HQ at Mitsubishi Heavy Industries, Ltd. reported this vulnerability to Implem Inc. and coordinated. After t...
Brother iPrint&Scan Desktop for Windows vulnerable to improper link resolution before file access
Overview iPrint Desktop for Windows provided by Brother Industries, Ltd. outputs logs to a certain log file. The affected version of the product does not check whether the log file is a normal file or a symbolic link to a certain file CWE-59. Chris Au reported this vulnerability to Brother...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in the presentation feature CWE-79 - CVE-2023-42436 Stored cross-site scripting vulnerability in the App Settings /admin/app page and the Markdown Settings...
Multiple denial-of-service (DoS) vulnerabilities in JTEKT ELECTRONICS HMI GC-A2 series
Overview HMI GC-A2 series provided by JTEKT ELECTRONICS CORPORATION contains multiple denial-of-service DoS vulnerabilities listed below. Denial-of-service DoS vulnerability in FTP service CWE-400 - CVE-2023-41963 Denial-of-service DoS vulnerability in commplex-link service CWE-400 - CVE-2023-491...
OS command injection vulnerability in DT900
Overview DT900 contains an OS command injection vulnerability. reported by Mr. Gianluca Altomani. for NEC-PSIRT Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple vulnerabilities in CubeCart
Overview CubeCart provided by CubeCart Limited contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2023-38130 Directory traversal CWE-22 - CVE-2023-42428 Directory traversal CWE-22 - CVE-2023-47283 OS command injection CWE-78 - CVE-2023-47675 Gen Sato of Mitsu...
ASUSTeK COMPUTER RT-AC87U vulnerable to improper access control
Overview RT-AC87U provided by ASUSTeK COMPUTER INC. contains an improper access control vulnerability CWE-284. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An attacker may read or write files that are not intended to be...
Multiple vulnerabilities in Pleasanter
Overview Pleasanter provided by Implem Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2023-34439 Improper access control vulnerability CWE-284 - CVE-2023-45210 Open redirect vulnerability CWE-601 - CVE-2023-46688 Authentication bypass...
Remarshal unlimitedly expanding YAML alias nodes
Overview Remarshal provided by Remarshal Project expands YAML alias nodes unlimitedly CWE-674, hence Remarshal is vulnerable to Billion Laughs Attack. Taichi Kotake of Sterra Security Co.,Ltd. / Akatsuki Games Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Improper restriction of XML external entity references (XXE) in e-Tax software
Overview e-Tax software provided by National Tax Agency improperly restricts XML external entity references XXE CWE-611 due to the configuration of the embedded XML parser. Toyama Taku of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Informatio...
Scanning evasion issue in Cisco Secure Email Gateway
Overview Cisco Secure Email Gateway provides anti-virus scanning facility for e-mail attachments. It was reported that a certain crafted file can evade anti-virus scanning facility. This issue was found by Takahiro Ohtani and Michael Joshua Telloyan in the Bug Bounty program at the University of...
web2py vulnerable to OS command injection
Overview web2py web application framework contains an OS command injection vulnerability CWE-78. Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When web2py is configured to u...
Out-of-bounds read vulnerability in Keyence KV STUDIO and KV REPLAY VIEWER
Overview KV STUDIO and KV REPLAY VIEWER provided by KEYENCE CORPORATION contain an out-of-bounds read vulnerability CWE-125, CVE-2023-42138. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If this vulnerability is exploited, information ma...
Information Exposure Vulnerability in Hitachi Ops Center Administrator
Overview A vulnerability CVE-2023-3335 exists in Hitachi Ops Center Administrator. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Citadel WebCit vulnerable to cross-site scripting on Instant Messaging facility
Overview Citadel WebCit provided by Citadel contains a cross-site scripting vulnerability CWE-79. Tomoro Taniguchi of FiveDrive, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When a malicious user sen...
Improper restriction of XML external entity references (XXE) in FD Application
Overview FD Application provided by Ministry of Health, Labour and Welfare improperly restricts XML external entity references XXE CWE-611. Toyama Taku and Sakaki Ryutaro of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Ear...
