5625 matches found
Vulnerability in JP1/VERITAS
Overview A vulnerability VTS23-011 exists in JP1/VERITAS. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in CGIs of PMailServer and PMailServer2
Overview CGIs included with PMailServer and PMailServer2 provided by A.K.I Software contain multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2023-39223 Insufficient verification vulnerability in Broadcast Mail CGI pmc.exe CWE-434 - CVE-2023-39933...
Phoenix Technologies Windows kernel driver vulnerable to insufficient access control on its IOCTL
Overview Some of the Windows kernel drivers provided by Phoenix Technologies Inc. is vulnerable to insufficient access control on its IOCTL CWE-782, CVE-2023-35841. Takahiro Haruyama of VMware reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact By sending a...
Vulnerability in HiRDB
Overview A Vulnerability CVE-2023-1995 exists in HiRDB. Impact Some audit logs may not be retrieved. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in Panasonic Control FPWIN Pro7
Overview Control FPWIN Pro7 provided by Panasonic contains multiple vulnerabilities listed below. Stack-based Buffer Overflow CWE-121 - CVE-2023-28728 Access of Resource Using Incompatible Type CWE-843 - CVE-2023-28729 Improper Restriction of Operations within the Bounds of a Memory Buffer Michae...
EC-CUBE 2 series vulnerable to cross-site scripting
Overview EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains a cross-site scripting vulnerability CWE-79 in "mail/template" and "products/product" of Management page. Shimamine Taihei of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD...
Multiple vulnerabilities in Special Interest Group Network for Analysis and Liaison's API
Overview Special Interest Group Network for Analysis and Liaison's "Inter-SOC Cooperation API" provided by Japan Computer Emergency Response Team Coordination Center JPCERT/CC contains multiple vulnerabilities listed below. Improper Authorization in Information Provision function CWE-285 -...
Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext
Overview Fujitsu Software Infrastructure Manager ISM V2.8.0.060, provided by Fujitsu Limited, stores the password for the proxy server in cleartext form to the product's maintenance data ismsnap CWE-312 under the following conditions. Using a proxy server that requires authentication in the...
Multiple Vulnerabilities in Hitachi Device Manager
Overview Multiple vulnerabilities have been found in Hitachi Device Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in Aterm series
Overview Aterm series provided by NEC Corporation contain multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2023-3330 Directory traversal CWE-22 - CVE-2023-3331 Stored cross-site scripting CWE-79 - CVE-2023-3332 OS command injection CWE-78 - CVE-2023-3333 Taizoh Tsukamoto of...
ASUS Router RT-AX3000 vulnerable to using sensitive cookies without 'Secure' attribute
Overview ASUS Router RT-AX3000 provided by ASUSTeK COMPUTER INC. uses sensitive cookies without 'Secure' attribute CWE-614. Shungo Kumasaka of GMO Cyber Security by IERAE reported this vulnerability to the developer and JPCERT/CC published respective advisories in order to notify users of this...
Multiple vulnerabilities in FUJI ELECTRIC FRENIC RHC Loader
Overview FRENIC RHC Loader provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2023-29160 Out-of-bounds read CWE-125 - CVE-2023-29167 Improper restriction of XML external entity reference CWE-611 - CVE-2023-29498 Michael...
Pleasanter vulnerable to cross-site scripting
Overview Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Implem Inc. and Implem Inc. reported it to IPA. JPCERT/CC and Implem Inc. coordinated under the Information Security...
Android App "Brother iPrint&Scan" vulnerable to improper access control
Overview Android App "Brother iPrint" provided by BROTHER INDUSTRIES, LTD. contains an improper access control vulnerability CWE-284, CVE-2023-28369. Johan Francsics reported this vulnerability to BROTHER INDUSTRIES, LTD. and coordinated. After the coordination, BROTHER INDUSTRIES, LTD. reported...
Multiple vulnerabilities in WordPress Plugin "MW WP Form" and "Snow Monkey Forms"
Overview WordPress Plugin "MW WP Form" and "Snow Monkey Forms" provided by Monkey Wrench Inc. contain multiple vulnerabilities listed below. Directory traversal CWE-22 - CVE-2023-28408 Unrestricted upload of file with dangerous type CWE-434 - CVE-2023-28409 Directory traversal CWE-22 -...
SR-7100VN vulnerable to privilege escalation
Overview SR-7100VN provided by ICOM INCORPORATED contains a privilege escalation vulnerability CWE-268. HAMANO Kiyoto of SOUM Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user with an...
Improper restriction of XML external entity references (XXE) in Shinseiyo Sogo Soft
Overview Shinseiyo Sogo Soft provided by The Ministry of Justice improperly restricts XML external entity references XXE CWE-611. Taku Toyama of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery
Overview WordPress plugin "LIQUID SPEECH BALLOON" provided by LIQUID DESIGN Ltd. contains a cross-site request forgery vulnerability CWE-352. Ryo Sato of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Trend Micro Security may insecurely load Dynamic Link Libraries
Overview Trend Micro Security provided by Trend Micro Incorporated contains an insecure DLL loading issue CWE-427. While the affected version of Trend Micro Security is installed and a malicious DLL is placed in a directory where some application executable resides, invoking the application...
Yokogawa Electric CENTUM series vulnerable to cleartext storage of sensitive information
Overview CENTUM series provided by Yokogawa Electric Corporation are vulnerable to cleartext storage of sensitive information CWE-312, CVE-2023-26593. Yokogawa Electric Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If an attacker who can...
JTEKT ELECTRONIC Screen Creator Advance 2 vulnerable to improper restriction of operations within the bounds of a memory buffer
Overview Screen Creator Advance 2 provided by JTEKT ELECTRONICS CORPORATION is vulnerable to improper restriction of operations within the bounds of a memory buffer CWE-119 due to improper check of its data size when processing a project file. Michael Heinzl reported this vulnerability to...
CONPROSYS HMI System(CHS) vulnerable to SQL injection
Overview CONPROSYS HMI SystemCHS provided by Contec Co., Ltd. contains an SQL injection vulnerability CWE-89, CVE-2023-1658. Tenable Network Security reported this vulnerability to the developer. JPCERT/CC coordinated with the reporter and the developer. Impact Sending a specially crafted paramet...
Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service
Overview Android App "Wolt Delivery: Food and more" provided by Wolt uses a hard-coded API key for an external service CWE-798. Naoya Kurosawa of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software
Overview Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below. Out-of-bounds read CWE-125 - CVE-2023-22419, CVE-2023-22421 Use-after-free CWE-416 - CVE-2023-22424 Michael Heinzl reported these vulnerabilities to JPCERT/CC...
Multiple vulnerabilities in PostgreSQL extension module pg_ivm
Overview pgivm provided by IVM Development Group is a PostgreSQL extension module that provides incremental view maintenance functionality of materialized views. pgivm contains multiple vulnerabilities listed below. Exposure of sensitive information to an unauthorized actor CWE-200 - CVE-2023-228...
Multiple vulnerabilities in Trend Micro Maximum Security
Overview Trend Micro Incorporated has released security updates for Trend Micro Maximum Security. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Trend Micro Maximum Security 2022 Arbitrary file deletion due to link...
File and Directory Permissions Vulnerability in Hitachi Automation Director, Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center
Overview A File and Directory Permissions Vulnerability CVE-2020-36652 exists in Hitachi Automation Director, Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor...
Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G
Overview Wired/Wireless LAN Pan/Tilt Network Camera CS-WMV02G provided by PLANEX COMMUNICATIONS INC. contains multiple vulnerabilities listed below. Stored cross-site scripting CWE-79 - CVE-2023-22370 Cross-site request forgery CWE-352 - CVE-2023-22375 Reflected cross-site scripting CWE-79 -...
Zuken Elmic KASAGO uses insufficient random values for TCP Initial Sequence Numbers
Overview Zuken Elmic KASAGO, TCP/IP protocol stack for embedded systems, uses its own random number generator function when generating TCP initial sequence numbers, which leads to use insufficient random values CWE-330. Zuken Elmic reported this vulnerability to JPCERT/CC to notify users of its...
Contec CONPROSYS HMI System (CHS) vulnerable to multiple SQL injections
Overview CONPROSYS HMI System CHS provided by CONTEC CO.,LTD. contains multiple SQL injection vulnerabilities CWE-89. Mosin from ELEX FEIGONG RESEARCH INSTITUTE of Elex CyberSecurity, Inc., reported these vulnerabilities to Contec Co., Ltd. Contec Co., Ltd. reported the issues to JPCERT/CC in ord...
Multiple vulnerabilities in PIXELA PIX-RT100
Overview PIX-RT100 provided by PIXELA CORPORATION contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2023-22304 Backdoor access issue CWE-912 - CVE-2023-22316 MASAHIRO IIDA of LAC Co.,Ltd. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the develop...
Multiple vulnerabilities in MAHO-PBX NetDevancer series
Overview There are multiple vulnerabilities in the Management screen of MAHO-PBX NetDevancer series provided by Mahoroba Kobo, Inc. OS Command Injection CWE-78 - CVE-2023-22279 OS Command Injection CWE-78 - CVE-2023-22280 Cross-Site Request Forgery CWE-352 - CVE-2023-22286 Reflected Cross-site...
TP-Link SG105PE vulnerable to authentication bypass
Overview TP-Link SG105PE contains an authentication bypass vulnerability CWE-287. Baba Takao of BPS Co., Ltd reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Under certain conditions, an attacker may...
pgAdmin 4 vulnerable to open redirect
Overview pgAdmin 4 provided by pgAdmin Project contains an open redirect vulnerability CWE-601. SHIGA TAKUMA of BroadBand Security, Inc. and Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Multiple vulnerabilities in Fuji Electric V-SFT and TELLUS
Overview V-SFT and TELLUS provided by FUJI ELECTRIC CO., LTD. contain multiple vulnerabilities listed below. Out-of-bounds Read CWE-125 - CVE-2022-46360 Out-of-bounds Write CWE-787 - CVE-2022-43448 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the develope...
+Message App improper handling of Unicode control characters
Overview +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character's specifications. Therefore, a crafted text may display misleading web links CWE-451. Akaki Tsunoda reported this vulnerability to IPA. JPCERT/CC...
Zenphoto vulnerable to cross-site scripting
Overview Zenphoto contains a stored cross-site scripting vulnerability CWE-79. Terada Yu of Fujitsu System Integration Laboratories reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be...
Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
Overview CONPROSYS HMI System CHS provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2022-44456 Use of Default Credentials CWE-1392 - CVE-2023-22331 Use of Password Hash Instead of Password for Authentication CWE-836 - CVE-2023-22334...
Multiple vulnerabilities in Buffalo network devices
Overview Multiple network devices provided by BUFFALO INC. contain multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2022-43466 OS Command Injection CWE-78 - CVE-2022-43443 Hidden Functionality CWE-912 - CVE-2022-43486 Chuya Hayakawa of 00One, Inc. reported these...
Information Exposure Vulnerability in JP1/Automatic Operation
Overview An information exposure vulnerability CVE-2022-34881 exists in JP1/Automatic Operation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate...
Contec SolarView Compact vulnerable to cross-site scripting
Overview SolarView Compact provided by Contec Co., Ltd. is PV Measurement System. SolarView Compact contains a cross-site scripting vulnerability CWE-79, CVE-2022-44355 in Check Network Communication Page of the product's web server. As of 2022 December 5, a Proof-of-Concept PoC code exploiting...
Cybozu Remote Service vulnerable to Uncontrolled Resource Consumption
Overview Cybozu Remote Service provided by Cybozu, Inc. is vulnerable to uncontrolled resource consumption CWE-400. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A logged-in user may consume huge storage space, resulting to a...
WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables
Overview WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera accepts untrusted external inputs to update certain internal variables CWE-454. Tsubasa Iinuma of Origami Systems reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
RICOH Aficio SP 4210N vulnerable to cross-site scripting
Overview Aficio SP 4210N provided by RICOH COMPANY, LTD. contains a cross-site scripting vulnerability CWE-79 in Web Image Monitor. Yudai Morii, Takaya Noma, Hiroki Yasui, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC...
TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation
Overview The past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java Rich are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability. According to the developer, this vulnerability is...
Multiple vulnerabilities in OMRON products
Overview Machine automation controller NJ/NX series, Automation software "Sysmac Studio", and programmable terminal PT NA series provided by OMRON Corporation contain multiple vulnerabilities in the communication function. The vulnerabilities are as follows. Use of Hard-coded Credentials CWE-798 ...
Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers
Overview The web interface "Command Center" of multiple MFPs and printers provided by KYOCERA Document Solutions Inc. contain multiple vulnerabilities listed below. Session Information Easily Guessable CWE-287 - CVE-2022-41798 Missing authorization CWE-425 - CVE-2022-41807 Stored cross-site...
Multiple vulnerabilities in FUJI SOFT network devices
Overview USB dongle +F FS040U and mobile routers +F FS020W/+F FS030W/+F FS040W provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities listed below. Plaintext Storage of a Password CWE-256 - CVE-2022-43442 Cross-Site Request Forgery CWE-352 - CVE-2022-43470 Tomohisa Hasegawa of Canon ...
bingo!CMS vulnerable to authentication bypass
Overview bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability CWE-288 in some of the management functions. Shift Tech Inc. states that attacks exploiting this vulnerability have been observed. Shift Tech Inc. reported this vulnerability to IPA to notify users of i...
The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries
Overview The installer of Content Transfer for Windows provided by Sony Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinat...