5625 matches found
Android App "Spoon" uses a hard-coded API key for an external service
Overview Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service CWE-798. Yoshihito Sakai of BroadBand Security, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Improper restriction of XML external entity references (XXE) in Electronic Deliverables Creation Support Tool provided by Ministry of Defense
Overview Electronic Deliverables Creation Support Tool provided by Ministry of Defense improperly restricts XML external entity references XXE CWE-611. Toyama Taku of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
FusionPBX vulnerable to cross-site scripting
Overview FusionPBX contains a stored cross-site scripting vulnerability CWE-79. Satoshi Horikoshi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the web browser of the...
Drupal vulnerable to improper handling of structural elements
Overview Drupal provided by Drupal.org contains an improper handling of structural elements vulnerability CWE-237. Shiga Takuma of BroadBand Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Thermal camera TMC series vulnerable to insufficient technical documentation
Overview Thermal camera TMC series provided by THREE R SOLUTION CORP. JAPAN are vulnerable to insufficient technical documentation CWE-1059. The related documentation does not describe the existence of the network interface, nor the internal storage for pictures and measurement data. Hiroyuki...
Multiple TP-Link products vulnerable to OS command injection
Overview Multiple products provided by TP-LINK contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2024-21773 OS command injection CWE-78 - CVE-2024-21821 OS command injection CWE-78 - CVE-2024-21833 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to...
WordPress plugin "MW WP Form" vulnerable to arbitrary file upload
Overview WordPress plugin "MW WP Form" provided by Web Consultation Office Co., Ltd can create a mail form using shortcode. MW WP Form contains a vulnerability that may allow an attacker to upload arbitrary files CVE-2023-6316, CWE-434. Impact When the "Saving inquiry data in database" option in...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Multiple ELECOM wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability CWE-78. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a logged-in user with an administrative...
Ruckus Access Point contains a cross-site scripting vulnerability.
Overview Ruckus Access Point provided by CommScope, Inc. contains a cross-site scripting vulnerability CWE-79. MUNEHIRO SHIRATANI of AGEST,Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
Multiple vulnerabilities in LuxCal Web Calendar
Overview LuxCal Web Calendar provided by LuxSoft contains multiple vulnerabilities listed below. SQL injection CWE-89 - CVE-2023-46700 Cross-site scripting CWE-79 - CVE-2023-47175 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated wit...
Multiple vulnerabilities in First Corporation's DVRs
Overview DVRs provided by First Co., Ltd. contain multiple vulnerabilities listed below. Use of hard-coded password CWE-259 - CVE-2023-47213 Missing authentication for critical function CWE-306 - CVE-2023-47674 Yoshiki Mori of National Institute of Information and Communications Technology...
Multiple vulnerabilities in Cisco Firepower Management Center Software
Overview Cisco Firepower Management Center Software provided by Cisco Systems contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2023-20219 Path traversal CWE-22 - CVE-2023-20220 Kentaro Kawane of LAC Co., Ltd. reported these vulnerabilitis to IPA. JPCERT/CC...
HOTELDRUID vulnerable to cross-site scripting
Overview HOTELDRUID provided by DigitalDruid.Net contains a cross-site scripting vulnerability CWE-79. Tomoro Taniguchi of FiveDrive, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script...
Inkdrop vulnerable to code injection
Overview Inkdrop provided by Takuya Matsuyama is a Markdown editor. Inkdrop contains a code injection vulnerability CWE-94. T.Nodoka reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a specially crafted...
Advanced Micro Devices Windows kernel drivers vulnerable to insufficient access control on its IOCTL
Overview Multiple Windows kernel drivers provided by Advanced Micro Devices Inc. are vulnerable to insufficient access control on its IOCTL CWE-782, CVE-2023-20598. Takahiro Haruyama of VMware reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact By sending a...
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Designer
Overview CX-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference XXE vulnerability CWE-611. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a user opens a specially crafted project fil...
