Multiple buffer overflow vulnerabilities in HOME SPOT CUBE2
Overview HOME SPOT CUBE2 provided by KDDI CORPORATION contains multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2024-21780 Heap-based buffer overflow CWE-122 - CVE-2024-23978 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC...
Incorrect permission assignment vulnerability in Trend Micro uiAirSupport
Overview Trend Micro Incorporated has released a security update for Trend Micro uiAirSupport. Proof-of-concept code PoC for this vulnerability is available on the Internet. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact The...
Cybozu KUNAI for Android vulnerable to denial-of-service (DoS)
Overview Cybozu KUNAI for Android is a client application for using Cybozu products from an Android device. Cybozu KUNAI for Android contains an issue that causes it to send a large number of requests to the connected Cybozu product when a user performs certain operations in KUNAI, which may result in repeated...
JVN#18743512: Cybozu KUNAI for Android vulnerable to denial-of-service (DoS)
Cybozu KUNAI for Android is a client application for using Cybozu products from an Android device. Cybozu KUNAI for Android contains an issue that causes it to send a large number of requests to the connected Cybozu product when a user performs certain operations in KUNAI, which may result in repeated session...
File and Directory Permissions Vulnerability in Hitachi Tuning Manager
Overview A File and Directory Permissions Vulnerability CVE-2023-6457 exists in Hitachi Tuning Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Group Office vulnerable to cross-site scripting
Overview Group Office provided by Intermesh BV contains a stored cross-site scripting vulnerability CWE-79. Yoichi Tsuzuki of FFRI Security, Inc. and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Payment EX vulnerable to information disclosure
Overview Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version...
JVN#41129639: Payment EX vulnerable to information disclosure
Payment EX provided by Simplesite contains an information disclosure vulnerability CWE-200. Impact A remote unauthenticated attacker may obtain the information of the user who purchases merchandise using Payment EX. Solution Update the Software Update the software to the latest version according ...
JVN#63567545: Group Office vulnerable to cross-site scripting
Group Office provided by Intermesh BV contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product. Solution Update the Application Update the application to the latest version according to...
Multiple vulnerabilities in SHARP Energy Management Controller with Cloud Services
Overview Energy Management Controller with Cloud Services provided by SHARP CORPORATION contains multiple vulnerabilities listed below. Improper authentication CWE-287 - CVE-2024-23783 Improper access control CWE-284 - CVE-2024-23784 Cross-site request forgery CWE-352 - CVE-2024-23785 Stored...
File and Directory Permissions Vulnerability in Hitachi Storage Plug-in for VMware vCenter
Overview A File and Directory Permissions Vulnerability exists in Hitachi Storage Plug-in for VMware vCenter. Affected products and versions are listed below. Please upgrade to the appropriate fixed version. Impact Regarding the impact of the vulnerability, please refer to the vendor...
ELECOM wireless LAN routers vulnerable to OS command injection
Overview Multiple ELECOM wireless LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a logged-in user with an administrative privilege...
Yamaha wireless LAN access point devices vulnerable to active debug code
Overview Active debug code CWE-489 exists in wireless LAN access point devices provided by Yamaha Corporation. The debug function can be enabled by performing specific operations. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer...
Oracle WebLogic Server vulnerable to HTTP header injection
Overview Oracle WebLogic Server provided by Oracle contains an HTTP header injection vulnerability CWE-113. Professional Service Department of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...
"Mercari" App for Android fails to restrict custom URL schemes properly
Overview "Mercari" App for Android by Mercari, Inc. provides a function that opens a requested URL via a custom URL scheme. The App does not properly restrict access to this function CWE-939, which may be exploited to direct the App to access arbitrary sites. Shiga Takuma of BroadBand Security Inc...
JVN#93541851: Oracle WebLogic Server vulnerable to HTTP header injection
Oracle WebLogic Server provided by Oracle contains an HTTP header injection vulnerability CWE-113. Impact This vulnerability could be exploited by a remote attacker to conduct a cross-site scripting attack, etc., and as a result, the displayed page may be altered or an arbitrary script may be...
JVN#70818619: "Mercari" App for Android fails to restrict custom URL schemes properly
"Mercari" App for Android by Mercari, Inc. provides a function that opens a requested URL via a custom URL scheme. The App does not properly restrict access to this function CWE-939, which may be exploited to direct the App to access arbitrary sites. Impact A remote attacker may lead a user to access an...
Improper restriction of XML external entity references (XXE) in MLIT "Electronic Delivery Check System" and "Electronic delivery item Inspection Support System"
Overview "Electronic Delivery Check System" and "Electronic delivery item Inspection Support System" provided by Ministry of Land, Infrastructure, Transport and Tourism, Japan improperly restricts XML external entity references XXE CWE-611. Toyama Taku, Iwakawa Kento of NEC Corporation, and Manam...
Android App "Spoon" uses a hard-coded API key for an external service
Overview Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service CWE-798. Yoshihito Sakai of BroadBand Security, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Improper restriction of XML external entity references (XXE) in "Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version)"
Overview "Electronic Delivery Check System Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version" provided by Ministry of Agriculture, Forestry and Fisheries improperly restricts XML external entity references XXE CWE-611. Iwakawa Kento and Toyama...
Improper restriction of XML external entity references (XXE) in Electronic Deliverables Creation Support Tool provided by Ministry of Defense
Overview Electronic Deliverables Creation Support Tool provided by Ministry of Defense improperly restricts XML external entity references XXE CWE-611. Toyama Taku of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#77736613: Improper restriction of XML external entity references (XXE) in MLIT "Electronic Delivery Check System" and "Electronic delivery item Inspection Support System"
"Electronic Delivery Check System" and "Electronic delivery item Inspection Support System" provided by Ministry of Land, Infrastructure, Transport and Tourism, Japan improperly restricts XML external entity references XXE CWE-611. Impact Processing a specially crafted XML file may lead to exposu...
JVN#01434915: Improper restriction of XML external entity references (XXE) in "Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version)"
"Electronic Delivery Check System Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version" provided by Ministry of Agriculture, Forestry and Fisheries improperly restricts XML external entity references XXE CWE-611. Impact Processing a specially craft...
JVN#40049211: Improper restriction of XML external entity references (XXE) in Electronic Deliverables Creation Support Tool provided by Ministry of Defense
Electronic Deliverables Creation Support Tool provided by Ministry of Defense improperly restricts XML external entity references XXE CWE-611. Impact Processing a specially crafted XML file may lead to exposure of internal files on the system. Solution Update the Software Update the software to t...
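The three XXE entries above (MLIT, MAFF and Ministry of Defense) share one mechanism: the tool parses a submitted XML file with a parser that resolves external entities, so a DTD in that file can name a local path and have its contents spliced into the document. The following is an added example, not code from the advisories or from any of those tools. It uses only Python's standard library (xml.sax on top of expat, whose external-entity behaviour is real); the file name, its secret and the function names are constructed for the demo.

```python
# Added example, not code from the advisories or from the MLIT / MAFF / MoD
# tools: how an external entity (XXE, CWE-611) pulls a local file into the
# parsed text, and two ways to close it. Uses only the standard library
# (xml.sax on top of expat); the file name and its secret are constructed.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_xxe_payload(path: str) -> bytes:
    """The 'specially crafted XML file' the advisories describe: the DTD
    declares an external entity whose SYSTEM identifier is a local file, and
    the body references it so the file's bytes become element text."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE delivery [\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<delivery><item>&xxe;</item></delivery>\n"
    ).encode()


class _TextCollector(ContentHandler):
    """Gathers character data, like an application reading field values."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def extract_text(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with external general entity resolution on or off. When on,
    xml.sax opens the SYSTEM identifier and splices its content in place of
    &xxe;; when off (the default), the reference expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_untrusted(xml_bytes: bytes) -> str:
    """Hardened entry point. Untrusted deliverables never need a DTD, so any
    DOCTYPE or ENTITY declaration is refused before the parser sees it
    (defence in depth against an option being re-enabled elsewhere), and the
    parse itself runs with external resolution off."""
    upper = xml_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD and entity declarations are not accepted")
    return extract_text(xml_bytes, resolve_external=False)


def demo(secret: str = "secret-token-12345") -> dict:
    """Plant `secret` in a throwaway file and run the three scenarios."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "internal.txt")
        with open(path, "w", encoding="ascii") as f:
            f.write(secret)
        payload = build_xxe_payload(path)
        result = {
            "vulnerable": extract_text(payload, resolve_external=True),
            "resolution_off": extract_text(payload, resolve_external=False),
        }
        try:
            parse_untrusted(payload)
            result["hardened_rejected"] = False
        except ValueError:
            result["hardened_rejected"] = True
    result["benign"] = parse_untrusted(b"<delivery><item>hello</item></delivery>")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The "vulnerable" result contains the planted secret verbatim; the same payload parsed with resolution off yields an empty item, and the hardened entry point refuses the document before parsing. Rejecting the DTD outright is the check to keep even after fixing the parser option, because it does not depend on which XML library a later refactor picks.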
JVN#96154238: Android App "Spoon" uses a hard-coded API key for an external service
Android App "Spoon" provided by Spoon Radio Japan Inc. uses a hard-coded API key for an external service CWE-798. Impact The hard-coded API key may be retrieved when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service. Note that t...
Access analysis CGI An-Analyzer vulnerable to open redirect
Overview Access analysis CGI An-Analyzer provided by ANGLERSNET Co., Ltd. contains an open redirect vulnerability CWE-601. Tomoomi Iwata of Information-technology Promotion Agency, Japan reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Improper input validation CWE-20 - CVE-2024-23180 Cross-site scripting CWE-79 - CVE-2024-23181 Relative path traversal CWE-23 - CVE-2024-23182 Cross-site scripting CWE-79 - CVE-2024-23183 Improper input...
JVN#34565930: Multiple vulnerabilities in a-blog cms
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.

Improper input validation CWE-20 - CVE-2024-23180

| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | Base Score: 3.5 |
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 |

...
JVN#73587943: Access analysis CGI An-Analyzer vulnerable to open redirect
Access analysis CGI An-Analyzer provided by ANGLERSNET Co., Ltd. contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Apply the...
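The open redirect in An-Analyzer (CWE-601) and the HTTP header injection in Oracle WebLogic Server (CWE-113, above) are both failures of the same code path: a redirect target taken from the request and written into a Location header. The following is an added example, not code from either advisory, from ANGLERSNET or from Oracle. It shows the header as a naive handler would build it and a validator that closes both problems; the parameter name, the allowed host and the function names are assumptions for the demo.

```python
# Added example, not code from the advisories, ANGLERSNET or Oracle: building
# a Location header from a user-supplied "next" parameter so that neither an
# open redirect (CWE-601, the An-Analyzer entry) nor HTTP header injection
# (CWE-113, the WebLogic entry) is possible. The parameter name, the allowed
# host and the function names are assumptions for the demo.
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"app.example.test"}    # constructed: our own site(s)


def vulnerable_location_header(next_param: str) -> bytes:
    """Both bugs at once: the raw value becomes the header. '//evil.test'
    redirects off-site; a CR LF inside the value ends the Location line and
    the attacker appends headers (Set-Cookie, ...) or a response body."""
    return b"Location: " + next_param.encode("latin-1") + b"\r\n"


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a target that stays on this site, or `default` if the value
    cannot be trusted. Falling back rather than raising is the usual
    behaviour for a login-and-return flow."""
    if not next_param:
        return default
    # CWE-113: refuse control characters (CR, LF, NUL, TAB ...) outright.
    # Non-ASCII is refused too; a real app percent-encodes before this point.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ('//evil.test', 'https:evil.test',
        # 'javascript:...', 'https://app.example.test@evil.test/'): only our
        # own hosts over https survive. hostname strips userinfo and port.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    path = parts.path
    # Browsers read '/\evil.test' and '\\evil.test' like '//evil.test';
    # urlsplit leaves the backslashes in the path, so check them here.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def location_header(next_param: str) -> bytes:
    """Exactly one header line, because the target has been validated."""
    return b"Location: " + safe_redirect_target(next_param).encode("ascii") + b"\r\n"
```

Allow-listing the host is deliberate: a deny-list of "http://" and "//" misses scheme-relative and backslash forms, and a "starts with our domain" string check is defeated by `https://app.example.test.evil.test/` and by userinfo tricks. The control-character check sits before URL parsing because that is where header splitting happens, regardless of where the redirect goes.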
FusionPBX vulnerable to cross-site scripting
Overview FusionPBX contains a stored cross-site scripting vulnerability CWE-79. Satoshi Horikoshi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the web browser of the...
JVN#67215338: FusionPBX vulnerable to cross-site scripting
FusionPBX contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product. Solution Update the software Update the software to the latest version according to the information provided by the...
Multiple Dahua Technology products vulnerable to authentication bypass
Overview Multiple products provided by Dahua Technology contain an authentication bypass vulnerability CWE-287. Mitsui Bussan Secure Directions, Inc. reported to IPA that the vulnerability exists in "DHI-ASI7213Y-V3-T1". JPCERT/CC coordinated with the developer under Information Security Early Warnin...
JVN#83655695: Multiple Dahua Technology products vulnerable to authentication bypass
Multiple products provided by Dahua Technology contain an authentication bypass vulnerability CWE-287. Impact The product's identity verification may be bypassed if a remote attacker sends specially crafted data packets. Solution Update the software Update the software to the latest version...
Drupal vulnerable to improper handling of structural elements
Overview Drupal provided by Drupal.org contains an improper handling of structural elements vulnerability CWE-237. Shiga Takuma of BroadBand Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
JVN#63383723: Drupal vulnerable to improper handling of structural elements
Drupal provided by Drupal.org contains an improper handling of structural elements vulnerability CWE-237. Impact An attacker may be able to cause a denial-of-service DoS condition. Solution Update the Software Update the software to the latest version 10 series according to the information provid...
Pleasanter vulnerable to cross-site scripting
Overview Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Masamitsu Kushi of Operation Group, Communication Technology Department, Digital Innovation HQ at Mitsubishi Heavy Industries, Ltd. reported this vulnerability to Implem Inc. and coordinated. After t...
Thermal camera TMC series vulnerable to insufficient technical documentation
Overview Thermal camera TMC series provided by THREE R SOLUTION CORP. JAPAN are vulnerable to insufficient technical documentation CWE-1059. The related documentation does not describe the existence of the network interface, nor the internal storage for pictures and measurement data. Hiroyuki...
JVN#51135247: Pleasanter vulnerable to cross-site scripting
Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability CWE-79. Impact If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user. Solution Update t...
JVN#96240417: Thermal camera TMC series vulnerable to insufficient technical documentation
Thermal camera TMC series provided by THREE R SOLUTION CORP. JAPAN are vulnerable to insufficient technical documentation CWE-1059. The related documentation does not describe the existence of the network interface, nor the internal storage for pictures and measurement data. Impact The user of th...
Improper input validation vulnerability in WordPress Plugin "WordPress Quiz Maker Plugin"
Overview WordPress Plugin "WordPress Quiz Maker Plugin" provided by AYS Pro Plugins contains an improper input validation vulnerability CWE-20. Shogo Kumamaru of LAC CyberLink Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#37326856: Improper input validation vulnerability in WordPress Plugin "WordPress Quiz Maker Plugin"
WordPress Plugin "WordPress Quiz Maker Plugin" provided by AYS Pro Plugins contains an improper input validation vulnerability CWE-20. Impact A user of the product may use the product to perform a Denial of Service DoS attack against external services. Solution Update the plugin Update the plugin...
Multiple TP-Link products vulnerable to OS command injection
Overview Multiple products provided by TP-LINK contain multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2024-21773 OS command injection CWE-78 - CVE-2024-21821 OS command injection CWE-78 - CVE-2024-21833 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to...
Multiple vulnerabilities in Panasonic Control FPWIN Pro7
Overview Control FPWIN Pro7 provided by Panasonic contains multiple vulnerabilities listed below. Stack-based Buffer Overflow CWE-121 - CVE-2023-6314 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 - CVE-2023-6315 Michael Heinzl reported these vulnerabilities to th...
Multiple vulnerabilities in PowerCMS
Overview PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in the management screen CWE-79 - CVE-2023-49117 Open redirect vulnerability in the members' site CWE-601 - CVE-2023-50297 Alfasado Inc. reported these...
Multiple vulnerabilities in BUFFALO VR-S1000
Overview VR-S1000 provided by BUFFALO INC. contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2023-45741 Argument injection CWE-88 - CVE-2023-46681 Use of hard-coded cryptographic key CWE-321 - CVE-2023-46711 Information disclosure CWE-200 - CVE-2023-51363...
Brother iPrint&Scan Desktop for Windows vulnerable to improper link resolution before file access
Overview iPrint&Scan Desktop for Windows provided by Brother Industries, Ltd. outputs logs to a certain log file. The affected version of the product does not check whether the log file is a normal file or a symbolic link to a certain file CWE-59. Chris Au reported this vulnerability to Brother...
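The check the Brother advisory says is missing (is the log file a normal file, or a link to something else?) is easy to get wrong if done as a separate test before the open, because the link can be swapped in between. The following is an added example, not code from the advisory or from Brother. It reproduces the trap with a symbolic link and shows a POSIX fix that makes the kernel refuse the link at open time; the paths and contents are constructed. The advisory concerns a Windows product, where NTFS symbolic links raise the same issue, but the O_NOFOLLOW flag used here is POSIX-only.

```python
# Added example, not code from the advisory or from Brother: the symlink
# trap behind CWE-59 as it applies to a log writer, and a POSIX fix. Paths
# and contents are constructed; the Windows product in the advisory has the
# same class of problem with NTFS symbolic links, but O_NOFOLLOW is POSIX.
import os
import stat
import tempfile


def vulnerable_append(log_path: str, line: str) -> None:
    """open() follows symbolic links. If a local user pre-creates log_path as
    a link to a file the (more privileged) writer can reach, the log line is
    appended to that file instead."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(line + "\n")


def safe_append(log_path: str, line: str) -> None:
    """Refuse to follow a symlink in the final path component and insist on a
    regular file. O_NOFOLLOW makes the kernel reject the link at open() time,
    which avoids the lstat-then-open race. A hard link planted by an attacker
    shows up as st_nlink > 1, so that is refused too. Parent directories are
    still trusted: the log directory must not be writable by other users."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(log_path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError(f"{log_path}: not a plain regular file, refusing to write")
        os.write(fd, (line + "\n").encode("utf-8"))
    finally:
        os.close(fd)


def demo() -> dict:
    """Attacker plants app.log -> victim.txt; then the writer logs a line."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "w", encoding="utf-8") as f:
            f.write("original content\n")
        trap = os.path.join(tmp, "app.log")
        os.symlink(victim, trap)                      # the attacker's step
        vulnerable_append(trap, "status=ok")          # lands in victim.txt
        with open(victim, encoding="utf-8") as f:
            victim_after = f.read()
        try:
            safe_append(trap, "status=ok")
            safe_refused = False
        except OSError:                               # ELOOP from O_NOFOLLOW
            safe_refused = True
        real = os.path.join(tmp, "real.log")
        safe_append(real, "first")
        safe_append(real, "second")
        with open(real, encoding="utf-8") as f:
            real_log = f.read()
    return {"victim_after": victim_after, "safe_refused": safe_refused, "real_log": real_log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

On Windows the equivalent is opening with FILE_FLAG_OPEN_REPARSE_POINT and then checking the file attributes of the handle, plus keeping the log directory out of user-writable locations; the principle is the same: decide on the object you actually opened, not on a path you looked at earlier.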
JVN#32646742: Multiple vulnerabilities in PowerCMS
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

Stored cross-site scripting vulnerability in the management screen CWE-79 - CVE-2023-49117

| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
| CVSS v2 | ... | ... |
JVN#23771490: Multiple vulnerabilities in BUFFALO VR-S1000
VR-S1000 provided by BUFFALO INC. contains multiple vulnerabilities listed below.

OS command injection CWE-78 - CVE-2023-45741

| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Base Score: 6.8 |
| CVSS v2 | AV:A/AC:L/Au:S/C:P/I:P/A:P | Base Score: 5.2 |

Argument...
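The VR-S1000 entry lists OS command injection (CWE-78) and argument injection (CWE-88) as separate findings, and the ELECOM and TP-Link entries above are the same CWE-78 pattern in other routers' administrative interfaces. The two are often conflated: dropping the shell fixes the first but not the second. The following is an added example, not code from any of these advisories or any vendor's firmware. It uses a hypothetical router diagnostics page that pings a user-supplied host; the function names and the host values are assumptions, and the commands are built but never executed.

```python
# Added example, not code from the advisories or any vendor's firmware: the
# difference between OS command injection (CWE-78) and argument injection
# (CWE-88), which the VR-S1000 entry lists side by side, shown on a
# hypothetical router diagnostics page that pings a user-supplied host. The
# commands are built but not run, so this executes anywhere.
import ipaddress
import re
import shlex
import subprocess


def cwe78_command(host: str) -> str:
    """Vulnerable: string concatenation intended for subprocess.run(shell=True).
    ';', '|', '&&', '$(...)' and backticks in `host` end the ping and start
    whatever the attacker wants, with the web server's privileges."""
    return f"ping -c 1 {host}"


def cwe88_argv(host: str) -> list[str]:
    """Still vulnerable: no shell, but the untrusted value is the first free
    argument, so a value beginning with '-' is parsed by ping as an option
    (flood mode, or options of other tools that write files)."""
    return ["ping", "-c", "1", host]


# DNS hostname: labels of 1-63 alphanumerics or '-', no leading/trailing '-',
# whole name at most 253 characters. Cannot begin with '-'.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(host: str) -> str:
    """Allow-list, not deny-list: accept an IPv4/IPv6 literal or a hostname,
    refuse everything else. Because neither grammar can start with '-',
    this closes CWE-88 as well as CWE-78."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME.match(host):
        return host
    raise ValueError(f"refusing host value {host!r}")


def safe_argv(host: str) -> list[str]:
    """Hardened: validated value, argv list (no shell), and '--' so that even
    a value that slipped past validation is never read as an option (GNU
    getopt, which iputils ping uses, stops option parsing at '--')."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def safe_shell_line(host: str) -> str:
    """If a shell really is unavoidable (the command goes into a script that
    the firmware runs), quote every argument; shlex.join does that."""
    return shlex.join(safe_argv(host))


def run_diagnostic(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """How the hardened page would actually execute it: argv list, no shell,
    bounded runtime, output captured rather than echoed into the page raw."""
    return subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=timeout)
```

The ordering in `safe_argv` is the point: validation removes shell metacharacters and leading dashes, the argv list removes the shell, and `--` removes the remaining dependence on the validator being perfect. Each layer is cheap, and a router CGI that does any one of them on its own is still exploitable in one of the two ways the advisory names.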
WordPress plugin "MW WP Form" vulnerable to arbitrary file upload
Overview WordPress plugin "MW WP Form" provided by Web Consultation Office Co., Ltd. can create a mail form using a shortcode. MW WP Form contains a vulnerability that may allow an attacker to upload arbitrary files CVE-2023-6316, CWE-434. Impact When the "Saving inquiry data in database" option in...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability in the presentation feature CWE-79 - CVE-2023-42436 Stored cross-site scripting vulnerability in the App Settings /admin/app page and the Markdown Settings...