5596 matches found
JVN#13113728: "EasyRange" may insecurely load executable files
"EasyRange", provided by sira.jp according to the original report submitted by the reporter, is a tool to extract compressed files. "EasyRange" contains an issue with the executable file search path when displaying an extracted file on Explorer, which may lead to loading an executable file that resides ...
Sangoma Technologies CG/MG family driver cg6kwin2k.sys vulnerable to insufficient access control on its IOCTL
Overview CG/MG family driver cg6kwin2k.sys provided by Sangoma Technologies is vulnerable to insufficient access control on its IOCTL CWE-782. Takahiro Haruyama of Broadcom Carbon Black reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact By sending a specifi...
Multiple vulnerabilities in FitNesse
Overview FitNesse contains multiple vulnerabilities listed below. Multiple cross-site scripting CWE-79 - CVE-2024-23604, CVE-2024-28128 Improper restriction of XML external entity references CWE-611 - CVE-2024-28039 OS command injection CWE-78 - CVE-2024-28125 CVE-2024-23604, CVE-2024-28039,...
JVN#94521208: Multiple vulnerabilities in FitNesse
FitNesse contains multiple vulnerabilities listed below. Multiple cross-site scripting CWE-79 - CVE-2024-23604, CVE-2024-28128

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1
CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3

Improper...
"ABEMA" App for Android fails to restrict access permissions
Overview "ABEMA" App for Android provided by AbemaTV, Inc. fails to restrict access permissions CWE-926 that allows another app installed on the user's device to access an arbitrary URL on "ABEMA" App via Intent. Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/...
JVN#70640802: "ABEMA" App for Android fails to restrict access permissions
"ABEMA" App for Android provided by AbemaTV, Inc. fails to restrict access permissions CWE-926 that allows another app installed on the user's device to access an arbitrary URL on "ABEMA" App via Intent. Impact An arbitrary website may be displayed on the app, and as a result, the user may become...
Information Exposure Vulnerability in Cosminexus Component Container
Overview An information exposure vulnerability CVE-2023-6814 exists in Cosminexus Component Container. Affected products and versions are listed below. Please upgrade your version to the appropriate version. This vulnerability exists in Cosminexus Component Container, which is a component produc...
a-blog cms vulnerable to directory traversal
Overview a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a directory traversal vulnerability CWE-22. Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securi...
OMRON NJ/NX series vulnerable to path traversal
Overview Machine Automation Controller NJ/NX series provided by OMRON Corporation contain a path traversal vulnerability CWE-22, CVE-2024-27121. OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact An arbitrary file in the affected product...
JVN#48443978: a-blog cms vulnerable to directory traversal
a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a directory traversal vulnerability CWE-22. Impact A user with editor or higher privilege who can log in to the product may obtain arbitrary files on the server including password files. Solution Update t...
Multiple vulnerabilities in SKYSEA Client View
Overview SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains multiple vulnerabilities listed below. Improper access control in the specific folder CWE-276 - CVE-2024-21805 Improper access control in the resident process CWE-749 -...
JVN#54451757: Multiple vulnerabilities in SKYSEA Client View
SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains multiple vulnerabilities listed below. Improper access control in the specific folder CWE-276 - CVE-2024-21805

Version | Vector | Score
---|---|---
CVSS v3 | ... |
FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
Overview Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability CWE-352. Junnosuke Kushibiki, Ryu Kuki, Masataka Mizokuchi, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA...
Multiple vulnerabilities in printers and scanners which implement BROTHER Web Based Management
Overview Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2024-21824 Cross-Site Request Forgery CWE-352 - CVE-2024-22475 Hiroki Yasui, Yudai Morii, Takaya...
Toyoko Inn official App vulnerable to improper server certificate verification
Overview Toyoko Inn official App provided by Toyoko Inn IT Solution Co., Ltd. is vulnerable to improper server certificate verification CWE-295. Ryo Nihonyanagi of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
JVN#52919306: Toyoko Inn official App vulnerable to improper server certificate verification
Toyoko Inn official App provided by Toyoko Inn IT Solution Co., Ltd. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update the application to the...
JVN#34328023: FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logging in, the user information may be altered. In the case the user is an administrator, the settings such as the...
JVN#82749078: Multiple vulnerabilities in printers and scanners which implement BROTHER Web Based Management
Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2024-21824

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | Base...
Protection mechanism failure in RevoWorks
Overview RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client's local environment. In the products, file exchange between the sandboxed environment and local environment is prohibite...
OET-213H-BTS1 missing authorization check in the initial configuration
Overview OET-213H-BTS1 is a digital temperature measurement and face recognition terminal, developed by Zhejiang Uniview Technologies Co.,Ltd and provided by Atsumi Electric Co., Ltd. The initial configuration of the product is insecure (CWE-1188): it does not perform an authorization check when...
OpenPNE plugin "opTimelinePlugin" vulnerable to cross-site scripting
Overview OpenPNE plugin "opTimelinePlugin" provided by OpenPNE Project contains a stored cross-site scripting vulnerability CWE-79 in the Edit Profile page. Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#78084105: OpenPNE plugin "opTimelinePlugin" vulnerable to cross-site scripting
OpenPNE plugin "opTimelinePlugin" provided by OpenPNE Project contains a stored cross-site scripting vulnerability CWE-79 in the Edit Profile page. Impact On the site which uses the affected product, when a user configures the profile with some malicious contents, an arbitrary script may be executed ...
JVN#35928117: Protection mechanism failure in RevoWorks
RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client's local environment. In the products, file exchange between the sandboxed environment and local environment is prohibited in...
JVN#77203800: OET-213H-BTS1 missing authorization check in the initial configuration
OET-213H-BTS1 is a digital temperature measurement and face recognition terminal, developed by Zhejiang Uniview Technologies Co.,Ltd and provided by Atsumi Electric Co., Ltd. The initial configuration of the product is insecure (CWE-1188): it does not perform an authorization check when processing...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Reflected cross-site scripting vulnerability in Site search Feature CWE-79 - CVE-2023-44379 Stored cross-site scripting vulnerability in Content Management CWE-79 - CVE-2024-26128 OS command...
JVN#73283159: Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Reflected cross-site scripting vulnerability in Site search Feature CWE-79 - CVE-2023-44379

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1

CVSS...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Multiple wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a logged-in user with an administrative privilege sends a...
EL Injection Vulnerability in Hitachi Global Link Manager
Overview An EL Injection Vulnerability CVE-2024-0715 exists in Hitachi Global Link Manager. Affected products and versions are listed below. Please upgrade your version to the appropriate version. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Plea...
Multiple vulnerabilities in ELECOM wireless LAN routers and wireless LAN repeater
Overview Multiple wireless LAN routers and wireless LAN repeater provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2024-21798 Cross-Site Request Forgery CWE-352 - CVE-2024-23910 CVE-2024-21798 Yamaguchi Kakeru of Fujitsu Limited reported...
JVN#44166658: Multiple vulnerabilities in ELECOM wireless LAN routers and wireless LAN repeater
Multiple wireless LAN routers and wireless LAN repeater provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2024-21798

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.8
CVSS v2 | ... |
Android App "Mopria Print Service" vulnerable to improper intent handling
Overview Android app "Mopria Print Service" provided by Mopria Alliance is vulnerable to improper intent handling CWE-668. Johan Francsics reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact When a malicious app is installed on the victim user's Android...
a-blog cms vulnerable to URL spoofing
Overview a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a URL spoofing vulnerability CWE-451. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
JVN#48966481: a-blog cms vulnerable to URL spoofing
a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a URL spoofing vulnerability CWE-451. Impact If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the...
Multiple out-of-bounds write vulnerabilities in Canon Office/Small Office Multifunction Printers and Laser Printers
Overview Office/Small Office Multifunction Printers and Laser Printers provided by Canon Inc. contain multiple out-of-bounds write vulnerabilities CWE-787, CVE-2023-6229, CVE-2023-6230, CVE-2023-6231, CVE-2023-6232, CVE-2023-6233, CVE-2023-6234, CVE-2024-0244. Canon Inc. reported these...
Sharp NEC Display Solutions' public displays vulnerable to local file inclusion
Overview Multiple public displays provided by Sharp NEC Display Solutions, Ltd. contain a local file inclusion vulnerability CWE-22, CVE-2023-7077. Tunahan TEKEOĞLU, Senior Cyber Security Consultant, reported this vulnerability to Sharp NEC Display Solutions, Ltd. and coordinated with them. Sharp NEC...
Zeroshell vulnerable to OS command injection
Overview The web interface of Zeroshell, a Linux distribution provided by Zeroshell.org, contains an OS command injection vulnerability CWE-78. Hirukawa Norihiko of MYT Consulting Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#44033918: Zeroshell vulnerable to OS command injection
The web interface of Zeroshell, a Linux distribution provided by Zeroshell.org, contains an OS command injection vulnerability CWE-78. Impact Processing a crafted HTTP request may lead to an arbitrary OS command execution. Solution Stop using the product The developer states that the affected produ...
Multiple buffer overflow vulnerabilities in HOME SPOT CUBE2
Overview HOME SPOT CUBE2 provided by KDDI CORPORATION contains multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2024-21780 Heap-based buffer overflow CWE-122 - CVE-2024-23978 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC...
Incorrect permission assignment vulnerability in Trend Micro uiAirSupport
Overview Trend Micro Incorporated has released a security update for Trend Micro uiAirSupport. Proof-of-concept code (PoC) for this vulnerability is available on the Internet. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact The...
Cybozu KUNAI for Android vulnerable to denial-of-service (DoS)
Overview Cybozu KUNAI for Android is a client application for using Cybozu products from an Android device. Cybozu KUNAI for Android contains an issue that allows a massive number of requests to be sent to the connected Cybozu product if a user performs certain operations on KUNAI, which may result in repeated...
JVN#18743512: Cybozu KUNAI for Android vulnerable to denial-of-service (DoS)
Cybozu KUNAI for Android is a client application for using Cybozu products from an Android device. Cybozu KUNAI for Android contains an issue that allows a massive number of requests to be sent to the connected Cybozu product if a user performs certain operations on KUNAI, which may result in repeated session...
File and Directory Permissions Vulnerability in Hitachi Tuning Manager
Overview A File and Directory Permissions Vulnerability CVE-2023-6457 exists in Hitachi Tuning Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Group Office vulnerable to cross-site scripting
Overview Group Office provided by Intermesh BV contains a stored cross-site scripting vulnerability CWE-79. Yoichi Tsuzuki of FFRI Security, Inc. and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Payment EX vulnerable to information disclosure
Overview Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version...
JVN#63567545: Group Office vulnerable to cross-site scripting
Group Office provided by Intermesh BV contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product. Solution Update the Application Update the application to the latest version according to...
JVN#41129639: Payment EX vulnerable to information disclosure
Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version according ...
Multiple vulnerabilities in SHARP Energy Management Controller with Cloud Services
Overview Energy Management Controller with Cloud Services provided by SHARP CORPORATION contains multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2024-23783 Improper access control CWE-284 - CVE-2024-23784 Cross-site request forgery CWE-352 - CVE-2024-23785 Stored...
File and Directory Permissions Vulnerability in Hitachi Storage Plug-in for VMware vCenter
Overview A File and Directory Permissions Vulnerability exists in Hitachi Storage Plug-in for VMware vCenter. Affected products and versions are listed below. Please upgrade your version to the appropriate version. Impact Regarding the impact of the vulnerability, please refer to the vendor...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Multiple ELECOM wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a logged-in user with an administrative privilege...
Yamaha wireless LAN access point devices vulnerable to active debug code
Overview Active debug code CWE-489 exists in wireless LAN access point devices provided by Yamaha Corporation. The debug function can be enabled by performing specific operations. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer...