5627 matches found
Multiple cross-site scripting vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in the custom block edit page of MT Block Editor CWE-79 - CVE-2025-22888 Stored cross-site scripting vulnerability in the HTML edit mode ...
acmailer CGI and acmailer DB vulnerable to OS command injection
Overview acmailer CGI and acmailer DB provided by Extra Innovation Inc. contain an OS command injection vulnerability CWE-78. Extra Innovation Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Extra Innovation Inc. coordinated under the...
Multiple vulnerabilities in FileMegane
Overview FileMegane provided by JIP InfoBridge Co., Ltd. contains multiple vulnerabilities listed below. Server-Side Request Forgery SSRF CWE-918 - CVE-2025-20075 Authentication Bypass by Spoofing CWE-290 - CVE-2025-25055 Masamu Asato of GMO Cybersecurity by Ierae, Inc. reported these...
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON NB-Designer
Overview NB-Designer provided by OMRON Corporation contains an improper restriction of XML external entity reference XXE vulnerability CWE-611, CVE-2024-12298. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a user opens a specially...
Multiple vulnerabilities in Defense Platform Home Edition
Overview Defense Platform Home Edition provided by Humming Heads Inc. contains multiple vulnerabilities listed below. Improper handling of message in specific process CWE-422 - CVE-2025-20094 Execution with unnecessary privileges CWE-250 - CVE-2025-22890 Improper handling of message in specific...
WordPress Plugin "Simple Image Sizes" vulnerable to cross-site scripting
Overview WordPress Plugin "Simple Image Sizes" provided by Rahe contains a stored cross-site scripting vulnerability CWE-79. Ibuki Sato of Nippon Engineering College of Hachioji reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
EXIF Viewer Classic vulnerable to cross-site scripting
Overview EXIF Viewer Classic provided by Rodrigue former Kakera is a Google Chrome browser extension. The affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability CWE-79. Versions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor...
Multiple vulnerabilities in I-O DATA router UD-LT2
Overview UD-LT2 provided by I-O DATA DEVICE, INC. contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2025-20617, CVE-2025-26856 Inclusion of Undocumented Features CWE-1242 - CVE-2025-22450 OS Command Injection CWE-78 - CVE-2025-23237 CVE-2025-20617, CVE-2025-22450,...
FortiWeb vulnerable to SQL injection
Overview FortiWeb provided by Fortinet, Inc. contains an SQL injection vulnerability CWE-89, CVE-2024-55593. Kentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Trend Micro Deep Security 20.0 Agent (for Windows) vulnerable to uncontrolled search path element
Overview Trend Micro Incorporated has released the security updates for Deep Security 20.0 Agent for Windows that contains a fix for an uncontrolled search path element vulnerability CWE-427, CVE-2024-55955. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the...
Multiple vulnerabilities in FXC AE1021 and AE1021PE
Overview AE1021 and AE1021PE are information outlet type wireless LAN routers provided by FXC Inc. They contain multiple vulnerabilities listed below. Weak Authentication CWE-1390 - CVE-2024-47397 OS Command Injection CWE-78 - CVE-2024-53688 Inclusion of Undocumented Features CWE-1242 -...
Multiple vulnerabilities in Edgecross Basic Software for Windows
Overview Edgecross Basic Software for Windows provided by Edgecross Consortium contains multiple vulnerabilities listed below. Incorrect default permissions CWE-276 - CVE-2024-4229 External control of file name or path CWE-73 - CVE-2024-4230 Edgecross Consortium reported these vulnerabilities to...
Multiple vulnerabilities in SoftBank Mesh Wi-Fi router RP562B
Overview Mesh Wi-Fi router RP562B provided by SoftBank Corp. contains multiple vulnerabilities listed below. Active debug code CWE-489 - CVE-2024-29075 OS command injection CWE-78 - CVE-2024-45827 Exposure of sensitive system information to an unauthorized control sphere CWE-497 - CVE-2024-47799...
WordPress Plugin "VK All in One Expansion Unit" vulnerable to cross-site scripting
Overview "Custom Alert Content" of WordPress Plugin "VK All in One Expansion Unit" provided by Vektor,Inc. contains a stored cross-site scripting vulnerability CWE-79. Umeda Yuugo of Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Command injection vulnerability in Trend Micro Cloud Edge
Overview Trend Micro Incorporated has released a security update for Cloud Edge to fix a command injection vulnerability CVE-2024-48904. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact An arbitrary command may be executed on th...
Hikvision network camera security enhancement to prevent cleartext transmission of Dynamic DNS credentials
Overview Multiple network cameras provided by Hangzhou Hikvision Digital Technology Co., Ltd. support two Dynamic DNS services, DynDNS and NO-IP.The user can select which to use on the GUI configuration page. Both the services provide their APIs accessible via HTTP and HTTPS, but old firmware...
