5625 matches found
Multiple vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Directory traversal in the "Customapp" function CWE-22 - CVE-2019-6022 Browse restriction bypass in the application "Address" CWE-284 - CVE-2019-6023 Two vulnerabilities were reported by the following...
Multiple vulnerabilities in "Custom Body Class"
Overview WordPress Plugin "Custom Body Class" provided by Andrei Lupu contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-6029 Cross-site Request Forgery CWE-352 - CVE-2019-6030 Shirai Masatake of Cryptography Laboratory,Department of Information and Communicati...
Multiple MOTEX products vulnerable to privilege escalation
Overview LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. Mitsuaki Mitch Shiraishi of Secureworks Japan and Yoshimasa Obana reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
WordPress Plugin "WP Spell Check" vulnerable to cross-site request forgery
Overview WordPress Plugin "WP Spell Check" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Takuya Yamaguchi of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported these vulnerabilities...
Information Disclosure Vulnerability in Hitachi Command Suite
Overview An Information Disclosure Vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Rakuma App vulnerable to authentication information disclosure
Overview Rakuma App provided by Rakuten, Inc. contains an authentication information disclosure vulnerability CWE-200. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Library Information Management System LIMEDIO vulnerable to open redirect
Overview Library Information Management System LIMEDIO provided by RICOH COMPANY, LTD. contains an open redirect vulnerability CWE-601. Takeshi Imai of Internet Initiative Japan Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in EC-CUBE module "REMISE Payment module (2.11, 2.12 and 2.13)"
Overview EC-CUBE module "REMISE Payment module 2.11, 2.12 and 2.13" provided by REMISE Corporation contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2019-6016 Information disclosure CWE-200 - CVE-2019-6017 Gen Sato of Mitsui Bussan Secure Directions, Inc. reported...
Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure...
Smart TV Box fails to restrict access permissions
Overview Smart TV Box provided by KDDI CORPORATION enables access to Android Debug Bridge via port 5555/TCP of LAN side interface. When a cable television provider sets up Smart TV Box at an individual residence, direct access from outside to the LAN side interface of Smart TV Box is disabled...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. DOM-based cross-site scripting in the application "Portal" CWE-79 - CVE-2019-5975 Denial-of-service DoS CWE-20 - CVE-2019-5976 Mail header injection in the application "E-mail" CWE-74 - CVE-2019-5977...
Multiple vulnerabilities in Access analysis CGI An-Analyzer
Overview Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains multiple vulnerabilities listed below. OS command injection in the Management Page CWE-78 - CVE-2019-5987 Stored cross-site scripting in the Management Page CWE-79 - CVE-2019-5988 DOM-based cross-site scripting in t...
Multiple vulnerabilities in Hikari Denwa router/Home GateWay
Overview Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5985 Cross-site Request Forgery CWE-352 - CVE-2019-5986...
WordPress Plugin "HTML5 Maps" vulnerable to cross-site request forgery
Overview WordPress Plugin "HTML5 Maps" provided by Fla-Shop.com contains a cross-site request forgery vulnerability CWE-352. Daisuke Shimizu of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the...
Multiple vulnerabilities in VAIO Update
Overview VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below. Improper authorization process CWE-285 - CVE-2019-5981 Improper verification of download file CWE-669 - CVE-2019-5982 Device Security reported this vulnerability to IPA. JPCERT/CC coordinated with th...
WordPress Plugin "Personalized WooCommerce Cart Page" vulnerable to cross-site request forgery
Overview WordPress Plugin "Personalized WooCommerce Cart Page" provided by N-MEDIA contains a cross-site request forgery vulnerability CWE-352. Akira Yamasaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Cross-site request forgery vulnerability in the process of updating user's "Basic Info" CWE-352 - CVE-2019-5968 Open redirect vulnerability in the process of login CWE-601 - CVE-2019-5969 Security Group of...
Apache Camel vulnerable to XML external entity injection (XXE)
Overview Apache Camel provided by The Apache Software Foundation contains an XML external entity injection XXE vulnerability CWE-611 due to using an outdated vulnerable JSON-lib library. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
DoS Vulnerability in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager
Overview A DoS Vulnerability was found in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section...
Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure...
API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions
Overview JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions CWE-284. The application is no longer available/supported, and its service was ended in 2019 march 23. Tomoya Takahashi of TCU...
"an" App for iOS vulnerable to directory traversal
Overview "an" App for iOS provided by PERSOL CAREER CO., LTD. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability CWE-22, CVE-2018-16202. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this Vuerability to IPA. JPCERT/CC...
Dradis Community Edition and Dradis Professional Edition vulnerable to cross-site scripting
Overview Dradis Community Edition and Dradis Professional Edition provided by Security Roots Ltd contain a cross-site scripting vulnerability CWE-79. Ohji Kashiwazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
WordPress plugin "Smart Forms" vulnerable to cross-site request forgery
Overview The WordPress plugin "Smart Forms" provided by RedNao contains a cross-site request forgery vulnerability CWE-352. Masaki Saito of TDU Cryptography Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
Windows 7 may insecurely load Dynamic Link Libraries
Overview In standard DLL files provided by Windows 7, there are some DLL files read from the same directory where the program resides when executing the program CWE-427. Microsoft states that the root cause of this vulnerability is "Application Directory App Dir DLL planting", thus there is no pl...
