Multiple vulnerabilities in TransmitMail
Overview TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. Directory traversal vulnerability due to the improper validation of external input values CWE-22 - CVE-2022-22146 Cross-site scripting CWE-79 - CVE-2022-21193 ishiyuriniwa reported...
Multiple vulnerabilities in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux
Overview Deep Security and Cloud One - Workload Security Agent for Linux provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. Directory Traversal CWE-22 - CVE-2022-23119 Code Injection CWE-94 - CVE-2022-23120 As of 2022 January 24, a Proof-of-Concept PoC code...
JVN#70100915: Multiple vulnerabilities in TransmitMail
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. Directory traversal vulnerability due to the improper validation of external input values CWE-22 - CVE-2022-22146 Version| Vector| Score ---|---|--- CVSS v3|...
GROWI vulnerable to authorization bypass through user-controlled key
Overview GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability CWE-639, CVE-2021-3852. huntr first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as an intermediator. After the coordination between huntr and WESEE...
Multiple cross-site scripting vulnerabilities in php_mailform
Overview phpmailform provided by econosys system contains multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability regarding the checkbox CWE-79 - CVE-2022-22142 Reflected cross-site scripting vulnerability regarding the attached file name CWE-79 -...
JVN#16690037: Multiple cross-site scripting vulnerabilities in php_mailform
phpmailform provided by econosys system contains multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability regarding the checkbox CWE-79 - CVE-2022-22142 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base...
Canon laser printers and small office multifunctional printers vulnerable to cross-site scripting
Overview Multiple Canon laser printers and small office multifunctional printers contain a stored cross-site scripting vulnerability CWE-79. Murashima Masahiro of IERAE SECURITY INC. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#64806328: Canon laser printers and small office multifunctional printers vulnerable to cross-site scripting
Multiple Canon laser printers and small office multifunctional printers contain a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the product settings screen. Solution Update the firmware Update the...
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 missing encryption
Overview PASSWORD MANAGER "MIRUPASS" PW10 / PW20 provided by KING JIM CO.,LTD. contain a missing encryption vulnerability CWE-311. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
Label printers "TEPRA" PRO SR5900P / SR-R7900P vulnerable to insufficiently protected credentials
Overview Label printers "TEPRA" PRO SR5900P / SR-R7900P provided by KING JIM CO.,LTD. contain an insufficiently protected credentials vulnerability CWE-522. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#81479705: Label printers "TEPRA" PRO SR5900P / SR-R7900P vulnerable to insufficiently protected credentials
Label printers "TEPRA" PRO SR5900P / SR-R7900P provided by KING JIM CO.,LTD. contain an insufficiently protected credentials vulnerability CWE-522. Impact An attacker who can access the products via network may obtain credentials to connect to the Wi-Fi access point with the infrastructure mode...
JVN#19826500: PASSWORD MANAGER "MIRUPASS" PW10 / PW20 missing encryption
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 provided by KING JIM CO.,LTD. contain a missing encryption vulnerability CWE-311. Impact A user who can physically access the products may obtain the stored passwords. Solution Stop using the products The developer states that the products are no longer...
Jimoty App for Android uses a hard-coded API key for an external service
Overview Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service CWE-798. Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact API key for...
Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master"
Overview WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-0180 Reflected cross-site scripting CWE-79 - CVE-2022-0181 Stored cross-site scripting CWE-79 - CVE-2022-0182 CVE-2022-0180,...
JVN#49047921: Jimoty App for Android uses a hard-coded API key for an external service
Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service CWE-798. Impact API key for an external service may be obtained by analyzing data in the app. Note that a user is not directly affected by this vulnerability. Solution Update the Application Update t...
JVN#72788165: Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master"
WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-0180 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2|...
Multiple vulnerabilities in KONICA MINOLTA MFPs and printing systems
Overview Multi-function printers MFP and printing systems provided by KONICA MINOLTA, INC. contain multiple vulnerabilities listed below. Incorrect authorization CWE-863 - CVE-2021-20868 Exposure of sensitive information to an unauthorized actor CWE-200 - CVE-2021-20869 Improper handling of...
Multiple vulnerabilities in IDEC PLCs
Overview Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below. Unprotected transport of credentials CWE-523 - CVE-2021-37400 Plaintext storage of a password CWE-256 - CVE-2021-37401 Unprotected transport of credentials CWE-523 - CVE-2021-20826 Plaintext storage...
TP-Link TL-WR802N V4(JP) vulnerable to OS command injection
Overview TP-Link TL-WR802N is a Wi-Fi router for home networks. The firmware version 170705 is reported vulnerable to OS command injection CWE-78. Impact Any user who can log in to the web interface of the affected product may execute arbitrary OS commands. Solution Update the Firmware Update to the late...
Multiple vulnerabilities in QNAP VioStar NVR
Overview VioStar series NVR provided by QNAP Systems contains multiple vulnerabilities listed below. Command injection CWE-77 - CVE-2021-38685 Improper authentication CWE-287 - CVE-2021-38686 Impact An arbitrary command may be executed by a remote attacker. - CVE-2021-38685 A remote attacker can...
Multiple vulnerabilities in multiple Yamaha routers
Overview Multiple routers provided by Yamaha Corporation contain multiple vulnerabilities listed below. Cross-site script inclusion CWE-829 - CVE-2021-20843 Improper neutralization of HTTP request headers for scripting syntax CWE-644 - CVE-2021-20844 Shoji Baba of IERAE SECURITY INC. reported the...
Android Apps developed using Yappli fail to restrict custom URL schemes properly
Overview Yappli provided by Yappli, Inc. is an application development platform. Android Apps that are developed with Yappli provide the function to access a requested URL using Custom URL Scheme. Access to the function is not restricted properly CWE-939, which may be exploited to direct the A...
JVN#66422035: Android Apps developed using Yappli fail to restrict custom URL schemes properly
Yappli provided by Yappli, Inc. is an application development platform. Android Apps that are developed with Yappli provide the function to access a requested URL using Custom URL Scheme. Access to the function is not restricted properly CWE-939, which may be exploited to direct the App to...
Multiple vulnerabilities in GroupSession
Overview GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2021-20874 Open redirect CWE-601 - CVE-2021-20875 Path Traversal CWE-22 - CVE-2021-20876 CVE-2021-20874 TAKUMA SHIGA...
JVN#79798166: Multiple vulnerabilities in GroupSession
GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below. Incorrect Permission Assignment for Critical Resource CWE-732 - CVE-2021-20874 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N| Base Score: 7.5 CVSS v2|...
UNIVERGE DT Series vulnerable to missing encryption of sensitive data
Overview UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers IP Phone Manager and Data Maintenance Tool provided by NEC Platforms, Ltd. contain a missing encryption vulnerability CWE-311. NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solutions throug...
JVN#13464252: UNIVERGE DT Series vulnerable to missing encryption of sensitive data
UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers IP Phone Manager and Data Maintenance Tool provided by NEC Platforms, Ltd. contain a missing encryption vulnerability CWE-311. Impact If a remote attacker who can access the internal network in which the product is set up analyzes packets...
Multiple vulnerabilities in Trend Micro Security 2021 family (Consumer)
Overview Trend Micro Incorporated has released security updates for Trend Micro Security 2021 family Consumer. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Maximum Security 2021 A user who can log in to the system where...
Multiple vulnerabilities in multiple ELECOM routers
Overview Multiple routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper access control leading to unauthorized activation of telnet service CWE-284 - CVE-2021-20862 OS command injection CWE-78 - CVE-2021-20863 Improper access control leading to unauthorized...
Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields"
Overview WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains multiple missing authorization vulnerabilities listed below. Missing authorization related to database browsing CWE-862 - CVE-2021-20865 Missing authorization related to user list obtaining CWE-862 -...
JVN#09136401: Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields"
WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains multiple missing authorization vulnerabilities listed below. Missing authorization related to database browsing CWE-862 - CVE-2021-20865 Version| Vector| Score ---|---|--- CVSS v3|...
Multiple vulnerabilities in multiple ELECOM LAN routers
Overview Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Buffer overflow CWE-121 - CVE-2021-20852 OS command injection CWE-78 - CVE-2021-20853, CVE-2021-20854 Cross-site scripting CWE-79 - CVE-2021-20855, CVE-2021-20856 Cross-site scripting...
Wi-Fi STATION SH-52A vulnerable to cross-site scripting
Overview Wi-Fi STATION SH-52A provided by NTT DOCOMO, INC. contains a cross-site scripting vulnerability CWE-79. Takayuki Sasaki of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
JVN#19482703: Wi-Fi STATION SH-52A vulnerable to cross-site scripting
Wi-Fi STATION SH-52A provided by NTT DOCOMO, INC. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the WebUI of the product. Solution Apply an Update Apply the update according to the information...
JVN#88993473: Multiple vulnerabilities in multiple ELECOM LAN routers
Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Buffer overflow CWE-121 - CVE-2021-20852 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8 CVSS v2| AV:A/AC:L/Au:S/C:P/I:P/A:P| Base Score...
Trend Micro Antivirus for MAC vulnerable to improper access controls
Overview Trend Micro Incorporated has released a security update for Trend Micro Antivirus for MAC. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A user who can log in to the system where the affected product is installed may...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2021-41243 Arbitrary code upload vulnerability in Database restore CWE-434 - CVE-2021-41279 CVE-2021-41243 Akagi Yusuke of NTT-ME CORPORATION reported this...
JVN#81376414: Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2021-41243 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 8.8 CVSS v2| AV:N/AC:L/Au:S/C:C/I:C/A:C| Base Score: 9.0...
WordPress Plugin "Browser and Operating System Finder" vulnerable to cross-site request forgery
Overview WordPress Plugin "Browser and Operating System Finder" provided by Aftab Muni contains a cross-site request forgery vulnerability CWE-352. imai shinpei of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated with...
JVN#93562098: WordPress Plugin "Browser and Operating System Finder" vulnerable to cross-site request forgery
WordPress Plugin "Browser and Operating System Finder" provided by Aftab Muni contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin...
PowerCMS XMLRPC API vulnerable to OS command injection
Overview PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability CWE-78. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning...
JVN#17645965: PowerCMS XMLRPC API vulnerable to OS command injection
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed by a remote attacker. Solution If the XMLRPC API is not in use: if running as CGI/FCGI, delete mt-xmlrpc.cgi or remove execute permission to...
Multiple Vulnerabilities in JP1/Automatic Operation
Overview Multiple vulnerabilities have been found in JP1/Automatic Operation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
WordPress Plugin "Push Notifications for WordPress (Lite)" vulnerable to cross-site request forgery
Overview WordPress Plugin "Push Notifications for WordPress Lite" provided by Delite Studio contains a cross-site request forgery vulnerability CWE-352. Ten Katouno of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated...
rwtxt vulnerable to cross-site scripting
Overview rwtxt provided by Zack Scholl is a light-weight content management system CMS that enables users to share and/or view any text saved online. rwtxt contains a cross-site scripting vulnerability CWE-79. Ito Reo of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/C...
JVN#85492429: WordPress Plugin "Push Notifications for WordPress (Lite)" vulnerable to cross-site request forgery
WordPress Plugin "Push Notifications for WordPress Lite" provided by Delite Studio contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the...
JVN#22515597: rwtxt vulnerable to cross-site scripting
rwtxt provided by Zack Scholl is a light-weight content management system CMS that enables users to share and/or view any text saved online. rwtxt contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the website...
Unlimited Sitemap Generator vulnerable to cross-site request forgery
Overview Unlimited Sitemap Generator provided by XML-Sitemaps contains a cross-site request forgery vulnerability CWE-352. Kanta Nishitani of Ierae Security, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
Cross-site Scripting Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview A Cross-site Scripting vulnerability was found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
JVN#58407606: Unlimited Sitemap Generator vulnerable to cross-site request forgery
Unlimited Sitemap Generator provided by XML-Sitemaps contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the software Update the software to the latest version according to th...