5625 matches found
GBrowse vulnerable to unrestricted upload of files with dangerous types
Overview GBrowse provided by Generic Model Organism Database Project is a web-based genome browser. GBrowse allows the users to upload their own data in several file formats see "GBrowse User Uploads". The affected versions of GBrowse accept files with any formats uploaded CWE-434, and place them...
File and Directory Permissions Vulnerability in Hitachi Command Suite
Overview A File and Directory Permissions Vulnerability CVE-2020-36695 exists in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Improper restriction of XML external entity references (XXE) in XBRL data create application
Overview XBRL data create application provided by Financial Services Agency improperly restricts XML external entity references XXE CWE-611. Taku Toyama of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Multiple vulnerabilities in multiple ELECOM wireless LAN routers and wireless LAN repeaters
Overview Wireless LAN routers and wireless LAN repeaters provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2023-37560 Open Redirect CWE-601 - CVE-2023-37561 Cross-Site Request Forgery CWE-352 - CVE-2023-37562 Information disclosure CWE-20...
"NewsPicks" App uses a hard-coded API key for an external service
Overview "NewsPicks" App for Android and "NewsPicks" App for iOS provided by NewsPicks, Inc. use a hard-coded API key for an external service CWE-798. Sunagawa Masanori of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
WordPress Plugin "Snow Monkey Forms" vulnerable to directory traversal
Overview WordPress Plugin "Snow Monkey Forms" provided by Monkey Wrench Inc. contains a directory traversal vulnerability CWE-22. Shinsaku Nomura of Bitforest Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
SYNCK GRAPHICA Mailform Pro CGI vulnerable to Regular expression Denial-of-Service (ReDoS)
Overview Mailform Pro CGI provided by SYNCK GRAPHICA contains a Regular expression Denial-of-Service ReDoS vulnerability CWE-1333. Tran Quang Vu of FPT Software reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
Printer Driver Packager NX creates driver installation packages without modification detection
Overview Printer Driver Packager NX provided by Ricoh Company, Ltd. is a tool to create driver installation packages. A driver installation package is used to install and configure printer drivers on the target PCs. The installation and configuration of printer drivers require an administrative...
Chatwork Desktop Application (Mac) vulnerable to code injection
Overview Chatwork Desktop Application Mac provided by Chatwork Co., Ltd. contains a code injection vulnerability CWE-94. Koh M. Nakagawa of FFRI Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Multiple vulnerabilities in Fuji Electric products
Overview Multiple vulnerabilities listed below exist in the simulator module and the remote monitoring software 'V-Server Lite' and 'V-Server' contained in the graphic editor 'V-SFT', and the remote monitoring software 'TELLUS' and 'TELLUS Lite' provided by FUJI ELECTRIC CO., LTD. Stack-based...
Starlette vulnerable to directory traversal
Overview Starlette provided by Encode contains a directory traversal vulnerability CWE-22. Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Under certain conditions, a remote...
Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access
Overview Wacom Tablet Driver installer for macOS provided by Wacom contains an improper link resolution before file access vulnerability CWE-59. Koh M. Nakagawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-3122 Denial-of-service DoS in Message CWE-400 - CVE-2023-26595 CyVDB-3142 Operation restriction bypass vulnerability in Message and Bulletin CWE-285 - CVE-2023-27304 CyVDB-3165 Operation...
Beekeeper Studio vulnerable to code injection
Overview Beekeeper Studio provided by Beekeeper Studio, Inc. contains a code injection vulnerability CWE-74. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A remote...
Multiple vulnerabilities in MicroEngine Mailform
Overview MicroEngine Mailform provided by MicroEngine Inc. contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 - CVE-2023-27397 Path traversal CWE-22 - CVE-2023-27507 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. and hibiki moriyama of...
WordPress Plugin "Newsletter" vulnerable to cross-site scripting
Overview WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability CWE-79. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated. JPCERT/CC published respective advisories in...
JINS MEME CORE uses a hard-coded cryptographic key
Overview JINS MEME CORE provided by JINS Inc. is a nose pad type sensor attached to a glass frame. JINS MEME CORE uses a hard-coded cryptographic key CWE-321. MASAHIRO IIDA of LAC Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting
Overview WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" provided by TMS contains a cross-site scripting vulnerability CWE-79. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated. The developer and JPCERT/...
Joruri Gw vulnerable to cross-site scripting
Overview Joruri Gw provided by SiteBridge Inc. is groupware. Message Memo function of Joruri Gw contains a cross-site scripting vulnerability CWE-79. Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
TP-Link T2600G-28SQ uses vulnerable SSH host keys
Overview TP-Link layer-2 switch T2600G-28SQ uses vulnerable SSH host keys CWE-1391. Kuniyuki Hasegawa of VeriServe Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact The credential information for a...
Multiple cross-site scripting vulnerabilities in SHIRASAGI
Overview SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability on Schedule function CWE-79 - CVE-2023-22425 Stored cross-site scripting vulnerability on Theme switching function CWE-79 - CVE-2023-22427 CVE-2023-22425 Ren...
Improper restriction of XML external entity reference (XXE) vulnerability in OMRON CX-Motion Pro
Overview CX-Motion Pro provided by OMRON Corporation contains an improper restriction of XML external entity reference XXE vulnerability CWE-611. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a user opens a specially crafted project...
Pgpool-II vulnerable to information disclosure
Overview Pgpool-II is cluster management tool. Pgpool-II contains an information disclosure vulnerability CWE-200 in its watchdog function. Note that, only systems that meet all of the following setting requirements are affected by this vulnerability. Watchdog function is enabled usewatchdog = on...
WordPress plugin "Welcart e-Commerce" vulnerable to directory traversal
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a directory traversal vulnerability CWE-22. Masato Ikeda of Mitsui Bussan Secure Directions, Inc. and Takeshi Suzuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Active debug code vulnerability in OMRON CP1L-EL20DR-D
Overview Active debug code CWE-489 exists in CP1L-EL20DR-D provided by OMRON Corporation, which may lead to a command that is not specified in FINS protocol being executed without authentication. Georgy Kiguradze of Positive Technologies reported this vulnerability to JPCERT/CC. JPCERT/CC...
OpenAM Web Policy Agent (OpenAM Consortium Edition) vulnerable to path traversal
Overview OpenAM Web Policy Agent OpenAM Consortium Edition provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability CWE-22. Furthermore, a crafted URL may be evaluated incorrectly. OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of...
Digital Arts m-FILTER vulnerable to improper authentication
Overview m-FILTER provided by Digital Arts Inc. is an emaill security product. m-FILTER contains an improper authentication vulnerability CWE-287 when emails are being sent under certain conditions, and unintended emails may be sent by a remote attacker. Digital Arts Inc. states that attacks...
Multiple vulnerabilities in Fuji Electric V-Server
Overview V-Server provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below. Stack-based Buffer ovewflow CWE-121 - CVE-2022-47908 Out-of-bounds Read CWE-125 - CVE-2022-41645 Out-of-bounds Write CWE-787 - CVE-2022-47317 Michael Heinzl reported these vulnerabilities to...
Use-after-free vulnerability in Omron CX-Drive
Overview CX-Drive provided by Omron Corporation contains a use-after-free vulnerability CWE-416. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact By having a user to open a specially crafted file, arbitrary code may be executed. Solution...
Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure
Overview Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability CWE-200. Cameron Palmer of PROMON reported this vulnerability to Aiphone Co., Ltd. and coordinated. Aiphone Co., Ltd. and JPCERT/CC published respective advisories in...
WordPress Plugin "Salon booking system" vulnerable to cross-site scripting
Overview WordPress Plugin "Salon booking system" contains a cross-site scripting vulnerability CWE-79. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Stack-based buffer overflow vulnerability in Yokogawa Test & Measurement WTViewerE
Overview WTViewerE provided by Yokogawa Test & Measurement Corporation contains a stack-based buffer overflow vulnerability CWE-121. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact Processing a long file name may cause the product to crash...
Lemon8 App fails to restrict access permissions
Overview Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Ryo Sato of BroadBand Security,Inc. reported this...
Android App "IIJ SmartKey" vulnerable to information disclosure
Overview Android App "IIJ SmartKey" provided by Internet Initiative Japan Inc. contains an information disclosure vulnerability CWE-200. Naoaki Iwakiri reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Under...
Multiple vulnerabilities in Trend Micro Deep Security and Cloud One - Workload Security agents for Windows
Overview Trend Micro Incorporated has released a security update for Trend Micro Deep Security and Cloud One - Workload Security agents for Windows. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Information disclosure due...
Privilege Escalation Vulnerability in Hitachi Storage Plug-in for VMware vCenter
Overview A privilege escalation vulnerability CVE-2022-2637 exists in Hitachi Storage Plug-in for VMware vCenter. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and ta...
Multiple vulnerabilities in Contec FLEXLAN FX3000 and FX2000 series
Overview FLEXLAN FX3000 and FX2000 series provided by Contec Co., Ltd. contain multiple vulnerabilities listed below. Hidden Functionality CWE-912 - CVE-2022-36158 Use of Hard-coded Credentials CWE-798 - CVE-2022-36159 Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these...
Multiple vulnerabilities in PukiWiki
Overview PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities listed below. Path Traversal CWE-22 - CVE-2022-34486 Reflected Cross-site Scripting CWE-79 - CVE-2022-27637 Harold Kim reported these vulnerabilities to the developer and coordinated. After coordination was...
PLANEX MZK-DP150N contains hidden administrative functionality
Overview MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen CVE-2021-37289, CWE-912. In the initial settings of the product, the login account for the configuration screen is common to all products. Please change the account information from the initial...
PukiWiki vulnerable to cross-site scripting
Overview PukiWiki provided by PukiWiki Developers Team contains a stored cross-site scripting vulnerability CWE-79. Ryuhoh Ide of Department of Applied Physics, School of Engineering, The University of Tokyo reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Trend Micro Endpoint security products for enterprises vulnerable to Link Following Local Privilege Escalation
Overview Trend Micro Incorporated has released security updates for Endpoint security products for enterprises. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A non-administrative user of the system where the affected product...
Kaitai Struct: compiler vulnerable to denial-of-service (DoS)
Overview Kaitai Struct: compiler provided by Kaitai team contains SnakeYAML library version 1.25, which is used in parsing .ksy files. SnakeYAML version 1.25 expands recursive aliases unlimitedly CWE-674, hence Katai Struct: compiler is vulnerable to a denial-of-service DoS attack by Billion Laug...
CONTEC SolarView Compact vulnerable to insufficient verification in uploading files
Overview SolarView Compact provided by CONTEC CO., LTD. is PV Measurement System. The image file management page of SolarView Compact contains an insufficient verification vulnerability when uploadi webray reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.ng files...
Information Disclosure Vulnerability in Hitachi Automation Director and Hitachi Ops Center Automator
Overview Information Disclosure Vulnerability have been found in Hitachi Automation Director and Hitachi Ops Center Automator. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
Multiple vulnerabilities in Nintendo Wi-Fi Network Adaptor WAP-001
Overview Nintendo Wi-Fi Network Adaptor provided by Nintendo Co.,Ltd. contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2022-36381 Buffer overflow CWE-121 - CVE-2022-36293 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc reported these vulnerabilities to IP...
"JustSystems JUST Online Update for J-License" starts a program with an unquoted file path
Overview "JustSystems JUST Online Update for J-License" is bundled with multiple products for corporate users provided by JustSystems Corporation, as in Ichitaro through Pro5 and others, and it is registered as a Windows service. "JustSystems JUST Online Update for J-License" starts another progr...
"Hulu" App for iOS vulnerable to improper server certificate verification
Overview "Hulu" App for iOS provided by HJ Holdings, Inc. is vulnerable to improper server certificate verification CWE-295. Shungo Kumasaka of GMO Cyber Security by IERAE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Multiple vulnerabilities in untangle
Overview untangle provided by Christian Stefanescu is a Python library for processing XML documents. untangle contains multiple vulnerabilities listed below. Improper Restriction of Recursive Entity References in DTDs CWE-776 - CVE-2022-33977 Improper Restriction of XML External Entity Reference...
Passage Drive vulnerable to insufficient data verification
Overview Passage Drive provided by Yokogawa Rental & Lease Corporation contains an insufficient data verification vulnerability for interprocess communication CWE-20. Yokogawa Rental & Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and...
LiteCart vulnerable to cross-site scripting
Overview LiteCart contains a cross-site scripting vulnerability CWE-79. Satoshi Horikoshi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the web browser of the user wh...