WordPress plugin "FormCraft" vulnerable to cross-site request forgery
Overview The WordPress plugin "FormCraft" provided by nCrafts contains a cross-site request forgery vulnerability CWE-352. Masaki Saito of TDU Cryptography Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
A vulnerability in V20 PRO L-01J that may cause a crash
Overview V20 PRO L-01J provided by NTT DOCOMO, INC. is an Android smartphone. V20 PRO L-01J contains a flaw in processing connection using Wi-Fi CERTIFIED Passpoint which may result in the device to crash when Poasspoint is enabled. Hiroyuki Harada of Sapporo Gakuin University, Masashi Honma of...
OpenAM (Open Source Edition) vulnerable to open redirect
Overview OpenAM Open Source Edition contains an open redirect vulnerability. Norihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developers. Impact When accessing a specially crafted page, the user may be redirect...
Information Disclosure Vulnerability in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview An Information Disclosure Vulnerability was found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
Cross-site Scripting Vulnerability in Hitachi Device Manager
Overview A Cross-site Scripting Vulnerability was found in Hitachi Device Manager. Impact Remote users can exploit this vulnerability to execute malicious scripts. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway
Overview Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2018-16197 Hidden functionality CWE-912 - CVE-2018-16198 Cross-site scripting CWE-79 - CVE-2018-16199 OS command injection CWE-78 -...
Multiple vulnerabilities in Aterm WF1200CR and Aterm WG1200CR
Overview Aterm WF1200CR and Aterm WG1200CR provided by NEC Corporation contain multiple vulnerabilities listed below. Information disclosure CWE-200 - CVE-2018-16192 Stored cross-site scripting CWE-79 - CVE-2018-16193 OS command injection CWE-78 - CVE-2018-16194 OS command injection in SOAP...
Cybozu Garoon access restriction bypass vulnerability
Overview Single sign-on function of Cybozu Garoon provided by Cybozu, Inc. contains a restriction bypass vulnerability CWE-284. Kanta Nishitani reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...
Multiple vulnerabilities in i-FILTER
Overview i-FILTER provided by Digital Arts Inc. contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2018-16180 HTTP header injection CWE-113 - CVE-2018-16181 Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners
Overview Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2018-0688 HTTP header injection CWE-113 - CVE-2018-0689 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability t...
Panasonic applications register unquoted service paths
Overview Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths CWE-428. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information...
The installer of MARKET SPEED may insecurely load Dynamic Link Libraries
Overview The installer of MARKET SPEED provided by Rakuten Securities, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Takashi Sugawara reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
EC-CUBE vulnerable to open redirect
Overview EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an open redirect vulnerability CWE-601. LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD...
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool may insecurely load Dynamic Link Libraries
Overview The installer of Windows10 Fall Creators Update Modify module for Security Measures tool provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Tomohisa Hasegawa of Canon...
Mail app for iOS vulnerable to denial-of-service (DoS)
Overview Mail app for iOS provided by Apple contains a denial-of-service DoS vulnerability due to an issue in the handling of a maliciously crafted S/MIME signed message. Yukinobu Nagayasu of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Multiple vulnerabilities in OpenDolphin
Overview OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below. Privilege escalation - CVE-2018-16161 Information disclosure CWE-200 - CVE-2018-16162 Restrict access permissions failure CWE-284 - CVE-2018-16163 Symantec Japan, Inc. Advisory...
OpenAM (Open Source Edition) vulnerable to session management
Overview OpenAM Open Source Edition contains a vulnerability in session management. Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user who c...
Metabase vulnerable to cross-site scripting
Overview Metabase provided by Metabase, Inc. contains a reflected cross-site scripting vulnerability CWE-79. Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
User-friendly SVN vulnerable to cross-site scripting
Overview User-friendly SVN provided by USVN Team contains a reflected cross-site scripting vulnerability CWE-79. Jun Okutsu of NTT TechnoCross Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
The installer of Baidu Browser may insecurely load Dynamic Link Libraries
Overview Baidu Browser provided by Baidu, Inc. is a Web browser. The installer of Baidu Browser contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Asuka Nakajima of NTT Secure Platform Laboratories reported this vulnerability to IPA...
Multiple FXC network devices vulnerable to cross-site scripting
Overview Multiple network devices provided by FXC Inc. contain a stored cross-site scripting vulnerability CWE-79. SUNAGAWA, Masanori of Japan Advanced Institute of Science and Technology Graduate School of Advanced Science and Technology Security and Networks reported this vulnerability to IPA...
QNAP Photo Station vulnerable to cross-site scripting
Overview Photo Station provided by QNAP Systems, Inc. contains a reflected cross-site scripting vulnerability CWE-79. Mitsuaki Mitch Shiraishi of Secureworks Japan reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Path Traversal Vulnerability in JP1/Automatic Operation
Overview A Path Traversal Vulnerability was found in JP1/Automatic Operation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
NoMachine App for Android vulnerable to environment variables alteration
Overview NoMachine App for Android contains an information alteration vulnerability. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A remote attacker may alte...
Multiple cross-site scripting vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in the UserGroup Management section of admin page CWE-79 - CVE-2018-0652 Stored cross-site scripting vulnerability in Wiki page view CWE-79 -...