5609 matches found

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•3 views

Sony mylo COM-2 does not verify server SSL certificate

Overview Sony mylo COM-2 contains a vulnerability where it does not verify the server certificate when connecting to a server via SSL/TLS. Sony mylo COM-2, a mobile terminal equipped with a web browser and media player, contains a vulnerability where it does not verify the server certificate when...

CVSS 6.4 | AI score 6.4 | EPSS 0.00504
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

MTCMS WYSIWYG Editor cross-site scripting vulnerability

Overview MTCMS WYSIWYG Editor, weblog management software from SKYARC System, contains a cross-site scripting vulnerability. MTCMS WYSIWYG Editor from SKYARC System is management software used to update Movable Type contents, etc. The install.cgi in MTCMS WYSIWYG Editor contains a cross-site...

CVSS 4.3 | AI score 6.3 | EPSS 0.00329
Exploits: 0 | References: 6

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

EUR Print Manager Denial of Service Vulnerability

Overview EUR Print Manager fails to accept job execution requests when it receives unexpected data, which could be exploited to cause a Denial of Service (DoS) condition. Impact An attacker could cause a Denial of Service (DoS). Solution Please refer to the 'Vendor Information' section for official...

CVSS 5 | AI score 6.9 | EPSS 0.00603
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Multiple JustSystems products vulnerable to buffer overflow

Overview Multiple JustSystems products are vulnerable to buffer overflow. Multiple JustSystems products contain a vulnerability which allows a remote attacker to cause buffer overflow when a user opens or views a specially crafted .jtd file. Multiple products are affected by this vulnerability. F...

CVSS 9.3 | AI score 7.8 | EPSS 0.11647
Exploits: 0 | References: 11

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

RaidenHTTPD cross-site scripting vulnerability

Overview RaidenHTTPD, from Sonei Information Systems TEAM JOHNLONG, contains a cross-site scripting vulnerability. This issue is different from JVN90438169. RaidenHTTPD is a multipurpose web server for Windows provided by TEAM JOHNLONG. RaidenHTTPD contains a cross-site scripting vulnerability...

CVSS 4.3 | AI score 6.3 | EPSS 0.00351
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Sylpheed Email Header Buffer Overflow Vulnerability with non-ASCII Characters

Overview Sylpheed does not validate input data properly, which could lead to buffer overflow when it receives a message with the header containing non-ASCII characters. Impact An attacker could execute arbitrary code with the privileges of the user running Sylpheed. Solution Please refer to the...

CVSS 5.1 | AI score 7.7 | EPSS 0.0334
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Apache Tomcat denial of service vulnerability

Overview Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. Apache Tomcat contains a vulnerability that may allow a remote attacker to cause a denial of service (DoS). Impact A remote attacker may cause a denial of service (DoS). Solution...

CVSS 5 | AI score 6.8 | EPSS 0.1863
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Sylpheed Filename Buffer Overflow Vulnerability

Overview Sylpheed contains a buffer overflow vulnerability exploitable via attachments with MIME-encoded filename. Impact An attacker could execute arbitrary code with the privileges of the user running Sylpheed. Solution Please refer to the 'Vendor Information' and 'References' section for...

CVSS 5.1 | AI score 7.7 | EPSS 0.01711
Exploits: 0 | References: 5

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Webmin and Usermin authentication bypass vulnerability

Overview Webmin and Usermin, web-based system management tools for UNIX, contain a vulnerability which may allow a remote attacker to bypass authentication when PAM authentication is used. Impact A remote attacker could bypass Webmin and Usermin's authentication, and execute an arbitrary command...

CVSS 9.3 | AI score 7.3 | EPSS 0.02204
Exploits: 0 | References: 9

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Ruby XMLRPC Server Denial of Service Vulnerability

Overview The User-level thread supported in Ruby does not switch while writing to a socket. This in turn blocks all subsequent processes when specially crafted requests are sent to the Web server and could result in a denial of service. Impact An attacker could cause a Denial of Service (DoS)...

