5627 matches found
Photo Gallery CMS for PC, smartphone and feature phone (Free) vulnerable to cross-site scripting
Overview Photo Gallery CMS for PC, smartphone and feature phone Free provided by PHP Kobo contains a cross-site scripting CWE-79 vulnerability in admin.php. Yuji Tounai of NTT Com SecurityJapan KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Gazou BBS plus vulnerability in file upload processing
Overview Gazou BBS plus provided by LEMON-S PHP contains a vulnerability in the processing of file uploads. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An image file may be specially crafted t...
Cacti vulnerable to cross-site scripting
Overview Cacti is a web application that graphs stored data collected from network devices. Cacti contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing parameters in graphview.php. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IP...
osCommerce Japanese version vulnerable to directory traversal
Overview osCommerce is an open source system for creating shopping websites. osCommerce Japanese version contains a directory traversal vulnerability. Masako Ohno reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Symfony vulnerable to code injection
Overview Symfony is an open source web application framework provided by SensioLabs. Symfony contains a code injection vulnerability. Applications with ESI support enabled and using the Symfony built-in reverse proxy the HttpCache class are affected. Takeshi Terada of Mitsui Bussan Secure...
BloBee vulnerable to arbitrary file creation
Overview BloBee provided by CGI RESCUE is a bulletin board software. BloBee contains a vulnerability that may allow a remote attacker to create arbitrary files CWE-20. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
MilkyStep fails to restrict access permissions
Overview MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions CWE-264. Note that this vulnerability is different from JVN74280258. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the...
"Open Explorer Beta" App for Android vulnerable to directory traversal
Overview "Open Explorer Beta" App for Android provided by brandroid.org contains an issue in processing file names, which may result in a directory traversal CWE-22 vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
Zenphoto vulnerable to cross-site scripting
Overview Zenphoto is a content management system CMS. Zenphoto contains a cross-site scripting vulnerability CWE-79 due to a flaw in processing encoded user-supplied input. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
Apache Sling API and Servlets Post components vulnerable to cross-site scripting
Overview Apache Sling is an open source web application framework provided by The Apache Software Foundation. Sling API and Servlet Post components included in Apache Sling contain a cross-site scripting vulnerability CWE-79 in the error page and the generation of the job completion. MORI Shingo...
Information Disclosure Vulnerability in JP1/Integrated Management - Universal CMDB
Overview An information disclosure vulnerability was found in JP1/Integrated Management - Universal CMDB. Impact When UCMDB server uses UD probe DFM probe, malicious remote users can acquire data stored in UD probe DFM probe, by sending crafted HTTP request to server. Solution Please refer to the...
BGA32.DLL and QBga32.DLL contain multiple vulnerabilities
Overview BGA32.DLL is a compression/decompression library for gza and bza-format files. BGA32.DLL contains multiple vulnerabilities including a buffer overflow because it utilizes vulnerable zlib and bzip2 libraries. QBga32.DLL, which is a wrapper of BGA32.DLL, is also affected. KONDOU, Kazuhiro...
"Honda Moto LINC" App for Android fails to verify SSL server certificates
Overview "Honda Moto LINC" App for Android fails to verify SSL server certificates. Yasuyuki KOBAYASHI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an attacker to...
TransmitMail vulnerable to cross-site scripting
Overview TransmitMail is a PHP based mail form. TransmitMail contains a cross-site scripting CWE-79 vulnerability due to the processing of file names. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
bBlog vulnerable to cross-site request forgery
Overview bBlog is weblog software. bBlog contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Do not use bBlog bBlog is no longer being developed or maintained. It is recommended to...
"Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates
Overview "Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates. Yasuyuki KOBAYASHI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an attack...
The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass
Overview The TERASOLUNA Server Framework for JavaWEB provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for JavaWEB is vulnerable to an issue contained in the Apache Struts 1 Validator, since it uses Apache Struts 1.2.9. The...
MP Form Mail CGI eCommerce edition vulnerable to code injection
Overview MP Form Mail CGI eCommerce edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce edition contains a code injection vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Informatio...
Maroyaka Relay Novel vulnerable to cross-site scripting
Overview Maroyaka Relay Novel provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Relay Novel contains a persistent cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
Cross-site Scripting Vulnerability in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director
Overview A cross-site scripting vulnerability was found in the online help of JP1/IT Desktop Management - Manager and Hitachi IT Operations Director. Impact Remote users can exploit a cross-site scripting vulnerability to execute malicious scripts. Solution Please refer to the 'Vendor Information...
Zen Cart Japanese version vulnerable to cross-site scripting
Overview Zen Cart is an open source system for creating shopping websites. Zen Cart Japanese version contains a cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact ...
SYNCK GRAPHICA Mailform Pro CGI vulnerable to remote code execution
Overview Mailform Pro CGI provided by SYNCK GRAPHICA contains a flaw in the process of sending emails, which may result in an arbitrary code execution. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Squid input validation vulnerability
Overview Squid contains a vulnerability where inputs are not properly validated. Squid is a caching proxy server. Squid contains a vulnerability where server responses that contain invalid values in the Content-Length of the HTTP header are sent to the client. Kazuho Oku reported this vulnerabili...
