5627 matches found
QQQ SYSTEMS vulnerable to cross-site scripting
Overview QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. QQQ SYSTEMS contains a stored cross-site scripting vulnerability CWE-79. When an administrative user of the software accesses a malicious page created by an attacker, an arbitrary script may be executed. Note...
WordPress plugin "WP All Import" vulnerable to cross-site scripting
Overview The WordPress plugin "WP All Import" provided by Soflyy contains a cross-site scripting vulnerability CWE-79 in the file upload function. Note that this vulnerability is different from JVN60032768. Mardan Muhidin of Gehirn Inc. reported this vulnerability to IPA. JPCERT/CC coordinated wi...
Multiple vulnerabilities in WXR-1900DHP2
Overview WXR-1900DHP2 provided by BUFFALO INC. is a wireless LAN router. WXR-1900DHP2 contains multiple vulnerabilities listed below. Missing Authentication for Critical Function CWE-306 - CVE-2018-0521 Buffer Overflow CWE-119 - CVE-2018-0522 OS Command Injection CWE-78 - CVE-2018-0523 Taizoh...
XXE Vulnerability in Hitachi Device Manager
Overview An XXE XML External Entity Vulnerability was found in Hitachi Device Manager. This vulnerability only affects the Linux cluster environment. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section fo...
Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" may insecurely load Dynamic Link Libraries
Overview Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili...
WordPress plugin "MTS Simple Booking C" vulnerable to cross-site scripting
Overview The WordPress plugin "MTS Simple Booking C" provided by MT Systems Co., Ltd. contains a stored cross-site scripting vulnerability CWE-79. Daichi Takaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to...
Cross-site Scripting Vulnerability in Fujitsu Interstage List Works
Overview A cross-suite scripting vulnerability has been found in web functionality of Fujitsu Interstage List Works. Impact By creating a malicious webpage that exploits this vulnerability, an attacker could execute arbitrary code on the user's computer used to access the malicious webpage...
Lhaplus vulnerable to improper verification when expanding ZIP64 archives
Overview Lhaplus is file compression/decompression software. Lhaplus does not treat ZIP64 archives properly when expanding. Koji Ando of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Cross-site Scripting Vulnerability in JP1/Service Support and JP1/Integrated Management - Service Support
Overview A cross-site scripting vulnerability was found in JP1/Service Support and JP1/Integrated Management - Service Support. Impact Remote users can exploit this vulnerability to execute malicious scripts. Solution Please refer to the 'Vendor Information' section for the official countermeasur...
Cross-site Scripting Vulnerability in JP1/Operations Analytics
Overview A cross-site scripting vulnerability was found in JP1/Operations Analytics. Impact Remote users can exploit this vulnerability to execute malicious scripts. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
XXE Vulnerability in Hitachi Command Suite
Overview An XXE XML External Entity Vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Cross-site Scripting Access Control For Access Control, Hitachi Data Center Analytics v8.0.0, v8.0.2, v8.1.0, and v8.1.3 will be affected. Impact Regarding the impact of the vulnerability, please refer ...
RMI Vulnerability in Hitachi Tuning Manager
Overview A RMI Vulnerability was found in Hitachi Tuning Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Wi-Fi STATION L-02F fails to restrict access permissions
Overview Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. fails to restrict access permissions. Japan Computer Emergency Response Team Coordination Center Global Coordination Division Cyber Metrics Line Information Security Analyst Keisuke Shikano reported this vulnerability to IPA. JPCERT/CC...
Denial-of-service (DoS) Vulnerability in JP1 and Hitachi IT Operations Director
Overview A vulnerability to denial-of-service attacks was found in JP1 and Hitachi IT Operations Director. Impact An attacker may conduct denial-of-service attacks. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Denial-of-service (DoS) Vulnerability in HiRDB
Overview A vulnerability to denial-of-service attacks was found in HiRDB. Impact A vulnerability to denial-of-service attacks was found in HiRDB. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Installer of Optimal Guard may insecurely load Dynamic Link Libraries
Overview Installer of Optimal Guard provided by OPTiM Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Installer of "Security Kinou Mihariban" may insecurely load Dynamic Link Libraries
Overview Installer of "Security Kinou Mihariban" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC...
Multiple vulnerabilities in WebCalendar
Overview WebCalendar provided by k5n.us contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2017-10840 Directory traversal CWE-22 - CVE-2017-10841 The following researchers reported vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information...
WordPress plugin "BackupGuard" vulnerable to cross-site scripting
Overview The WordPress plugin "BackupGuard" provided by BackupGuard contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary scri...
Installer of LhaForge may insecurely load Dynamic Link Libraries
Overview LhaForge is a file compression/decompression software. The installer of LhaForge contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
Installer of Tween may insecurely load Dynamic Link Libraries
Overview Tween is a twitter client application. Installer of Tween contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
RBB SPEED TEST App fails to verify SSL server certificates
Overview RBB SPEED TEST App provided by IID, Inc. fails to verify SSL server certificates. DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an attacker to...
