5625 matches found
Installer of Electronic reception and examination of application for radio licenses Online may insecurely load Dynamic Link Libraries
Overview Installer of Electronic reception and examination of application for radio licenses Online contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the...
CREATE SD official App for Android fails to restrict access permissions
Overview CREATE SD official App for Android provided by CREATE SD CO., LTD. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and t...
The installer of Microsoft Teams may insecurely load Dynamic Link Libraries
Overview The installer of Microsoft Teams contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Microsoft states that the root cause of this vulnerability is "Application Directory App Dir DLL planting", thus there is no plan to release a...
PowerAct Pro Master Agent for Windows fails to restrict acess permissions
Overview PowerAct Pro Master Agent for Windows provided by OMRON SOCIAL SOLUTIONS Co.,Ltd. fails to restrict access permissions. Hosono, Akane reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user with an...
iChain Insurance Wallet App for iOS vulnerable to directory traversal
Overview iChain Insurance Wallet App for iOS provided by iChain, Inc. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability CWE-22, CVE-2018-16202. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/C...
POWER EGG vulnerability where EL expression may be executed
Overview POWER EGG provided by D-CIRCLE inc. is an integrated collaboration tool. POWER EGG contains a vulnerability where an arbitray EL expression may be executed CWE-20. Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
HOUSE GATE App for iOS vulnerable to directory traversal
Overview HOUSE GATE App for iOS provided by HOUSE GATE inc. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability CWE-22, CVE-2018-16202. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
WordPress plugin "spam-byebye" vulnerable to cross-site scripting
Overview The WordPress plugin "spam-byebye" contains a reflected cross-site scripting vulnerability CWE-79 qw3rTyTy reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the...
Clickjacking Vulnerability in Hitachi Automation Director
Overview A Clickjacking Vulnerability was found in Hitachi Automation Director. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Installer of Mapping Tool may insecurely load Dynamic Link Libraries
Overview Installer of Mapping Tool provided by Japan Atomic Energy Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Takashi Sugawara reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Informatio...
Multiple vulnerabilities in Cybozu Remote Service
Overview Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Upload of arbitrary files in logo setting screen CWE-434 - CVE-2018-16169 Directory traversal in used device management screen CWE-22 - CVE-2018-16170 Directory traversal in client certificates...
Problem with directory permissions in JP1/Operations Analytics
Overview A problem with directory permissions was found in JP1/Operations Analytics. Impact Regarding the impact of the vulnarability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate acti...
Multiple vulnerabilities in RICOH Interactive Whiteboard
Overview RICOH Interactive Whiteboard provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. Command injection CWE-94 - CVE-2018-16184 Missing file signature - CVE-2018-16185 Hard-coded credentials for the administrator settings screen - CVE-2018-16186 The server...
Multiple directory traversal vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple directory traversal vulnerabilities below. Directory traversal vulnerability due to a flaw in processing parameter of the HTTP request CWE-22 - CVE-2018-0703 Directory traversal vulnerability due to a flaw in processing parameter...
Cybozu Mailwise vulnerable to directory traversal
Overview Cybozu Mailwise provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of it...
WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
Overview The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability CWE-79. Yuta Kitaoka of TokyoDenkiUniversity Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate acti...
Web Isolation vulnerable to cross-site scripting
Overview Web Isolation provided by Symantec Corporation contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provide...
Path Traversal Vulnerability in Hitachi Automation Director
Overview A Path Traversal Vulnerability was found in Hitachi Automation Director. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
LINE MUSIC for Android fails to verify SSL server certificates
Overview LINE MUSIC for Android provided by LINE MUSIC CORPORATION fails to verify SSL server certificates CWE-295. LINE MUSIC CORPORATION reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN. Impact A man-in-the-middle attack may allow an attacker to...
WL-330NUL vulnerable to cross-site request forgery
Overview WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a cross-site request forgery vulnerability CWE-352. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Movable Type plugin MTAppjQuery vulnerable to PHP code execution
Overview MTAppjQuery provided by bit part LLC is a plugin for Movable Type. An older version PHP library Uploadify is incorporated in MTAppjQuery v1.8.1 and earlier versions and the older versions of Uploadify contains unrestricted upload of arbitrary file CWE-434, which may lead to arbitrary PHP...
Multiple vulnerabilities in Aterm W300P
Overview Aterm W300P provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631 Buffer Overflow CWE-119 - CVE-2018-0632, CVE-2018-0633 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this...
DHC Online Shop App for Android fails to verify SSL server certificates
Overview DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates. Sho Ueshima and Tsuyoshi Ogawa of SIE Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Installer of Glary Utilities may insecurely load Dynamic Link Libraries
Overview Installer of Glary Utilities provided by Glarysoft Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Ear...
Local File Inclusion vulnerability in Zenphoto
Overview Zenphoto is a content management system CMS. Zenphoto contains a Local File Inclusion vulnerability. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Sensitive information may be obtained or...