Chatwork Desktop Application (Windows) uses a potentially dangerous function
Overview Chatwork Desktop Application Windows provided by kubell Co., Ltd. contains an issue with use of potentially dangerous function CWE-676, which allows a user to access an external website via a link in the application. RyotaK of Flatt Security Inc. directly reported this vulnerability to t...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability due to inappropriate Slug handling on Article Edit CWE-79 - CVE-2024-46996 Stored cross-site scripting vulnerability on Edit Email Form Settings CWE-79 ...
Multiple vulnerabilities in Exment
Overview Exment provided by Kajitori Co.,Ltd contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2024-46897 Stored Cross-site Scripting CWE-79 - CVE-2024-47793 CVE-2024-46897 masataka sato of Mitsui Bussan Secure Directions, Inc...
Multiple vulnerabilities in JTEKT ELECTRONICS Kostac PLC Programming Software
Overview Kostac PLC Programming Software provided by JTEKT ELECTRONICS CORPORATION contains multiple vulnerabilities listed below. Out-of-bounds write CWE-787 - CVE-2024-47134 Stack-based buffer overflow CWE-121 - CVE-2024-47135 Out-of-bounds read CWE-125 - CVE-2024-47136 Michael Heinzl reported...
Apache Tomcat improper handling of TLS handshake process data
Overview Apache Tomcat provided by The Apache Software Foundation improperly handles TLS handshake process data, which may lead to a denial-of-service DoS condition CWE-770, CVE-2024-38286. The reporter, Ozaki of North Grid Corporation, reported this issue directly to and coordinated with the...
File Permissions Vulnerability in Hitachi Ops Center Common Services
Overview File permissions vulnerability exists in Hitachi Ops Center Common Services. CVE-2024-2819: File permission vulnerability in Hitachi Ops Center Common Services Display new window Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer ...
Multiple vulnerabilities in Smart-tab
Overview Smart-tab provided by TECHNO SUPPORT COMPANY is a multi-functional guest room tablet system for hotels and other accommodation facilities. Smart-tab contains multiple vulnerabilities listed below. Active debug code CWE-489 - CVE-2024-41999 Plaintext storage of a password CWE-256 -...
MF Teacher Performance Management System vulnerable to cross-site scripting
Overview MF Teacher Performance Management System provided by Media Fusion Co.,Ltd. contains a cross-site scripting vulnerability CWE-79. Akira Sumiyoshi, Takuto Matsuhashi, Kei Watanabe, Akio Yamaguchi, Syunji Yazaki and Hideaki Tsuchiya of UEC-CSIRT, The University of Electro-Communications...
Malleability attack against executables encrypted by CBC mode with no integrity check
Overview Researchers at NTT, University of Hyogo, and NEC have identified a security issue that leads to executing arbitrary code in executable files that are encrypted by CBC mode with no integrity check. This issue has been published in ACNS 2020 . There is a risk that an encrypted executable...
Multiple Alps System Integration products and the OEM products vulnerable to cross-site request forgery
Overview Multiple Alps System Integration products and the OEM products contain a cross-site request forgery vulnerability CWE-352. Yoshiaki komeyama of KOBELCO SYSTEMS CORPORATION reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...
Pgpool-II vulnerable to information disclosure
Overview Pgpool-II is a cluster management tool. Pgpool-II contains an information disclosure vulnerability CWE-213 in its query cache function. PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development...
Multiple vulnerabilities in WordPress plugin "Carousel Slider"
Overview WordPress plugin "Carousel Slider" provided by Sayful Islam contains 2 CSRF vulnerabilities listed below. Cross-site request forgery on Carousel image selection feature CWE-352 - CVE-2024-45269 Cross-site request forgery on Hero image selection feature CWE-352 - CVE-2024-45270 RyotaK of...
xfpt vulnerable to stack-based buffer overflow
Overview xfpt fails to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability CWE-121. Yuhei Kawakoya of NTT Security Holdings Corporation reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact When ...
Multiple vulnerabilities in ELECOM wireless LAN routers and access points
Overview Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Cross-site scripting vulnerability due to an improper processing of input values in easysetup.cgi and menu.cgi CWE-79 - CVE-2024-34577, CVE-2024-42412 Missing...
Multiple Safie products vulnerable to improper server certificate verification
Overview Multiple Safie products are vulnerable to improper server certificate verification CWE-295. The product can be operated via port 11029/TCP and Bluetooth, and its communications are AES encrypted. The product user can obtain the encryption key from the cloud server based on the...
Installer of Trend Micro Security 2020 (Consumer) may insecurely load Dynamic Link Libraries
Overview Installers of Trend Micro Security 2020 Consumer family may insecurely load Dynamic Link Libraries. Multiple products provided by Trend Micro Incorporated contain the DLL search path issue, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Trend Micro Incorporated...
Firmware update for RICOH JavaTM Platform resets the TLS configuration
Overview JavaTM Platform provided by Ricoh Company, Ltd. is the execution environment for firmware extensions of Ricoh MFPs and printers, providing TLS Transport Layer Security communication mechanism. When the firmware for JavaTM Platform is updated from Ver.12.89 or earlier versions to a newer...
FFRI AMC vulnerable to OS command injection
Overview FFRI AMC provided by FFRI Security, Inc. is a management console for the endpoint security product FFRI yarai and ActSecure X. FFRI AMC contains an OS command injection vulnerability CWE-78. It is exploitable when the notification program setting is enabled, the executable file path is...
Multiple vulnerabilities in FutureNet NXR series, VXR series and WXR series
Overview FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain multiple vulnerabilities listed below. Initialization of a Resource with an Insecure Default CWE-1188 - CVE-2024-31070 Active Debug Code CWE-489 - CVE-2024-36475 OS Command Injection CWE-78 -...
Assimp vulnerable to heap-based buffer overflow
Overview Assimp provided by Open Asset Import Library contains a heap-based buffer overflow vulnerability CWE-122. Yuhei Kawakoya of NTT Security Holdings reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Multiple TP-Link products vulnerable to OS command injection
Overview Multiple products provided by TP-LINK contains an OS command injection vulnerability CWE-78 related to the backup/restore function. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact A user who logs in to the affected...
LINE client for iOS vulnerable to universal cross-site scripting
Overview The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability CWE-79, CVE-2024-5739. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If a user clicks a malicious...
"ZOZOTOWN" App for Android fails to restrict custom URL schemes properly
Overview "ZOZOTOWN" App for Android provided by ZOZO, Inc. provides the function to access a URL requested via Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a use...
awkblog vulnerable to OS command injection
Overview awkblog provided by Keisuke Nakayama contains an OS command injection vulnerability CWE-78. Keigo YAMAZAKI of LAC Co., Ltd. / Nuligen Security Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
Multiple vulnerabilities in Field Logic DataCube
Overview DataCube provided by Field Logic Inc. contains multiple vulnerabilities listed below. Direct Request 'Forced Browsing' CWE-425 - CVE-2024-25830 Reflected cross-site scripting CWE-79 - CVE-2024-25831 Unrestricted upload of file with dangerous type CWE-434 - CVE-2024-25832 SQL injection...
"OfferBox" App uses a hard-coded secret key
Overview "OfferBox" App provided by i-plug inc. uses a hard-coded secret key for JWT CWE-321. Yuta Yamate of Rakuten Group, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact The hard-coded secret key for...
Hidden Functionality vulnerability in DT900
Overview DT900 contains a Hidden Functionality vulnerabilityCWE-912. Specified versions allow an attacker to access the system setting. reported by Mr. Gianluca Altomani and Mr. Manuel Romei. for NEC-PSIRT Impact Regarding the impact of the vulnerability, please refer to the vendor advisory...
Phormer vulnerable to cross-site scripting
Overview Phormer contains a cross-site scripting vulnerability CWE-79. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on t...
Multiple vulnerabilities in MosP kintai kanri
Overview MosP kintai kanri provided by esMind, LLC contains multiple vulnerabilities listed below. Path Traversal CWE-22 - CVE-2024-28880 Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2024-29078 Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities...
WordPress Plugin "Heateor Social Login WordPress" vulnerable to cross-site scripting
Overview WordPress Plugin "Heateor Social Login WordPress" provided by Heateor contains a stored cross-site scripting vulnerability CWE-79. Daiki Sato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in RoamWiFi R10
Overview RoamWiFi R10 provided by RoamWiFi Technology Co., Ltd. contains multiple vulnerabilities listed below. Active debug code CWE-489 - CVE-2024-31406 Insertion of sensitive information into log file CWE-532 - CVE-2024-32051 Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities...
TvRock vulnerable to cross-site request forgery
Overview TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site request forgery vulnerability CWE-352. During the meeting of Committee for authorizing the disclosure of unresolved...
LINE client for iOS vulnerable to improper server certificate verification
Overview The financial module within LINE client for iOS lacks server certificate verification in log transmission CWE-295, CVE-2023-5554. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact The communication may be eavesdropped under a...
Multiple vulnerabilities in WordPress Plugin "Forminator"
Overview WordPress Plugin "Forminator" provided by WPMU DEV contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 SQL injection CWE-89 Cross-site scripting CWE-79 hibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA...