5625 matches found
Cross-site scripting vulnerability in WordPress plugin WP-OliveCart
Overview WP-OliveCart provided by Olive Design is a WordPress plugin to construct a shopping site. WP-OliveCart contains cross-site scripting vulnerability. Gen Sato of TRADE WORKS Co.,Ltd Security Dept. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under...
The installer of e-Tax Software may insecurely load Dynamic Link Libraries
Overview The installer of e-Tax Software provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the...
SetucoCMS vulnerable to denial-of-service (DoS)
Overview SetucoCMS provided by SetucoCMS Project is a content management system CMS. SetucoCMS contains denial-of-service DoS vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning partnership. Impact A remot...
SetucoCMS vulnerable to code injection
Overview SetucoCMS provided by SetucoCMS Project is a content management system CMS. SetucoCMS contains code injection vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning partnership. Impact Arbitrary code...
Cybozu Office vulnerable to Reflected File Download (RFD)
Overview Cybozu Office contains a Reflected File Download RFD vulnerability. Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc...
Cybozu Office vulnerable to denial-of-service (DoS)
Overview Cybozu Office contains a denial-of-service DoS vulnerability. Shuichi Uruma reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information...
"Project" function in Cybozu Office vulnerable vulnerable to access restriction bypass
Overview Cybozu Office provided by Cybozu,Inc. contains an access restriction bypass vulnerability in the "Project" function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security...
"Project" function in Cybozu Office vulnerable to cross-site scripting
Overview Cybozu Office provided by Cybozu,Inc. contains a cross-site scripting vulnerability. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated unde...
baserCMS plugin Uploader vulnerable to cross-site request forgery
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS and bundled plugin Uploader contain a cross-site request forgery vulnerability. Masamu Asato of National Institute of Technology, Okinawa College reported this vulnerability to IPA. JPCERT/CC...
baserCMS plugin Mail vulnerable to cross-site request forgery
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS and bundled plugin Mail contain a cross-site request forgery vulnerability. Masamu Asato of National Institute of Technology, Okinawa College reported this vulnerability to IPA. JPCERT/CC...
baserCMS plugin Feed vulnerable to cross-site request forgery
Overview baserCMS provided by baserCMS User Group is an opensource content management system. baserCMS and bundled plugin Feed contain a cross-site request forgery vulnerability. Masamu Asato of National Institute of Technology, Okinawa College reported this vulnerability to IPA. JPCERT/CC...
ManageEngine ServiceDesk Plus fails to restrict access permissions
Overview ManageEngine ServiceDesk Plus provided by Zoho Corporation is a help desk software. ManageEngine ServiceDesk Plus fails to restrict access permissions. Akihito Mukai and Tomoshige Hasegawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Splunk Enterprise and Splunk Light vulnerable to open redirect
Overview Splunk Enterprise and Splunk Light contain an open redirect vulnerability. Note that this vulnerability is different from JVN39926655. Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
ADOdb vulnerable to cross-site scripting
Overview ADOdb is a database abstraction layer for PHP. The library's test script test.php contains a cross-site scripting CWE-79 vulnerability. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
YoruFukurou (NightOwl) vulnerable to denial-of-service (DoS)
Overview YoruFukurou NightOwl is a Twitter client application for OS X. YoruFukurou uses OS X API CTFramesetter to render text contents. CTFramesetter has a problem in processing a certain emoji character sequence, which may cause YoruFukurou to crash. This problem was verified on OS X v10.9...
simple chat vulnerable to cross-site scripting
Overview simple chat provided by Let's PHP! contains a cross-site scripting vulnerability CWE-79. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
Cybozu Garoon fails to restrict access permissions
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon fails to restrict access permissions in the error page. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information...
"User details" function in Cybozu Garoon vulnerable to cross-site scripting
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. "User details" function in Cybozu Garoon contains a cross-site scripting vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under th...
ClipBucket vulnerable to cross-site scripting
Overview Clipbucket is open source video sharing script. ClipBucket contains a cross-site scripting CWE-79 vulnerability. Yoshinori Matsumoto of Kobe Digital Labo, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnershi...
Cybozu Mailwise vulnerable to information disclosure
Overview Cybozu Mailwise contains an information disclosure vulnerability in the mail view page. Masato Kinugawa reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinat...
Multiple I-O DATA Recording Hard disk products vulnerable to cross-site request forgery
Overview Multiple Recording Hard disk products provided by I-O DATA DEVICE, INC. contain a cross-site request forgery vulnerability due to an issue in the web management screen. kaito834 reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
WordPress plugin "Nofollow Links" vulnerable to cross-site scripting
Overview The WordPress plugin "Nofollow Links" contains a cross-site scripting CWE-79 vulnerability in nofollow-links.php. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Sushiro App fails to verify SSL server certificates
Overview Sushiro App provided by AKINDO SUSHIRO CO., LTD. fails to verify SSL server certificates. Yuta Teshima of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Multiple Hikari Denwa routers vulnerable to cross-site request forgery
Overview Multiple Hikari Denwa routers contain a cross-site request forgery vulnerability CWE-352. Ryoya Tsukasaki of Urawa Commercial High School reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user...
Multiple Hikari Denwa routers vulnerable to OS command injection
Overview Multiple Hikari Denwa routers contain an OS command injection vulnerability CWE-78. Ryoya Tsukasaki of Urawa Commercial High School reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary OS...
WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a cross-site scripting vulnerability CWE-79. Note that this vulnerability is different from JVN95082904. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
CG-WLR300GNV Series does not limit authentication attempts
Overview CG-WLR300GNV and CG-WLR300GNV-W provided by Corega Inc are wireless LAN routers. The WPS functionality in CG-WLR300GNV Series does not limit PIN authentication attempts, making it susceptible to brute force attacks. Takeshi Okamoto of Kanagawa Institute of Technology and Takaaki Minegish...
CG-WLBARAGM vulnerable to denial-of-service (DoS)
Overview CG-WLBARAGM provided by Corega Inc is a wireless LAN router. CG-WLBARAGM contains a denial-of-service DoS vulnerability. Yuji Ukai of FFRI, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
DX Library vulnerable to remote code execution
Overview DX Library is an open source library for creating Windows applications. DX Library contains a remote code execution vulnerability due to an issue in printfDx. Tomoya Kitagawa of Graduate School of Information Science, Nara Institute of Science and Technology reported this vulnerability t...
Apache Struts 1 vulnerability that allows unintended remote operations against components on memory
Overview The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met: Condition 1: When the following ActionForm including its subclasses are in the...
Trend Micro enterprise products directory traversal vulnerability
Overview Multiple enterprise products provided by Trend Micro Incorporated contain a directory traversal vulnerability. According to the developer, exploiting the vulnerability requires access to the LAN environment of the user. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to...
Cybozu Garoon function "MultiReport" vulnerable to access restriction bypass
Overview Cybozu Garoon is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability in the function "MultiReport". Yuji Tounai of NTT Com Security Japan KK reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution...
Cybozu Garoon function "Portlets" vulnerable to access restriction bypass
Overview Cybozu Garoon is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability in the function "Portlets". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact A user may create a portlet which does not belong any...
Cybozu Garoon vulnerable to cross-site scripting
Overview Cybozu Garoon is a groupware. Cybozu Garoon contains a cross-site scripting vulnerability. Note that this vulnerability is different from JVN37121456. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated...
Cybozu Garoon function "Files" vulnerable to directory traversal
Overview Cybozu Garoon is a groupware. Cybozu Garoon contains a directory traversal vulnerability in the function "Files". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early...
Cybozu Garoon mail function vulnerable to access restriction bypass
Overview Cybozu Garoon is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability in the mail function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact A spoofed e-mail may be sent by a user. Solution Update the...
WebARENA formmail vulnerable to cross-site scripting
Overview formmail used for the WebARENA Service provided by NTT PC Communications Incorporated contains a cross-site scripting vulnerability CWE-79. OHTA, Yoshinori of Business Architects Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Multiple Buffalo wireless LAN routers vulnerable to information disclosure
Overview Multiple Buffalo wireless LAN routers contain an information disclosure vulnerability. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Japan Connected-free Wi-Fi vulnerable to API execution
Overview Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. contains a vulnerability which allows an arbitrary API to be executed by a man-in-the-middle attacker. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
WordPress plugin "Markdown on Save Improved" vulnerable to cross-site scripting
Overview The WordPress plugin "Markdown on Save Improved" contains a stored cross-site scripting CWE-79 vulnerability. Kenta Yamamoto of Cryptography Laboratory,Department of Information and Communication Engineering, Graduate School of Tokyo Denki University reported this vulnerability to IPA...
Cross-site Scripting Vulnerability in Hitachi Tuning Manager
Overview A cross-site scripting vulnerability was found in Hitachi Tuning Manager. Impact Remote users can exploit this vulnerability to execute malicious scripts. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Apache Cordova vulnerable to arbitrary plugin execution
Overview Apache Cordova contains a vulnerability where arbitrary plugins may be executed. Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where...
EC-CUBE fails to restrict access permissions
Overview EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Note that this vulnerability is different from JVN47473944. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC...
EC-CUBE fails to restrict access permissions
Overview EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Note that this vulnerability is different from JVN11458774. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC...
kintone mobile for Android fails to verify SSL server certificates
Overview kintone mobile for Android provided by Cybozu, Inc. fails to verify SSL server certificates. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" vulnerable to cross-site scripting
Overview EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" provided by Cyber-Will Inc. contain a cross-site scripting vulnerability CWE-79. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
baserCMS plugin "Casebook Plugin" vulnerable to cross-site request forgery
Overview baserCMS plugin "Casebook Plugin" contains a cross-site request forgery vulnerability CWE-352. Takaesu Isao of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
baserCMS plugin "Menubook Plugin" vulnerable to cross-site scripting
Overview baserCMS plugin "Menubook Plugin" contains a cross-site scripting vulnerability. CWE-79 Takaesu Isao of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
baserCMS plugin "Recruit Plugin" vulnerable to cross-site request forgery
Overview baserCMS plugin "Recruit Plugin" contains a cross-site request forgery vulnerability. CWE-352 Takaesu Isao of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
WisePoint contains issue in preventing clickjacking attacks
Overview WisePoint contains an issue in the protection against clickjacking attacks on the management screen. Hiroki Ikemoto of NTT SOFT SERVICE Corp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user...