HP ThinUpdate vulnerable to improper server certificate verification
Overview HP ThinUpdate provided by HP Development Company, L.P. is vulnerable to improper server certificate verification CWE-295. Narumi Hirai of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
Multiple vulnerabilities in JustSystems products
Overview Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below. Use after free CWE-416 - CVE-2023-34366 Integer overflow CWE-190 - CVE-2023-38127 Access of resource using incompatible type Type confusion CWE-843 - CVE-2023-38128 Improper validation of...
e-Gov Client Application fails to restrict custom URL schemes properly
Overview e-Gov Client Application is installed, a Custom URL Scheme is configured on the system to enable invoking the product through a web browser. This custom URL contains the information about the website which the product should access, and a crafted URL may direct the application to access ...
File and Directory Permissions Vulnerability in JP1/Performance Management
Overview A File and Directory Permissions Vulnerability CVE-2023-3440 exists in JP1/Performance Management. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple vulnerabilities in multiple FURUNO SYSTEMS wireless LAN access point devices in ST(Standalone) mode
Overview Wireless LAN access point devices provided by FURUNO SYSTEMS Co.,Ltd., running in STStandalone mode, contain multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2023-39222 Cross-site Scripting CWE-79 - CVE-2023-39429 Cross-Site Request Forgery CWE-352 - CVE-2023-4108...
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software
Overview Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below. Double free CWE-415 - CVE-2023-41374 Use-after-free CWE-416 - CVE-2023-41375 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with th...
Vulnerability in JP1/VERITAS
Overview A vulnerability VTS23-011 exists in JP1/VERITAS. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in CGIs of PMailServer and PMailServer2
Overview CGIs included with PMailServer and PMailServer2 provided by A.K.I Software contain multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2023-39223 Insufficient verification vulnerability in Broadcast Mail CGI pmc.exe CWE-434 - CVE-2023-39933...
Phoenix Technologies Windows kernel driver vulnerable to insufficient access control on its IOCTL
Overview Some of the Windows kernel drivers provided by Phoenix Technologies Inc. is vulnerable to insufficient access control on its IOCTL CWE-782, CVE-2023-35841. Takahiro Haruyama of VMware reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact By sending a...
Vulnerability in HiRDB
Overview A Vulnerability CVE-2023-1995 exists in HiRDB. Impact Some audit logs may not be retrieved. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in Panasonic Control FPWIN Pro7
Overview Control FPWIN Pro7 provided by Panasonic contains multiple vulnerabilities listed below. Stack-based Buffer Overflow CWE-121 - CVE-2023-28728 Access of Resource Using Incompatible Type CWE-843 - CVE-2023-28729 Improper Restriction of Operations within the Bounds of a Memory Buffer Michae...
EC-CUBE 2 series vulnerable to cross-site scripting
Overview EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability CWE-79 in "mail/template" and "products/product" of Management page. Shimamine Taihei of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD...
Multiple vulnerabilities in Special Interest Group Network for Analysis and Liaison's API
Overview Special Interest Group Network for Analysis and Liaison's "Inter-SOC Cooperation API" provided by Japan Computer Emergency Response Team Coordination Center JPCERT/CC contains multiple vulnerabilities listed below. Improper Authorization in Information Provision function CWE-285 -...
Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext
Overview Fujitsu Software Infrastructure Manager ISM V2.8.0.060, provided by Fujitsu Limited, stores the password for the proxy server in cleartext form to the product's maintenance data ismsnap CWE-312 under the following conditions. Using a proxy server that requires authentication in the...
SEIKO EPSON printer Web Config vulnerable to denial-of-service (DoS)
Overview SEIKO EPSON printer Web Config contains a denial-of-service DoS vulnerability due to improper input validation CWE-20. SEIKO EPSON CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and SEIKO EPSON CORPORATION coordinated under the...
Multiple Vulnerabilities in Hitachi Device Manager
Overview Multiple vulnerabilities have been found in Hitachi Device Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in Aterm series
Overview Aterm series provided by NEC Corporation contain multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2023-3330 Directory traversal CWE-22 - CVE-2023-3331 Stored cross-site scripting CWE-79 - CVE-2023-3332 OS command injection CWE-78 - CVE-2023-3333 Taizoh Tsukamoto of...
ASUS Router RT-AX3000 vulnerable to using sensitive cookies without 'Secure' attribute
Overview ASUS Router RT-AX3000 provided by ASUSTeK COMPUTER INC. uses sensitive cookies without 'Secure' attribute CWE-614. Shungo Kumasaka of GMO Cyber Security by IERAE reported this vulnerability to the developer and JPCERT/CC published respective advisories in order to notify users of this...
Multiple vulnerabilities in FUJI ELECTRIC FRENIC RHC Loader
Overview FRENIC RHC Loader provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2023-29160 Out-of-bounds read CWE-125 - CVE-2023-29167 Improper restriction of XML external entity reference CWE-611 - CVE-2023-29498 Michael...
Pleasanter vulnerable to cross-site scripting
Overview Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Implem Inc. and Implem Inc. reported it to IPA. JPCERT/CC and Implem Inc. coordinated under the Information Security...
Android App "Brother iPrint&Scan" vulnerable to improper access control
Overview Android App "Brother iPrint" provided by BROTHER INDUSTRIES, LTD. contains an improper access control vulnerability CWE-284, CVE-2023-28369. Johan Francsics reported this vulnerability to BROTHER INDUSTRIES, LTD. and coordinated. After the coordination, BROTHER INDUSTRIES, LTD. reported...
Qrio Smart Lock Q-SL2 vulnerable to authentication bypass by capture-replay
Overview Qrio Smart Lock Q-SL2 provided by Qrio, inc. contains an authentication bypass by capture-replay vulnerability CWE-294. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in WordPress Plugin "MW WP Form" and "Snow Monkey Forms"
Overview WordPress Plugin "MW WP Form" and "Snow Monkey Forms" provided by Monkey Wrench Inc. contain multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2023-28408 Unrestricted upload of file with dangerous type CWE-434 - CVE-2023-28409 Directory traversal CWE-22 -...
SR-7100VN vulnerable to privilege escalation
Overview SR-7100VN provided by ICOM INCORPORATED contains a privilege escalation vulnerability CWE-268. HAMANO Kiyoto of SOUM Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user with an...
Improper restriction of XML external entity references (XXE) in Shinseiyo Sogo Soft
Overview Shinseiyo Sogo Soft provided by The Ministry of Justice improperly restricts XML external entity references XXE CWE-611. Taku Toyama of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery
Overview WordPress plugin "LIQUID SPEECH BALLOON" provided by LIQUID DESIGN Ltd. contains a cross-site request forgery vulnerability CWE-352. Ryo Sato of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Trend Micro Security may insecurely load Dynamic Link Libraries
Overview Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue CWE-427. While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application...
Yokogawa Electric CENTUM series vulnerable to cleartext storage of sensitive information
Overview CENTUM series provided by Yokogawa Electric Corporation are vulnerable to cleartext storage of sensitive information CWE-312, CVE-2023-26593. Yokogawa Electric Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If an attacker who can...
JTEKT ELECTRONIC Screen Creator Advance 2 vulnerable to improper restriction of operations within the bounds of a memory buffer
Overview Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION is vulnerable to improper restriction of operations within the bounds of a memory buffer CWE-119 due to improper check of its data size when processing a project file. Michael Heinzl reported this vulnerability to...
CONPROSYS HMI System(CHS) vulnerable to SQL injection
Overview CONPROSYS HMI SystemCHS provided by Contec Co., Ltd. contains an SQL injection vulnerability CWE-89, CVE-2023-1658. Tenable Network Security reported this vulnerability to the developer. JPCERT/CC coordinated with the reporter and the developer. Impact Sending a specially crafted paramet...
Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service
Overview Android App "Wolt Delivery: Food and more" provided by Wolt uses a hard-coded API key for an external service CWE-798. Naoya Kurosawa of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software
Overview Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below. Out-of-bounds read CWE-125 - CVE-2023-22419, CVE-2023-22421 Use-after-free CWE-416 - CVE-2023-22424 Michael Heinzl reported these vulnerabilities to JPCERT/CC...
Multiple vulnerabilities in PostgreSQL extension module pg_ivm
Overview pgivm provided by IVM Development Group is a PostgreSQL extension module that provides incremental view maintenance functionality of materialized views. pgivm contains multiple vulnerabilities listed below. Exposure of sensitive information to an unauthorized actor CWE-200 - CVE-2023-228...
Multiple vulnerabilities in Trend Micro Maximum Security
Overview Trend Micro Incorporated has released security updates for Trend Micro Maximum Security. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Trend Micro Maximum Security 2022 Arbitrary file deletion due to link...