5625 matches found
JVN#46241173: EC-CUBE plugin "Easy Blog for EC-CUBE4" vulnerable to cross-site request forgery
EC-CUBE plugin "Easy Blog for EC-CUBE4" provided by COREMOBILE Co. Ltd. contains a cross-site request forgery vulnerability CWE-352. Impact If a site administrator who is logging in to the management screen of EC-CUBE on which the plug-in is installed accesses a specially crafted page, a blog...
JVN#44550983: Strapi vulnerable to cross-site scripting
Strapi contains a stored cross-site scripting vulnerability CWE-79 in the file upload function. Impact An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege. Solution Update the Software Update the software to the...
Command injection vulnerability in QNAP VioStar series NVR
Overview VioStar series NVR provided by QNAP Systems, Inc. contains a command injection vulnerability CVE-2022-27588, CWE-77. Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An arbitrary command may be executed by a remote...
Installer of Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Overview Installer of Trend Micro Password Manager provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA...
JVN#60037444: Installer of Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Installer of Trend Micro Password Manager provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use...
GENEREX RCCMD vulnerable to directory traversal
Overview RCCMD provided by GENEREX SYSTEMS Computervertriebsgesellschaft mbH contains a directory traversal vulnerability CWE-22. Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#60801132: GENEREX RCCMD vulnerable to directory traversal
RCCMD provided by GENEREX SYSTEMS Computervertriebsgesellschaft mbH contains a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed or altered by an attacker. Solution Update the software Update the software to the latest version according to the informatio...
Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
Overview FUJITSU Network IPCOM provided by FUJITSU LIMITED is an integrated network appliance. Operation management interface used to operate FUJITSU Network IPCOM contains multiple vulnerabilities listed below. OS command injection in the web console CWE-78 - CVE-2022-29516 Buffer overflow in th...
KOYO Electronics Screen Creator Advance2 vulnerable to authentication bypass
Overview Screen Creator Advance2 provided by KOYO ELECTRONICS INDUSTRIES CO., LTD. is a screen development tool for KOYO ELECTRONICS's HMI. Screen Creator Advance2 contains an authentication bypass vulnerability CWE-807 due to the improper check for the Remote control setting's account names. KOY...
Multiple vulnerabilities in multiple MEIKYO ELECTRIC products
Overview Multiple MEIKYO ELECTRIC products provided by MEIKYO ELECTRIC CO.,LTD. contain multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-27632 Cross-site scripting CWE-79 - CVE-2022-28717 Takayuki Sasaki of Yokohama National University reported these...
JVN#58266015: Multiple vulnerabilities in multiple MEIKYO ELECTRIC products
Multiple MEIKYO ELECTRIC products provided by MEIKYO ELECTRIC CO.,LTD. contain multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-27632 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L| Base Score: 5.4 CVSS v2|...
JVN#96561229: Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
FUJITSU Network IPCOM provided by FUJITSU LIMITED is an integrated network appliance. Operation management interface used to operate FUJITSU Network IPCOM contains multiple vulnerabilities listed below. OS command injection in the web console CWE-78 - CVE-2022-29516 Version| Vector| Score...
JVN#50337155: KOYO Electronics Screen Creator Advance2 vulnerable to authentication bypass
Screen Creator Advance2 provided by KOYO ELECTRONICS INDUSTRIES CO., LTD. is a screen development tool for KOYO ELECTRONICS's HMI. Screen Creator Advance2 contains an authentication bypass vulnerability CWE-807 due to the improper check for the Remote control setting's account names. Impact An...
Hammock AssetView missing authentication for critical functions
Overview AssetView provided by Hammock Corporation misses authentication for some critical functions CWE-306 on the managing server. Denis Faiustov, Ruslan Sayfiev of GMO Cyber Security by IERAE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Securit...
JVN#54857505: Hammock AssetView missing authentication for critical functions
AssetView provided by Hammock Corporation misses authentication for some critical functions CWE-306 on the managing server. Impact With some knowledge on the system configuration, a remote attacker may upload a crafted configuration file to the managing server, which results in the managed client...
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery
Overview WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability CWE-352. Kosuke Sakai reported and coordinated with the developer to fix this vulnerability. After coordination was...
JVN#31606885: WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in with the administrative privilege, unintended operations may b...
Trend Micro Antivirus for Mac vulnerable to privilege escalation
Overview Trend Micro Incorporated has released a security update for Trend Micro Antivirus for Mac. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A user who can log in to the system where the affected product is installed may...
Trend Micro Apex Central and Trend Micro Apex Central as a Service vulnerable to improper check for file contents
Overview Trend Micro Apex Central and Trend Micro Apex Central as a Service provided by Trend Micro Incorporated are vulnerable to improper check for file contents CWE-345, CVE-2022-26871. Trend Micro Incorporated states that attacks has been observed. Trend Micro Incorporated reported this...
Zero-channel BBS Plus vulnerable to cross-site scripting
Overview Zero-channel BBS Plus by Zero-Channel BBS Plus Developers is a bulletin board CGI script. Zero-channel BBS Plus contains a cross-site scripting vulnerability CWE-79. Zero-Channel BBS Plus Developers reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...
WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization
Overview WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains a missing authorization vulnerability CWE-862. Keitaro Yamazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
AttacheCase may insecurely load Dynamic Link Libraries
Overview AttacheCase may insecurely load Dynamic Link Libraries. AttacheCase is an open source file encryption software provided by HiBARA Software. AttacheCase contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Taizoh Tsukamoto of...
JVN#42543427: WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization
WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains a missing authorization vulnerability CWE-862. Impact Users of this product Editor, Author, Contributor may view the information on the database without the access permission. Solution Update the plugin Update the...
JVN#59576930: Zero-channel BBS Plus vulnerable to cross-site scripting
Zero-channel BBS Plus by Zero-Channel BBS Plus Developers is a bulletin board CGI script. Zero-channel BBS Plus contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the management screen of the product,...
JVN#10140834: AttacheCase may insecurely load Dynamic Link Libraries
AttacheCase is an open source file encryption software provided by HiBARA Software. AttacheCase contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege to run the software. Solution...
Netcommunity OG410X and OG810X VoIP gateway/Hikari VoIP adapter for business offices vulnerable to OS command injection
Overview Netcommunity OG410X and OG810X series provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contain an OS command injection vulnerability CWE-78, CVE-2022-22986. Chuya Hayakawa of 00One, Inc. reported this vulnerability to NTT Eas...
Multiple vulnerabilities in KINGSOFT "WPS Office" and "KINGSOFT Internet Security"
Overview "WPS Office" and "KINGSOFT Internet Security" provided by KINGSOFT JAPAN, INC. contain multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2022-25949 Insecurely loading Dynamic Link Libraries CWE-427 - CVE-2022-26081, CVE-2022-25969, CVE-2022-26511 These...
JVN#21234459: Multiple vulnerabilities in KINGSOFT "WPS Office" and "KINGSOFT Internet Security"
"WPS Office" and "KINGSOFT Internet Security" provided by KINGSOFT JAPAN, INC. contain multiple vulnerabilities listed below. Stack-based buffer overflow CWE-121 - CVE-2022-25949 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H| Base Score: 8.8 CVSS v2|...
Multiple vulnerabilities in pfSense
Overview pfSense software provided by Netgate contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2021-20729 Improper access control CWE-284 - CVE-2022-26019 Improper input validation CWE-20 - CVE-2022-24299 Yutaka WATANABE of Ierae Security Inc. reported these...
JVN#87751554: Multiple vulnerabilities in pfSense
pfSense software provided by Netgate contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2021-20729 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 Improper...
Installer of Trend Micro Portable Security may insecurely load Dynamic Link Libraries
Overview Trend Micro Incorporated has released a security update for Trend Micro Portable Security. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A local attacker may obtain the administrative privilege when the product's...
Installer of Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A local attacker may obtain the administrative privilege when the product's...
UNIVERGE WA Series vulnerable to OS command injection
Overview UNIVERGE WA Series provided by NEC Platforms, Ltd. contains an OS command injection vulnerability. Remote system maintenance feature of UNIVERGE WA series "Local maintenance console/Remote maintenance console/Web based remote console maintenance" contains an OS command injection...
JVN#72801744: UNIVERGE WA Series vulnerable to OS command injection
Remote system maintenance feature of UNIVERGE WA series "Local maintenance console/Remote maintenance console/Web based remote console maintenance" contains an OS command injection vulnerability CWE-78. Impact If an attacker who can access the product sends specific character strings or a special...
Installer of WPS Office for Windows misconfigures the ACL for the installation directory
Overview Installer of WPS Office for Windows misconfigures the ACL for the installation directory. When WPS Office for Windows is installed, some service program is registered to the OS, which is invoked with some administrative privilege. The installer fails to configure properly the ACL for the...
Multiple vulnerabilities in OMRON CX-Programmer
Overview CX-Programmer provided by OMRON Corporation contains multiple vulnerabilities listed below. Out-of-bounds Write CWE-787 - CVE-2022-21124 Use After Free CWE-416 - CVE-2022-25230 Use After Free CWE-416 - CVE-2022-25325 Out-of-bounds Read CWE-125 - CVE-2022-21219 Out-of-bounds Write CWE-787...
Directory Permission Vulnerability in Hitachi Ops Center Viewpoint
Overview A directory permission vulnerability was found in Hitachi Ops Center Viewpoint. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
File Permission Vulnerability in Hitachi Command Suite
Overview A file permission vulnerability was found in HitachiHitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
i-FILTER vulnerable to improper check for certificate revocation
Overview i-FILTER provided by Digital Arts Inc. is vulnerable to improper check for certificate revocation CWE-299 . Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Digital Arts Inc. coordinated under the Information Security Early...
JVN#33214411: i-FILTER vulnerable to improper check for certificate revocation
i-FILTER provided by Digital Arts Inc. is vulnerable to improper check for certificate revocation CWE-299 . Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the software and add settings Update the software to the latest version...
pfSense-pkg-WireGuard vulnerable to directory traversal
Overview pfSense-pkg-WireGuard provided by pfSense is an add-on package for pfSense CE and pfSense Plus. pfSense-pkg-WireGuard contains a directory traversal vulnerability CWE-22. Yutaka WATANABE of Ierae Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
Multiple vulnerabilities in Trend Micro ServerProtect
Overview Trend Micro Incorporated has released security updates for ServerProtect. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Remote control execution due to insufficiently protected static credentials Denial-of-servic...
MarkText vulnerable to cross-site scripting
Overview MarkText is a Markdown editor. MarkText contains a cross-site scripting vulnerability CWE-79. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may...
Norton Security for Mac improperly processes ICMP packets
Overview Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash CWE-20. Yuki Meguro of Tohoku Information Systems Company, Incorporated reported this vulnerability to IPA. JPCERT/CC...
JVN#87683137: Norton Security for Mac improperly processes ICMP packets
Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may result in OS to crash CWE-20. Impact An unprivileged user may cause a denial-of-service DoS condition on the OS. Solution Update the Software Update...
JVN#85572374: pfSense-pkg-WireGuard vulnerable to directory traversal
pfSense-pkg-WireGuard provided by pfSense is an add-on package for pfSense CE and pfSense Plus. pfSense-pkg-WireGuard contains a directory traversal vulnerability CWE-22. Impact pfSense users may view files in the private folders which they do not have privileges to access. Solution Update the...
JVN#89524240: MarkText vulnerable to cross-site scripting
MarkText is a Markdown editor. MarkText contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the PC of the user using the product. Solution Update the Software Update the software to the latest version according to the information provided by the...
Multiples security updates for Trend Micro Endpoint security products for enterprises (March 2022)
Overview Trend Micro Incorporated has released multiple security updates for Trend Micro Endpoint security products for enterprises. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Apex One On Premise 2019 Privilege...
EC-CUBE improperly handles HTTP Host header values
Overview EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values CWE-913. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning...
EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery
Overview EC-CUBE plugin "Mail Magazine Management Plugin" provided by EC-CUBE CO.,LTD. contains a cross-site request forgery vulnerability CWE-352. Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Informatio...