Trend Micro Mobile Security vulnerable to cross-site scripting
Overview Trend Micro Incorporated has released a security update for Trend Micro Mobile Security. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A cross-site scripting attack may be conducted if a user who is logged in to the...
Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains multiple vulnerabilities listed below. Unrestricted Upload of File with Dangerous Type CWE-434 - CVE-2023-40219 Path Traversal CWE-22 - CVE-2023-40532 Cross-site Scripting in registration process of Item List page...
Multiple vulnerabilities in F-RevoCRM
Overview F-RevoCRM provided by ThinkingReed inc. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-41149 Cross-site scripting vulnerability CWE-79 - CVE-2023-41150 Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA. JPCERT/...
Multiple vulnerabilities in CGIs of PMailServer and PMailServer2
Overview CGIs included with PMailServer and PMailServer2 provided by A.K.I Software contain multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2023-39223 Insufficient verification vulnerability in Broadcast Mail CGI pmc.exe CWE-434 - CVE-2023-39933...
Multiple vulnerabilities in SHIRASAGI
Overview SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2023-36492 Stored cross-site scripting CWE-79 - CVE-2023-38569 Path traversal CWE-22 - CVE-2023-39448 CVE-2023-36492, CVE-2023-38569 Taiga Shirakura of Mits...
Multiple vulnerabilities in LuxCal Web Calendar
Overview LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2023-39543 SQL injection CWE-89 - CVE-2023-39939 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated wit...
Multiple vulnerabilities in ELECOM and LOGITEC network devices
Overview Multiple network devices provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below. Hidden Functionality CWE-912 - CVE-2023-32626, CVE-2023-35991, CVE-2023-39445 Telnet service access restriction failure CWE-284 - CVE-2023-38132 Hidden Functionalit...
OMRON CJ series and CS/CJ Series EtherNet/IT unit vulnerable to Denial-of-Service (DoS)
Overview Denial-of-service DoS vulnerability due to improper validation of specified type of input CWE-1287 issue exists in the built-in EtherNet/IP port of the CJ Series CJ2 CPU unit and the communication function of the CS/CJ Series EtherNet/IP unit provided by OMRON Corporation. OMRON...
SEIKO EPSON printer Web Config vulnerable to denial-of-service (DoS)
Overview SEIKO EPSON printer Web Config contains a denial-of-service DoS vulnerability due to improper input validation CWE-20. SEIKO EPSON CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and SEIKO EPSON CORPORATION coordinated under the...
Multiple vulnerabilities in Command Center RX (CCRX) of Kyocera Document Solutions MFPs and printers
Overview Command Center RX CCRX, a web interface for MFPs and printers provided by KYOCERA Document Solutions Inc., contains multiple vulnerabilities listed below. Path traversal CWE-22 - CVE-2023-34259 Path traversal CWE-22 - CVE-2023-34260 Observable response discrepancy CWE-204 - CVE-2023-3426...
Multiple vulnerabilities in ELECOM and LOGITEC wireless LAN routers
Overview Multiple wireless LAN routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION contain multiple vulnerabilities listed below. Command Injection on the web management page CWE-77 - CVE-2023-37566, CVE-2023-37568 Command Injection on a certain port of the web management page CWE-77 -...
Security updates for multiple Trend Micro products for enterprises (June 2023)
Overview Trend Micro Incorporated has released security updates for multiple Trend Micro products for enterprises. For more details, refer to the information provided by the developer. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JV...
Multiple vulnerabilities in KbDevice digital video recorders
Overview Multiple digital video recorders provided by KbDevice,Inc. contain multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2023-30762 OS command injection CWE-78 - CVE-2023-30764 Hidden functionality CWE-912 - CVE-2023-30766 Yoshiki Mori, Ushimaru Hayato, Hiromu...
"Jiyu Kukan Toku-Toku coupon" App vulnerable to improper server certificate verification
Overview "Jiyu Kukan Toku-Toku coupon" App provided by RUNSYSTEM CO.,LTD. is vulnerable to improper server certificate verification CWE-295. Ryo Nihonyanagi of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...