WordPress plugin "Simple Custom CSS and JS" vulnerable to cross-site scripting
Overview The WordPress plugin "Simple Custom CSS and JS" provided by SilkyPress contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
gSOAP vulnerable to stack-based buffer overflow
Overview gSOAP library provided by Genivia contains a stack-based buffer overflowCWE-121. Processing a crafted SOAP message sent by a remote attacker may result in code execution. Impact Processing a crafted SOAP message sent by a remote attacker may result in code execution. Solution Update to t...
Multiple Vulnerabilities in Hitachi Automation Director and Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Automation Director and Hitachi Infrastructure Analytics Advisor. Impact They may conduct the attacks listed below. Cross-site Scripting XXE XML External Entity Open Redirect Solution Please refer to the 'Vendor Information' section for...
Installer and self-extracting archive containing the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system may insecurely load Dynamic Link Libraries
Overview The installer and the self-extracting archive including the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability...
Installer of PDF Digital Signature Plugin provided by the Ministry of Justice may insecurely load Dynamic Link Libraries
Overview Installer of PDF Digital Signature Plugin provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT Communications Corporation and Eili Masami of Tachibana Lab. reported this...
Denshi Nyusatsu Check Tool provided by Ministry of Education, Culture, Sports, Science and Technology may insecurely load Dynamic Link Libraries
Overview Denshi Nyusatsu Check Tool provided by Ministry of Education, Culture, Sports, Science and Technology MEXT contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this...
HOME SPOT CUBE2 vulnerable to improper authentication in WebUI
Overview HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains improper authentication in WebUI. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple I-O DATA network camera products vulnerable to cross-site request forgery
Overview Multiple network camera products provided by I-O DATA DEVICE, INC. contains a cross-site request forgery vulnerability CWE-352. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securi...
WordPress plugin "WP Job Manager" fails to restrict access permissions
Overview The WordPress plugin "WP Job Manager" provided by Automattic Inc. fails to restrict access permissions. Katsunori Kumagai of Kumasan, LLC. reported this issue to IPA under Information Security Early Warning Partnership. Impact A remote unauthenticated attacker may upload an image file to...
The installer of SemiDynaEXE provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries
Overview The installer of SemiDynaEXE SemiDynaEXE2008.EXE provided by Geospatial Information Authority of Japan GSI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA...
The installer of PatchJGD provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries
Overview The installer of PatchJGD PatchJGD101.EXE provided by Geospatial Information Authority of Japan GSI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC...
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
Overview AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Note that this vulnerability is different from JVN80238098...
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
Overview AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Note that this vulnerability is different from JVN20870477...
Installer of Tera Term may insecurely load Dynamic Link Libraries
Overview The installer of Tera Term provided by TeraTerm Project contains an issue with the DLL search path, which may lead to insecurely load Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Informati...
WordPress plugin "MaxButtons" vulnerable to cross-site scripting
Overview The WordPress plugin "MaxButtons" provided by Max Foundry contains a cross-site scripting vulnerability CWE-79. ASAI Ken and Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
PrimeDrive Desktop Application Installer may insecurely load executable files
Overview PrimeDrive Desktop Application is the client application for PrimeDrive online storage service provided by SoftBank Corp. The installer of PrimeDrive Desktop Application contains an issue with the file search path, which may insecurely load executable files CWE-427. Eili Masami of...
SOY CMS vulnerable to directory traversal
Overview SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is a Contents Management System CMS. SOY CMS contains a directory traversal vulnerability CWE-22 due to a flaw in processing shopid parameter. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the develope...
The API in Cybozu Office vulnerable to denial-of-service (DoS)
Overview The API in Cybozu Office contains a denial-of-service DoS vulnerability. Cybozu, Inc. reported this vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership. Impact A...
ASSETBASE vulnerable to cross-site scripting
Overview ASSETBASE provided by UCHIDA YOKO CO., LTD. is an IT asset management tool. ASSETBASE contains a cross-site scripting vulnerability CWE-79. Keitaro Yamazaki of Kyoto University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
CS-Cart Japanese Edition vulnerable to cross-site request forgery
Overview CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site request forgery CWE-352 vulnerability. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
Overview PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries...
CubeCart vulnerable to directory traversal
Overview CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability CWE-22. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Cybozu Garoon vulnerable to SQL injection
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an SQL injection vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early...
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to authentication bypass
Overview AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains an authentication bypass vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC...
Multiple cross-site scripting vulnerabilities in Webmin
Overview Webmin contains multiple cross-site scripting vulnerabilities CWE-79 due to issues in outputting error messages into a HTML page and the function to edit the database. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated...
CubeCart vulnerable to directory traversal
Overview CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability CWE-22. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Knowledge vulnerable to cross-site request forgery
Overview Knowledge provided by support-project.org is an open-source knowledge base platform. Knowledge contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update...