5625 matches found
Cybozu Remote Service vulnerable to Uncontrolled Resource Consumption
Overview Cybozu Remote Service provided by Cybozu, Inc. is vulnerable to uncontrolled resource consumption CWE-400. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A logged-in user may consume huge storage space, resulting to a...
Multiple cross-site scripting vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in User management CWE-79 - CVE-2022-39325 Stored cross-site scripting vulnerability in Permission Settings CWE-79 - CVE-2022-41994...
JVN#87895771: Cybozu Remote Service vulnerable to Uncontrolled Resource Consumption
Cybozu Remote Service provided by Cybozu, Inc. is vulnerable to uncontrolled resource consumption CWE-400. Impact A logged-in user may consume huge storage space, resulting to a denial-of-service DoS condition. Solution Update the Software Update to the latest version according to the information...
JVN#53682526: Multiple cross-site scripting vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in User management CWE-79 - CVE-2022-39325 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N| Base...
TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input
Overview tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash CWE-228. Tomoya Kitagawa and Toshiki Takatera of Ricerca Security, Inc. reported this vulnerability to the developer and coordinated. After coordination was completed, this case was reported to...
JVN#29657972: TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input
tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash CWE-228. Impact An attacker may be able to cause a denial-of-service DoS condition of the product's OneMesh function. Solution Update the software Update the software to the latest version according to the...
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Information disclosure due to Out-of-Bounds read vulnerabilities...
Typora fails to properly neutralize JavaScript code.
Overview Typora fails to properly neutralize JavaScript code CWE-116. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Opening a file with the affected product may lead to...
JVN#26044739: Typora fails to properly neutralize JavaScript code
Typora fails to properly neutralize JavaScript code CWE-116. Impact Opening a file with the affected product may lead to execute the JavaScript code inside the file. Solution Update the Software Update the software to the latest version according to the information provided by the developer. The...
WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables
Overview WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera accepts untrusted external inputs to update certain internal variables CWE-454. Tsubasa Iinuma of Origami Systems reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
JVN#13927745: WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables
WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera accepts untrusted external inputs to update certain internal variables CWE-454. Impact The number of views for an article may be manipulated through a crafted input. Solution Update the plugin Update the plugin according to the...
RICOH Aficio SP 4210N vulnerable to cross-site scripting
Overview Aficio SP 4210N provided by RICOH COMPANY, LTD. contains a cross-site scripting vulnerability CWE-79 in Web Image Monitor. Yudai Morii, Takaya Noma, Hiroki Yasui, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC...
Multiple vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. Improper Validation of Syntactic Correctness of Input CWE-1286 - CVE-2022-45113 Cross-site Scripting CWE-79 - CVE-2022-45122 Improper Neutralization of Server-Side Includes SSI Within a Web Page CWE-9...
JVN#24659622: RICOH Aficio SP 4210N vulnerable to cross-site scripting
Aficio SP 4210N provided by RICOH COMPANY, LTD. contains a cross-site scripting vulnerability CWE-79 in Web Image Monitor. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. Solution Update the firmware...
JVN#37014768: Multiple vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. Improper Validation of Syntactic Correctness of Input CWE-1286 - CVE-2022-45113 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2|...
TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation
Overview The past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java Rich are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability. According to the developer, this vulnerability is...
JVN#54728399: TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation
The past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java Rich are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability. According to the developer, this vulnerability is caused by ...
Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure
Overview Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability CWE-200. Cameron Palmer of PROMON reported this vulnerability to Aiphone Co., Ltd. and coordinated. Aiphone Co., Ltd. and JPCERT/CC published respective advisories in...
Multiple vulnerabilities in OMRON products
Overview Machine automation controller NJ/NX series, Automation software "Sysmac Studio", and programmable terminal PT NA series provided by OMRON Corporation contain multiple vulnerabilities in the communication function. The vulnerabilities are as follows. Use of Hard-coded Credentials CWE-798 ...
JVN#75437943: Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure
Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability CWE-200. Impact An attacker who can obtain specific information of the product and access the product may obtain sensitive information stored in the device. Solution Use the...
WordPress Plugin "Salon booking system" vulnerable to cross-site scripting
Overview WordPress Plugin "Salon booking system" contains a cross-site scripting vulnerability CWE-79. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Multiple vulnerabilities in WordPress
Overview WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature. Stored Cross-site scripting CWE-79 - CVE-2022-43497 Stored Cross-site scripting CWE-79 - CVE-2022-43500 Improper authentication CWE-287 - CVE-2022-43504 Toshitsugu Yoneyama of Mitsu...
JVN#59663854: WordPress Plugin "Salon booking system" vulnerable to cross-site scripting
WordPress Plugin "Salon booking system" contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress administrative page where the product is installed. Solution Update the plugin Update the plug...
JVN#09409909: Multiple vulnerabilities in WordPress
WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature. Stored Cross-site scripting CWE-79 - CVE-2022-43497 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers
Overview The web interface "Command Center" of multiple MFPs and printers provided by KYOCERA Document Solutions Inc. contain multiple vulnerabilities listed below. Session Information Easily Guessable CWE-287 - CVE-2022-41798 Missing authorization CWE-425 - CVE-2022-41807 Stored cross-site...
JVN#46345126: Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers
The web interface "Command Center" of multiple MFPs and printers provided by KYOCERA Document Solutions Inc. contain multiple vulnerabilities listed below. Session Information Easily Guessable CWE-287 - CVE-2022-41798 Version| Vector| Score ---|---|--- CVSS v3|...
Multiple vulnerabilities in FUJI SOFT network devices
Overview USB dongle +F FS040U and mobile routers +F FS020W/+F FS030W/+F FS040W provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities listed below. Plaintext Storage of a Password CWE-256 - CVE-2022-43442 Cross-Site Request Forgery CWE-352 - CVE-2022-43470 Tomohisa Hasegawa of Canon ...
JVN#74285622: Multiple vulnerabilities in FUJI SOFT network devices
USB dongle +F FS040U and mobile routers +F FS020W/+F FS030W/+F FS040W provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities listed below. Plaintext Storage of a Password CWE-256 - CVE-2022-43442 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N...
Multiple vulnerabilities in SHIRASAGI
Overview SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2022-43479 Stored Cross-site Scripting CWE-79 - CVE-2022-43499 SHIGA TAKUMA of BroadBand Security, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with th...
JVN#86350682: Multiple vulnerabilities in SHIRASAGI
SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2022-43479 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 Stored...
Multiple vulnerabilities in nadesiko3
Overview Nadesiko3 provided by kujirahand contains multiple vulnerabilities listed below. OS command injection vulnerability in processing compression and decompression CWE-78 - CVE-2022-41642 Improper check or handling of exceptional conditions in nako3edit CWE-703 - CVE-2022-41777 OS command...
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Privilege escalation due to a Time-of-check Time-of-use TOCTOU Race...
JVN#56968681: Multiple vulnerabilities in nadesiko3
Nadesiko3 provided by kujirahand contains multiple vulnerabilities listed below. OS command injection vulnerability in processing compression and decompression CWE-78 - CVE-2022-41642 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2...
Stack-based buffer overflow vulnerability in Yokogawa Test & Measurement WTViewerE
Overview WTViewerE provided by Yokogawa Test & Measurement Corporation contains a stack-based buffer overflow vulnerability CWE-121. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact Processing a long file name may cause the product to crash...
Lemon8 App fails to restrict access permissions
Overview Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Ryo Sato of BroadBand Security,Inc. reported this...
JVN#10921428: Lemon8 App fails to restrict access permissions
Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to access an arbitrar...
Android App "IIJ SmartKey" vulnerable to information disclosure
Overview Android App "IIJ SmartKey" provided by Internet Initiative Japan Inc. contains an information disclosure vulnerability CWE-200. Naoaki Iwakiri reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Under...
JVN#74534998: Android App "IIJ SmartKey" vulnerable to information disclosure
Android App "IIJ SmartKey" provided by Internet Initiative Japan Inc. contains an information disclosure vulnerability CWE-200. Impact Under certain conditions, an attacker may obtain a one-time password issued by the product. Solution Update the application Update the application to the latest...
Multiple vulnerabilities in SVMPC1 and SVMPC2
Overview SVMPC1 and SVMPC2 provided by Daikin Holdings Singapore Pte Ltd. contain multiple vulnerabilities listed below. Use of hard-coded password CWE-259 - CVE-2022-41653 Improper access control CWE-284 - CVE-2022-38355 Impact Exploiting these vulnerabilities may allow an attacker on the same L...
bingo!CMS vulnerable to authentication bypass
Overview bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability CWE-288 in some of the management functions. Shift Tech Inc. states that attacks exploiting this vulnerability have been observed. Shift Tech Inc. reported this vulnerability to IPA to notify users of i...
Multiple vulnerabilities in Trend Micro Deep Security and Cloud One - Workload Security agents for Windows
Overview Trend Micro Incorporated has released a security update for Trend Micro Deep Security and Cloud One - Workload Security agents for Windows. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Information disclosure due...
The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries
Overview The installer of Content Transfer for Windows provided by Sony Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinat...
JVN#74592196: bingo!CMS vulnerable to authentication bypass
bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability CWE-288 in some of the management functions. Shift Tech Inc. states that attacks exploiting this vulnerability have been observed. Impact Accessing a specific URL directly may allow a remote unauthenticated...
JVN#40620121: The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries
The installer of Content Transfer for Windows provided by Sony Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privileges of the installer. Solution Do not execute the...
Growi vulnerable to improper access control
Overview GROWI provided by WESEEK, Inc. contains an improper access control vulnerability CWE-284. Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A us...
JVN#00845253: Growi vulnerable to improper access control
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability CWE-284. Impact A user who can login to the affected product may download the markdown data from the pages set to private by the other users. Solution Update the software Update the software to the following versions...
IPFire WebUI vulnerable to cross-site scripting
Overview The web user interface of IPFire provided by IPFire Project contains multiple stored cross-site scripting vulnerabilities CWE-79. This analysis assumes a scenario where one administrative user prepares malicious content, and then another administrative user accesses this content, resulti...
JVN#15411362: IPFire WebUI vulnerable to cross-site scripting
The web user interface of IPFire provided by IPFire Project contains multiple stored cross-site scripting vulnerabilities CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is using the product. Solution Update the Software Update the Software to the latest...
Multiple vulnerabilities in Buffalo network devices
Overview Multiple network devices provided by Buffalo Inc. contain multiple vulnerabilities listed below. Hidden Functionality CWE-912 - CVE-2022-39044 Use of Hard-coded Credentials CWE-798 - CVE-2022-34840 Authentication Bypass CWE-288 - CVE-2022-4096 Chuya Hayakawa of 00One, Inc. reported these...
Privilege Escalation Vulnerability in Hitachi Storage Plug-in for VMware vCenter
Overview A privilege escalation vulnerability CVE-2022-2637 exists in Hitachi Storage Plug-in for VMware vCenter. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and ta...