5625 matches found
Multiple vulnerabilities in UTAU
Overview UTAU provided by ameya/ayame contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2024-28886 Path Traversal CWE-22 - CVE-2024-32944 Yu Ishibashi reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
OMRON NJ/NX series vulnerable to insufficient verification of data authenticity
Overview Machine Automation Controller NJ/NX series provided by OMRON Corporation contain an issue with insufficient verification of data authenticity CWE-345. OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If a user program in the...
JVN#17680667: Multiple vulnerabilities in Unifier and Unifier Cast
Unifier and Unifier Cast provided by Yokogawa Rental & Lease Corporation contains multiple vulnerabilities listed below. Incorrect Default Permissions configured by Cast Launcher CWE-276 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 7.8 CVE-2024-23847 Missing Authorization for coejobhoo...
JVN#71404925: Multiple vulnerabilities in UTAU
UTAU provided by ameya/ayame contains multiple vulnerabilities listed below. OS command injection CWE-78 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Base Score 5.3 CVE-2024-28886 Path Traversal CWE-22 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 3.3 CVE-2024-32944 Impact If a user of...
Splunk Config Explorer vulnerable to cross-site scripting
Overview Splunk Config Explorer provided by Chris Younger contains a reflected cross-site scripting vulnerability CWE-79. Taihei Shimamine of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
WordPress Plugin "WP Booking" vulnerable to cross-site scripting
Overview WordPress Plugin "WP Booking" provided by aviplugins.com contains a stored cross-site scripting vulnerability CWE-79. Daiki Sato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#56781258: Splunk Config Explorer vulnerable to cross-site scripting
Splunk Config Explorer provided by Chris Younger contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is using the product. Solution Update the software Update the software to the latest version according to...
JVN#35838128: WordPress Plugin "WP Booking" vulnerable to cross-site scripting
WordPress Plugin "WP Booking" provided by aviplugins.com contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the web site using the product. Solution Update the plugin Update the plugin to the late...
Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Overview Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Kenichiro Ito of TDU Cryptography Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securi...
JVN#29471697: Android App "TP-Link Tether" and "TP-Link Tapo" vulnerable to improper server certificate verification
Android App "TP-Link Tether" and "TP-Link Tapo" provided by TP-LINK GLOBAL INC. are vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the...
Panasonic KW Watcher vulnerable to memory buffer error
Overview KW Watcher provided by Panasonic contains a vulnerability due to improper restriction of operations within the bounds of a memory buffer CWE-119, CVE-2024-4162. Michael Heinzl reported this vulnerability to Panasonic and coordinated. After the coordination was completed, Panasonic report...
Ruijie BCR810W/BCR860 vulnerable to OS command injection
Overview Network router BCR810W/BCR860 provided by Ruijie Networks Co., Ltd. contains an OS command injection vulnerability CVE-2023-3608, CWE-78. Note that this vulnerability can only be exploited when the BCOS port of the product is connected to the Internet. JPCERT/CC has confirmed attacks...
WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
Overview WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability CWE-22. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to WPFactory LLC and coordinated. After the coordination was completed, th...
Multiple vulnerabilities in Field Logic DataCube
Overview DataCube provided by Field Logic Inc. contains multiple vulnerabilities listed below. Direct Request 'Forced Browsing' CWE-425 - CVE-2024-25830 Reflected cross-site scripting CWE-79 - CVE-2024-25831 Unrestricted upload of file with dangerous type CWE-434 - CVE-2024-25832 SQL injection...
JVN#85380030: WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal
WordPress Plugin "Download Plugins and Themes from Dashboard" provided by WPFactory LLC contains a path traversal vulnerability CWE-22. Impact The user with "switchthemes" privilege may obtain arbitrary files on the server. Solution Update the plugin Update the plugin to the latest version...
Central Dogma vulnerable to cross-site scripting
Overview Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability CWE-79, CVE-2024-1143 because RelayState data is not properly treated when Central Dogma processes SAML messages. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-3167 Improper handling of data in Mail CWE-231 - CVE-2024-31397 CyVDB-3221 Improper restriction on the output of some API CWE-201 - CVE-2024-31398 CyVDB-3238 Excessive resource consumption in Mai...
JVN#28869536: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Improper handling of data in Mail CWE-231 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Base Score 4.9 CVE-2024-31397 CyVDB-3167 Improper restriction on the output of some API CWE-201...
"OfferBox" App uses a hard-coded secret key
Overview "OfferBox" App provided by i-plug inc. uses a hard-coded secret key for JWT CWE-321. Yuta Yamate of Rakuten Group, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact The hard-coded secret key for...
Hidden Functionality vulnerability in DT900
Overview DT900 contains a Hidden Functionality vulnerabilityCWE-912. Specified versions allow an attacker to access the system setting. reported by Mr. Gianluca Altomani and Mr. Manuel Romei. for NEC-PSIRT Impact Regarding the impact of the vulnerability, please refer to the vendor advisory...
Phormer vulnerable to cross-site scripting
Overview Phormer contains a cross-site scripting vulnerability CWE-79. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on t...
JVN#61054671: Phormer vulnerable to cross-site scripting
Phormer contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Phormer version 3.35 was released...
JVN#83405304: "OfferBox" App uses a hard-coded secret key
"OfferBox" App provided by i-plug inc. uses a hard-coded secret key for JWT CWE-321. Impact The hard-coded secret key for JWT may be retrieved if the application binary is reverse-engineered. Solution The hard-coded secret key has been revoked by the developer on May 8, 2024 therefore this...
Multiple vulnerabilities in MosP kintai kanri
Overview MosP kintai kanri provided by esMind, LLC contains multiple vulnerabilities listed below. Path Traversal CWE-22 - CVE-2024-28880 Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2024-29078 Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities...
JVN#97751842: Multiple vulnerabilities in MosP kintai kanri
MosP kintai kanri provided by esMind, LLC contains multiple vulnerabilities listed below. Path Traversal CWE-22 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Base Score 6.5 CVE-2024-28880 Incorrect Permission Assignment for Critical Resource CWE-732 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Bas...
WordPress Plugin "Heateor Social Login WordPress" vulnerable to cross-site scripting
Overview WordPress Plugin "Heateor Social Login WordPress" provided by Heateor contains a stored cross-site scripting vulnerability CWE-79. Daiki Sato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Trend Micro Maximum Security vulnerable to improper link resolution (CVE-2024-32849)
Overview Trend Micro Incorporated has released a security update for Trend Micro Maximum Security, fixing an improper link resolution vulnerabilityCWE-59, CVE-2024-32849. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact Trend...
JVN#87694318: WordPress Plugin "Heateor Social Login WordPress" vulnerable to cross-site scripting
WordPress Plugin "Heateor Social Login WordPress" provided by Heateor contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the website using the product. Solution Update the plugin Update the plugin to...
NETGEAR routers vulnerable to buffer overflow
Overview Multiple routers provided by NETGEAR Inc. contain a buffer overflow vulnerability CWE-121, CVE-2023-27368. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An unauthenticated attacker may bypass authentication for th...
Multiple vulnerabilities in RoamWiFi R10
Overview RoamWiFi R10 provided by RoamWiFi Technology Co., Ltd. contains multiple vulnerabilities listed below. Active debug code CWE-489 - CVE-2024-31406 Insertion of sensitive information into log file CWE-532 - CVE-2024-32051 Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities...
Multiple vulnerabilities in OMRON Sysmac Studio/CX-One and CX-Programmer
Overview OMRON Sysmac Studio/CX-One and CX-Programmer contain multiple vulnerabilities listed below. Out-of-bounds read CWE-125 - CVE-2024-31412 Free of pointer not at start of buffer CWE-761 - CVE-2024-31413 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with t...
JVN#62737544: Multiple vulnerabilities in RoamWiFi R10
RoamWiFi R10 provided by RoamWiFi Technology Co., Ltd. contains multiple vulnerabilities listed below. Active debug code CWE-489 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 8.8 CVE-2024-31406 Insertion of sensitive information into log file CWE-532...
TvRock vulnerable to cross-site request forgery
Overview TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site request forgery vulnerability CWE-352. During the meeting of Committee for authorizing the disclosure of unresolved...
TvRock vulnerable to denial-of-service (DoS)
Overview TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a denial-of-service DoS vulnerability CWE-400. During the meeting of Committee for authorizing the disclosure of unresolved...
JVN#40079147: TvRock vulnerable to denial-of-service (DoS)
TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a denial-of-service DoS vulnerability CWE-400. Impact Receiving a specially crafted request by a remote attacker or having a user of TVRock cli...
JVN#24683352: TvRock vulnerable to cross-site request forgery
TvRock provided by TvRock according to the original report submitted by the reporter is a tool to set a timer recording for a TV program. TvRock contains a cross-site request forgery vulnerability CWE-352. Impact If a logged-in user of TVRock accesses a specially crafted page, unintended operatio...
Armeria-saml improperly handles SAML messages
Overview Armeria-saml provided by LY Corporation contains an issue in handling SAML messages CWE-304, CVE-2024-1735. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact Authentication may be bypassed by receiving a specially crafted SAML...
LINE client for iOS vulnerable to improper server certificate verification
Overview The financial module within LINE client for iOS lacks server certificate verification in log transmission CWE-295, CVE-2023-5554. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact The communication may be eavesdropped under a...
Multiple vulnerabilities in WordPress Plugin "Forminator"
Overview WordPress Plugin "Forminator" provided by WPMU DEV contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 SQL injection CWE-89 Cross-site scripting CWE-79 hibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA...
JVN#50132400: Multiple vulnerabilities in WordPress Plugin "Forminator"
WordPress Plugin "Forminator" provided by WPMU DEV contains multiple vulnerabilities listed below. Unrestricted upload of file with dangerous type CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8 CVE-2024-28890 SQL injection CWE-89 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H...
Proscend Communications M330-W and M330-W5 vulnerable to OS command injection
Overview M330-W and M330-W5 provided by Proscend Communications Inc. are LTE Industrial Cellular Routers. M330-W and M330-W5 contain an OS command injection vulnerability CWE-78. CYNEX Analysis Team of National Institute of Information and Communications Technology reported this vulnerability to...
JVN#23835228: Proscend Communications M330-W and M330-W5 vulnerable to OS command injection
M330-W and M330-W5 provided by Proscend Communications Inc. are LTE Industrial Cellular Routers. M330-W and M330-W5 contain an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed by an attacker who has access to the product. Solution Update the firmware The...
Multiple vulnerabilities in BUFFALO wireless LAN routers
Overview Multiple wireless LAN routers provided by BUFFALO INC. contain multiple vulnerabilities listed below. Plaintext storage of a password CWE-256 OS Command Injection CWE-78 Satoru Nagaoka of Cyber Defense Institute, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the...
JVN#58236836: Multiple vulnerabilities in BUFFALO wireless LAN routers
Multiple wireless LAN routers provided by BUFFALO INC. contain multiple vulnerabilities listed below. Plaintext storage of a password CWE-256 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 6.5 CVE-2024-23486 OS Command Injection CWE-78 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in Entry editing pages CWE-79 - CVE-2024-30419 Server-side request forgery CWE-918 - CVE-2024-30420 Directory traversal CWE-22 - CVE-2024-31394 Stored cross-site...
JVN#70977403: Multiple vulnerabilities in a-blog cms
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in Entry editing pages CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 CVE-2024-30419 Server-side request forgery CWE-918...
Multiple vulnerabilities in WordPress Plugin "Ninja Forms"
Overview WordPress Plugin "Ninja Forms" provided by Saturday Drive contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2024-25572 Stored cross-site scripting in submit processing CWE-79 - CVE-2024-26019 Stored cross-site scripting in custom fields for labels...
JVN#50361500: Multiple vulnerabilities in WordPress Plugin "Ninja Forms"
WordPress Plugin "Ninja Forms" provided by Saturday Drive contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3 CVE-2024-25572 Stored cross-site scripting in submit processing CWE-79...
Multiple vulnerabilities in Cente middleware
Overview Some products in Cente middleware TCP/IP Network Series developed by DMG MORI Digital Co., LTD. and provided by NEXT Co., Ltd. contain multiple vulnerabilities listed below. Out-of-bounds Read caused by improper checking of the option length values in IPv6 NDP packets CWE-125 Out-of-boun...
Multiple vulnerabilities in NEC Aterm series
Overview Aterm series provided by NEC Corporation contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2024-28005 Exposure of Sensitive System Information to an Unauthorized Control Sphere CWE-497 - CVE-2024-28006 Incorrect Permission...