C-BOARD Moyuku vulnerable to arbitrary file creation
Overview C-BOARD Moyuku is a bulletin board software. C-BOARD Moyuku contains a vulnerability that may allow a remote attacker to create arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Cross-site Scripting Vulnerability in Hitachi Command Suite Products
Overview The online help of Hitachi Command Suite Products contains a cross-site scripting vulnerability. Impact A remote attacker can exploit this vulnerability to execute malicious scripts. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Smartphone Passbook for Android information management vulnerability
Overview Smartphone Passbook for Android contains an issue where user inputs are output into a log file. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Other android applications with...
Smartphone Passbook fails to verify SSL server certificates
Overview Smartphone Passbook provided by Ogaki Kyoritsu bank Ltd. fails to verify SSL server certificates. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow...
Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery
Overview Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user views a maliciou...
Multiple ASUS wireless LAN routers vulnerable to OS command injection
Overview Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary OS command may be...
SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
Overview Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WBS Gantt-Chart for JIRA vulnerable to cross-site scripting
Overview WBS Gantt-Chart for JIRA provided by Ricksoft Inc. is an add-on for JIRA which provides WBS Work Breakdown Structure and Gantt-Chart features. WBS Gantt-Chart for JIRA contains a flaw in output page generation, which may lead to cross-site scripting CWE-79. Note that this vulnerability i...
Multiple Vulnerabilities in JP1/Cm2/Network Node Manager i
Overview JP1/Cm2/Network Node Manager i contains cross-site scripting and execution of arbitrary code vulnerabilities. Impact An attacker could inject arbitrary web script and execute arbitrary code. Solution Please refer to the 'Vendor Information' section for the official countermeasure and tak...
LinPHA vulnerable to cross-site scripting
Overview LinPHA is a software to manage and host image files on the web. LinPHA contains a cross-site scripting vulnerability. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
"File Upload BBS" of i-HTTPD vulnerable to remote command execution
Overview i-HTTPD is a web server for Windows, implementing Server Side Includes SSI. i-HTTPD contains "File Upload BBS". When "File Upload BBS" is activated, a user can upload files on the server, and i-HTTPD processes SSI directives in the uploaded files CWE-97. Yamagata of webappsec.jp reported...
ARROWS Me F-11D vulnerability where arbitrary areas may be accessed
Overview ARROWS Me F-11D contains a vulnerability where arbitrary areas on the device may be accessed. FUKAUMI Naoki of SOUM Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker with local...
SEIL Series routers vulnerable to denial-of-service (DoS)
Overview The PPP Access Concentrator PPPAC and the Dial-Up Networking in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service DoS vulnerability due to an issue in processing certain packets CWE-119. Note that this vulnerability is different from JVN21907573...
Direct Web Remoting (DWR) vulnerable to XML external entity injection
Overview Direct Web Remoting DWR is a Java framework for developing Ajax into web applications. DWR contains an XML external entity injection vulnerability CWE-611. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
jigbrowser+ for iOS same origin policy bypass
Overview jigbrowser+ for iOS contains a flaw in loading web pages, which may allow an attacker to bypass the same origin policy. Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
SLFileManager for Android vulnerable to directory traversal
Overview SLFileManager provided by S-Link, Inc. contains a flaw in processing file names, which may result in a directory traversal CWE-22 vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Yuko Yuko App for Android fails to verify SSL server certificates
Overview Yuko Yuko App for Android provided by Yuko Yuko Corporation fails to verify SSL server certificates. Shunsuke Taniguchi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Dotclear vulnerable to cross-site scripting
Overview Dotclear is a weblog software. Dotclear contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user views a crafted page while...
Bump for Android vulnerable in handling of implicit intents
Overview Bump for Android is an application that allows users to share information and files. Bump for Android contains a vulnerability in the handling of implicit intents. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
FileMaker Pro fails to verify SSL server certificates
Overview FileMaker Pro contains a function to encrypt communications with the FileMaker Server. FileMaker Pro fails to verify the SSL server certificate. NOTE: This vulnerability exists because of an incomplete fix for CVE-2013-2319. Impact A man-in-the-minddle attack may allow an attacker to...
FileMaker Pro vulnerable to cross-site scripting
Overview FileMaker Pro contains an "Instant Web Publishing" function. When this function is enabled, FileMaker Pro is vulnerable to cross-scripting. NOTE: This vulnerability exists because of an incomplete fix for CVE-2013-3640. Impact An arbitrary script may be executed on the user's web browser...
Movable Type vulnerable to cross-site scripting
Overview Movable Type provided by Six Apart, Ltd. contains a cross-site scripting vulnerability. Movable Type contains an issue in processing the management page, which may result in a cross-site scripting vulnerability. Saeki Tominaga reported this vulnerability to IPA. JPCERT/CC coordinated wit...
Piwigo vulnerable to cross-site scripting
Overview Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Piwigo vulnerable to cross-site scripting
Overview Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability when the "Community" plugin is activated and validation on user uploaded photos is disabled. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC...
Multiple I-O DATA IP Cameras vulnerable to authentication bypass
Overview Multiple IP Cameras provided by I-O DATA contain an authentication bypass vulnerability. Impact An attacker who can access the product may be able to gain access to configuration and credential information. As a result, the attacker may take control of the product. Solution Apply an upda...
PerlMailer vulnerable to cross-site scripting
Overview PerlMailer from Homepage Decorator is a mail form CGI which is used to send mail from a form on a web page. PerlMailer CGI scripts contain a cross-site scripting vulnerability. Koki Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the vendors under Information...
Meridian vulnerable to cross-site scripting
Overview Meridian provided by Nexa Technologies is a software for market trading. Meridian contains a cross-site scripting vulnerability. Kazuyuki Matsuda reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...