CVSS 5 | AI score 6.4 | EPSS 0.13214
Exploits: 0 | References: 12

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Movable Type session management vulnerability

Overview Movable Type, a web log system from Six Apart KK, contains a vulnerability which could allow a remote attacker to gain illegal access. Impact A remote attacker could freely manipulate a web log by posting or deleting blog entries. Solution None...

CVSS 5 | AI score 7.1
Exploits: 0 | References: 2

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Vulnerability involving security zone handling in applications using Internet Explorer components

Overview Internet Explorer (IE) components apply different security levels for web content processing depending on the location zone of the web content. As a result, web content on the Internet is processed in the "Internet" zone with a higher security level than that set for web content in the...

CVSS 6.4 | AI score 7
Exploits: 0 | References: 5

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Hiki cross-site scripting vulnerability

Overview Hiki, a Wiki clone from the Hiki development team, contains a cross-site scripting vulnerability. Impact A remote attacker could create a content containing attacking code and take over a session by stealing the session ID of the user who logged into the system. If the user logged into t...

CVSS 4.3 | AI score 6.1 | EPSS 0.00346
Exploits: 0 | References: 5

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•9 views

WirelessIP5000 has multiple vulnerabilities

Overview WirelessIP5000, a wireless IP phone from Hitachi Cable, contains multiple vulnerabilities; - Illegal access using the port TCP3390 - SNMP access using an arbitrary community name - Access to the HTTP server by an unauthorized user in the factory default configuration - The HTTP server...

CVSS 7.5 | AI score 7 | EPSS 0.00074
Exploits: 0 | References: 4

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Cross-site scripting vulnerability in the Unicode version of msearch

Overview The Unicode version of msearch, a full text search engine for websites, contains a cross-site scripting vulnerability. This problem is caused by a function added to the Unicode version of msearch. Impact A malicious script may be executed on the user's web browser. Solution None...

CVSS 4.3 | AI score 6.2 | EPSS 0.00297
Exploits: 0 | References: 4

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

XOOPS cross-site scripting vulnerability

Overview XOOPS is an open source web content management system implemented in PHP. XOOPS itself and its forum modules have multiple vulnerabilities in validating private messages and forum articles. Impact A remote attacker may upload a script to be executed by a user reading a private message or...

CVSS 4.3 | AI score 7.1 | EPSS 0.01296
Exploits: 0 | References: 6

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•3 views

DeleGate Multiple Buffer Overflow Vulnerabilities

Overview DeleGate suffers buffer overflow when scanf, strncpy and other string handling process are set to fail with a long string sent by proxy. Impact An attacker could execute arbitrary code with the privileges of the user running DeleGate. Solution Please refer to the 'Vendor Information'...

CVSS 7.5 | AI score 7.9 | EPSS 0.00896
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Shuriken Pro3 S/MIME signature verification does not verify the From address

Overview Shuriken Pro3 contains a vulnerability in the S/MIME signature verification where the From address is not verified properly. Impact A user cannot notice a forged message when it is signed with a proper digital signature and the From address is forged, because the software does not alert...

CVSS 5 | AI score 6.8
Exploits: 0 | References: 2

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

w3m Vulnerability of Unauthorized Access to Files or Cookies

Overview w3m fails to properly escape HTML tags in the ALT attribute of an IMG tag, which could allow an attacker to access files or cookies. Impact A remote attacker could access files and cookies. Solution Please refer to the 'Vendor Information' section for official remediation and take...

CVSS 5 | AI score 6.5 | EPSS 0.01658
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•0 views

McAfee VirusScan Engine buffer overflow vulnerability

Overview McAfee VirusScan Engine contains a buffer overflow vulnerability. Impact A buffer overflow may occur when scanning a malformed LHA file. Solution None...