Multiple vulnerabilities in Pixelpost
Overview Pixelpost provided by Pixelpost.org contains multiple vulnerabilities listed below. Arbitrary code execution - CVE-2018-0604 Cross-site scripting CWE-79 - CVE-2018-0605 SQL injection CWE-89 - CVE-2018-0606 ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the...
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely invoke an executable file
Overview The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely invoke an executable file...
Multiple vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Information disclosure in the application "Message" when viewing an external image CWE-200 - CVE-2018-0526 Stored cross-site scripting in "E-mail Details Screen" of the application "E-mail" CWE-79 -...
Multiple Microsoft Windows applications and installers may insecurely load Dynamic Link Libraries
Overview Multiple Windows applications and installers provided by Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory where applications and/or installers reside CWE-427. Microsoft states that the root cause of thi...
The installer of Visual C++ Redistributable may insecurely load Dynamic Link Libraries
Overview The installer of Visual C++ Redistributable provided Microsoft contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory as the installer CWE-427. Microsoft states that the root cause of this vulnerability is "Applicatio...
KINEPASS App fails to verify SSL server certificates
Overview KINEPASS App provided by T-JOY CO.,LTD fails to verify SSL server certificates. Seigo Yamamoto of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow a...
IIJ SmartKey App for Android vulnerable to authentication bypass
Overview IIJ SmartKey App for Android contains an authentication bypass vulnerability. IIJ SmartKey App for Android provided by Internet Initiative Japan Inc. is an application that enables two-step authentication two-factor authentication for a website from an Android device. IIJ SmartKey App fo...
Access Control Vulnerability in Hitachi Infrastructure Analytics Advisor
Overview An Access Control Vulnerability was found in Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate...
WordPress plugin "Events Manager" vulnerable to cross-site scripting
Overview The WordPress plugin "Events Manager" provided by NetWebLogic contains a stored cross-site scripting vulnerability CWE-79. Daichi Takaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC...
Hatena Bookmark App for iOS contains an address bar spoofing vulnerability
Overview Hatena Bookmark App for iOS provided by Hatena Co., Ltd. contains a vulnerability where the address bar displays a different URL than the URL that is being accessed. Kenichiro Wakitani reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
TinyFTP Daemon vulnerable to buffer overflow
Overview TinyFTP Daemon provided by Hisayuki Nomura is a FTP File Transfer Protocol server. TinyFTP Daemon contains a buffer overflow vulnerability CWE-121. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an...
ViX may insecurely load Dynamic Link Libraries
Overview ViX provided by KOKADA is a Graphics Viewer Software for Windows. ViX contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries contained in the same directory as an image file CWE-427. During the meeting of Committee for authorizing the...
Multiple vulnerabilities in CG-WGR1200
Overview CG-WGR1200 provided by Corega Inc is a wireless LAN router. CG-WGR1200 contains multiple vulnerabilities listed below. Buffer Overflow CWE-119 - CVE-2017-10852 Buffer Overflow CWE-78 - CVE-2017-10853 Authentication bypass CWE-306 - CVE-2017-10854 Taizoh Tsukamoto of Mitsui Bussan Secure...
Installer of WinShot may insecurely load Dynamic Link Libraries
Overview Installer of WinShot contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Installer of JTrim may insecurely load Dynamic Link Libraries
Overview Installer of JTrim contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
XXE Vulnerability in Hitachi Device Manager
Overview An XXE XML External Entity Vulnerability was found in Hitachi Device Manager. This vulnerability only affects the Linux cluster environment. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section fo...
Multiple Vulnerabilities in Hitachi Command Suite
Overview Multiple vulnerabilities have been found in Hitachi Command Suite. Cross-site Scripting Open Redirect Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Installer of "FLET'S Azukeru Backup Tool" may insecurely load Dynamic Link Libraries
Overview "FLET'S Azukeru Backup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is software to automatically back up files in the user's computer to "FLET'S Azukeru" service. Installer of "FLET'S Azukeru Backup Tool" contains an issue with the DLL search path, which may lead to...
WordPress plugin "WP Retina 2x" vulnerable to cross-site scripting
Overview The WordPress plugin "WP Retina 2x" contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on a...
Cross-site Scripting Vulnerability in Fujitsu NetCOBOL
Overview A cross-site scripting vulnerability was found in MeFt/Web Service manager function in Fujitsu NetCOBOL. Impact By creating a malicious webpage that exploits this vulnerability, an attacker could execute arbitrary code on the user's computer used to access the malicious webpage. Solution...
Cross-site Scripting Vulnerability in Fujitsu Interstage List Works
Overview A cross-suite scripting vulnerability has been found in web functionality of Fujitsu Interstage List Works. Impact By creating a malicious webpage that exploits this vulnerability, an attacker could execute arbitrary code on the user's computer used to access the malicious webpage...
CS-Cart Japanese Edition vulnerable to cross-site scripting
Overview CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site scripting vulnerabulity CWE-79. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Cross-site Scripting Access Control For Access Control, Hitachi Data Center Analytics v8.0.0, v8.0.2, v8.1.0, and v8.1.3 will be affected. Impact Regarding the impact of the vulnerability, please refer ...