CVSS 7.5 | AI score 7.3 | EPSS 0.23203
Exploits: 1 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Inappropriate interpretation of mailto URL scheme by mail client software

Overview The mailto URL scheme is used to designate the Internet email address on a web page. Specifying an email address and body text using the mailto URL scheme gives a template for a mail message. Many mail clients have a function to set a field specified by the mailto URL scheme in a mail...

CVSS 4.3 | AI score 6.7
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

QRcode Perl CGI & PHP script vulnerable to denial of service attack

Overview QRcode Perl CGI & PHP script, a QR code image generation tool, contains a vulnerability that may cause excessive consumption of server resources. Upon a specific request, resources of a server could be excessively consumed until the server becomes unable to respond to requests from...

CVSS 5 | AI score 7
Exploits: 0 | References: 3

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Pochy denial-of-service (DoS) vulnerability

Overview Pochy, email client software operating in the Microsoft Windows environment, contains a vulnerability that may cause the processing to stop while the CPU load is high and a denial-of-service (DoS) after receiving a specific string. Impact A remote attacker could exploit this vulnerability ...

CVSS 5 | AI score 6.7
Exploits: 0 | References: 3

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Hyper Estraier directory traversal/denial of service vulnerability

Overview Hyper Estraier, a full text search system, contains a vulnerability in the process of creating index files. Impact If a remote attacker sends a specially crafted file and a user saves it in a search target directory, the attacker could register a file not to be searched in an index when...

CVSS 5 | AI score 6.8 | EPSS 0.00483
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Multiple vulnerabilities in FreeStyleWiki including cross-site scripting

Overview FreeStyleWiki contains a cross-site scripting vulnerability and a cross-site request forgery vulnerability. The cross-site scripting vulnerability could allow a remote attacker to create a web page containing a malicious script. The cross-site request forgery vulnerability could allow a remote...

CVSS 5 | AI score 6.5
Exploits: 0 | References: 2

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

LHa Buffer Overflow Vulnerability in Testing and Extracting Process

Overview LHa for UNIX does not handle the header length information properly when testing or extracting an archive, which could lead to buffer overflow. Impact An attacker could execute arbitrary code with the privilege of the user running LHa. Solution Please refer to the 'Vendor Information'...

CVSS 10 | AI score 7.5 | EPSS 0.08482
Exploits: 3 | References: 14

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Toshiba HDD & DVD video recorders can be accessed without authentication

Overview Toshiba HDD & DVD video recorders can be accessed without authentication. Impact The user cannot notice a forged email signed by a malicious certificate. Solution None...

CVSS 5 | AI score 6.8
Exploits: 0 | References: 2

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Meneame cross-site scripting vulnerability

Overview Meneame, an open source social bookmark system, contains a cross-site scripting vulnerability. Meneame, an open-source web application to build social bookmark systems, contains a cross-site scripting vulnerability, as it does not properly handle output data. Impact A remote attacker cou...

CVSS 4.3 | AI score 6.4 | EPSS 0.00507
Exploits: 0 | References: 6

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

sHTTPd cross-site scripting vulnerability

Overview sHTTPd, from Uchu Ninja Neko-dan, contains a cross-site scripting vulnerability. sHTTPd from Uchu Ninja Neko-dan is a web server for Windows. sHTTPd contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the...

CVSS 4.3 | AI score 6.3 | EPSS 0.00507
Exploits: 0 | References: 9

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•3 views

WebCart cross-site scripting vulnerability

Overview WebCart, provided by CGI's, contains a cross-site scripting vulnerability. WebCart provided by CGI's is shopping cart software. WebCart's management interface contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution...

CVSS 6.4 | AI score 6.2 | EPSS 0.00507
Exploits: 0 | References: 9

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•3 views

Fingerprint Authentication Software for Sony Pocket Bit installs hidden folders and files

Overview Fingerprint Authentication Software for Sony Pocket Bit installs hidden folders and files, that is, the folders and files are not visible using ordinary system tools. Some models of Sony Pocket Bit series contain Fingerprint Authentication Software. Fingerprint Authentication Software...

CVSS 6.8 | AI score 6.6 | EPSS 0.00828
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

TPBroker Denial of Service Vulnerability

Overview TPBroker Object Transaction Monitor and Cosminexus TPBroker Object Transaction Monitor terminate abnormally when the TSC Domain Manager receives invalid messages. Impact An attacker could cause a Denial of Service (DoS) condition. Solution Please refer to the 'Vendor Information' section f...

CVSS 5 | AI score 6.7 | EPSS 0.00602
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•3 views

Cosminexus Agent Process Crash Vulnerability

Overview Cosminexus Agent process may crash when Cosminexus Agent receives specially crafted data from a process other than Cosminexus Manager. The crash doesn't affect the running applications launched by Cosminexus Agent. Impact An attacker could crash Cosminexus Agent process. Solution Please...

CVSS 5 | AI score 6.7 | EPSS 0.00724
Exploits: 0 | References: 9

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Hitachi Web Server SSL Client Authentication Vulnerability

Overview Hitachi Web Server accepts an SSL certificate sent by a client trying to connect to the Server even if the certificate is fraudulent. The vulnerability does not affect the product if the SSL authentication client feature is disabled. Impact An attacker could gain access with a fraudulent...

CVSS 5 | AI score 7.6 | EPSS 0.04479
Exploits: 1 | References: 9

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

RoundCube Webmail cross-site request forgery vulnerability

Overview RoundCube Webmail from the RoundCube Project contains a cross-site request forgery vulnerability. RoundCube Webmail is an open source webmail client from the RoundCube Project. RoundCube Webmail contains a cross-site request forgery vulnerability that may allow disclosure of information...

CVSS 2.6 | AI score 6.4
Exploits: 0 | References: 4

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

FileMaker cross-site scripting vulnerability

Overview FileMaker from FileMaker, Inc. contains a cross-site scripting vulnerability. FileMaker is database software from FileMaker, Inc. FileMaker contains a cross-site scripting vulnerability in its "Instant Web Publishing" function that enables users to publish database contents on the web...

CVSS 4.3 | AI score 6.2 | EPSS 0.00508
Exploits: 0 | References: 10

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

JP1/Cm2/Network Node Manager vulnerable to cross-site scripting

Overview Hitachi JP1/Cm2/Network Node Manager (NNM) is vulnerable to cross-site scripting. Hitachi JP1/Cm2/Network Node Manager (NNM) is software that helps a network administrator manage network configurations, faults, and other elements. Hitachi NNM is vulnerable to cross-site scripting. Impact An...

CVSS 4.3 | AI score 6.5
Exploits: 0 | References: 2

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Google Web Toolkit vulnerable to cross-site scripting

Overview Google Web Toolkit (GWT) is vulnerable to cross-site scripting. Google Web Toolkit (GWT) is an open source software development framework that allows web developers to create Ajax applications in Java. The benchmark reporting system in GWT is vulnerable to cross-site scripting. Impact An...

CVSS 4.3 | AI score 6.5 | EPSS 0.00357
Exploits: 0 | References: 10

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

JP1/Cm2/Network Node Manager Arbitrary Code Execution Vulnerability

Overview Shared Trace Service in JP1/Cm2/Network Node Manager (NNM) is vulnerable to arbitrary code execution. Impact An attacker could execute arbitrary code. Solution Please refer to the 'Vendor Information' section for the vendor recommended workaround...

CVSS 6.8 | AI score 8 | EPSS 0.02882
Exploits: 0 | References: 8

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Cosminexus Component Container Session Handling Vulnerability

Overview The session failover function in Cosminexus Component Container may fail to handle session information properly and allow one user's session data to be used as another user's session data. Impact A remote attacker could gain unauthorized access to other users' session and obtain sensitiv...

CVSS 4.9 | AI score 6.6 | EPSS 0.00404
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Multiple email clients vulnerable to directory traversal due to inappropriate unicode handling

Overview Some email clients contain a vulnerability when handling an attached file with a file name using unicode. This may result in a directory traversal attack or displaying a file name differently from the actual file name. Impact Actual impact could differ depending on the email clients thoug...

CVSS 5 | AI score 7
Exploits: 0 | References: 4

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

CGI RESCUE WebFORM allows unauthorized email transmission

Overview WebFORM from CGI RESCUE is software which delivers the HTML form inputs via email. WebFORM fails to check the mail headers properly, allowing a remote attacker to send email to arbitrary addresses. According to the vendor's information, FORM2MAIL also contains a similar vulnerability, an...

CVSS 5 | AI score 6.8 | EPSS 0.00596
Exploits: 0 | References: 9

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

SugarCRM cross-site scripting vulnerability

Overview SugarCRM, an open source CRM (Customer Relationship Management) package, contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. In addition, if session information from a cookie is leaked, an attacker could possibly conduct...

CVSS 2.6 | AI score 6.2
Exploits: 0 | References: 4

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Kmail CGI authentication bypass vulnerability

Overview Kmail CGI is a web mail system for cellular phones. Kmail CGI contains a user authentication bypass vulnerability. Impact A remote attacker may bypass Kmail CGI's user authentication, and view or delete the emails of Kmail users. Solution None...

CVSS 7.5 | AI score 7.1 | EPSS 0.00644
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

desknet's buffer overflow vulnerability

Overview desknet's, web-based groupware, contains a buffer overflow vulnerability. Impact A remote attacker could execute an arbitrary command or code, or cause the DoS (denial of service) condition. Solution None...

CVSS 7.5 | AI score 7.8 | EPSS 0.05191
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Ruby cgi.rb Denial of Service Vulnerability

Overview The cgi.rb class in Ruby cannot handle HTTP requests with MIME multipart data set with an invalid boundary, which could trigger an infinite loop and result in consuming a large amount of CPU resources. Impact An attacker could cause a Denial of Service (DoS) on the Web services using cgi.rb...

CVSS 5 | AI score 7.3 | EPSS 0.13647
Exploits: 1 | References: 10

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Kahua vulnerable in allowing to share login sessions

Overview Kahua is an open source application development and runtime environment server. Kahua contains a vulnerability which allows the sharing of sessions among multiple applications which are referring to different user databases. Impact A remote attacker could possibly take over the user...

CVSS 7.5 | AI score 6.9 | EPSS 0.01414
Exploits: 0 | References: 7

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•1 views

Multiple I-O DATA DEVICE wireless LAN routers default configuration does not set authentication

Overview The web administration interface for the WN-APG/R-Series and WN-WAPG/R-Series wireless LAN routers from I-O DATA DEVICE disables authentication in the default configuration. The authentication for the web administration interface for the WN-APG/R-Series and WN-WAPG/R-Series wireless LAN...

CVSS 7.5 | AI score 7
Exploits: 0 | References: 3

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

Sun Java Runtime Environment (JRE) contains a vulnerability in processing XSLT transformations

Overview The Sun Microsystems Java Runtime Environment (JRE) contains a vulnerability that could allow privilege escalation in the processing of XSLT transformations. The Sun Microsystems Java Runtime Environment (JRE) contains a vulnerability that could allow a remote attacker to elevate its...

CVSS 6.8 | AI score 7.5 | EPSS 0.21616
Exploits: 0 | References: 28

Japan Vulnerability Notes
•added 2008/05/20 3:0 p.m.•2 views

PerlMailer cross-site scripting vulnerability

Overview PerlMailer is a mail form CGI provided by "Homepage Decorator". A cross-site scripting vulnerability exists in PerlMailer. PerlMailer is a mail form CGI provided by "Homepage Decorator". It is used to send mail from a form on a web page. A cross-site scripting vulnerability exists in...

CVSS 4.3 | AI score 6 | EPSS 0.00475
Exploits: 0 | References: 7

Total number of security vulnerabilities: 5609