5625 matches found
JVN#88993473: Multiple vulnerabilities in multiple ELECOM LAN routers
Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Buffer overflow CWE-121 - CVE-2021-20852 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8 CVSS v2| AV:A/AC:L/Au:S/C:P/I:P/A:P| Base Score...
Trend Micro Antivirus for MAC vulnerable to improper access controls
Overview Trend Micro Incorporated has released a security update for Trend Micro Antivirus for MAC. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A user who can login to the system where the affected product is installed may...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2021-41243 Arbitrary code upload vulnerability in Database restore CWE-434 - CVE-2021-41279 CVE-2021-41243 Akagi Yusuke of NTT-ME CORPORATION reported this...
JVN#81376414: Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2021-41243 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 8.8 CVSS v2| AV:N/AC:L/Au:S/C:C/I:C/A:C| Base Score: 9.0...
WordPress Plugin "Browser and Operating System Finder" vulnerable to cross-site request forgery
Overview WordPress Plugin "Browser and Operating System Finder" provided by Aftab Muni contains a cross-site request forgery vulnerability CWE-352. imai shinpei of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported and coordinated with...
JVN#93562098: WordPress Plugin "Browser and Operating System Finder" vulnerable to cross-site request forgery
WordPress Plugin "Browser and Operating System Finder" provided by Aftab Muni contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin...
PowerCMS XMLRPC API vulnerable to OS command injection
Overview PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability CWE-78. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning...
JVN#17645965: PowerCMS XMLRPC API vulnerable to OS command injection
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed by a remote attacker. Solution In the case that not using XMLRPC API: If using as CGI/FCGI Delete mt-xmlrpc.cgi or remove execute permission to...
Multiple Vulnerabilities in JP1/Automatic Operation
Overview Multiple vulnerabilities have been found in JP1/Automatic Operation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
WordPress Plugin "Push Notifications for WordPress (Lite)" vulnerable to cross-site request forgery
Overview WordPress Plugin "Push Notifications for WordPress Lite" provided by Delite Studio contains a cross-site request forgery vulnerability CWE-352. Ten Katouno of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported and coordinated...
rwtxt vulnerable to cross-site scripting
Overview rwtxt provided by Zack Scholl is a light-weight content management system CMS that enables to share and/or view any text saved online. rwtxt contains a cross-site scripting vulnerability CWE-79. Ito Reo of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/C...
JVN#85492429: WordPress Plugin "Push Notifications for WordPress (Lite)" vulnerable to cross-site request forgery
WordPress Plugin "Push Notifications for WordPress Lite" provided by Delite Studio contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the...
JVN#22515597: rwtxt vulnerable to cross-site scripting
rwtxt provided by Zack Scholl is a light-weight content management system CMS that enables to share and/or view any text saved online. rwtxt contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the website...
Unlimited Sitemap Generator vulnerable to cross-site request forgery
Overview Unlimited Sitemap Generator provided by XML-Sitemaps contains a cross-site request forgery vulnerability CWE-352. Kanta Nishitani of Ierae Security, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
Cross-site Scripting Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview A Cross-site Scripting vulnerability was found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
JVN#58407606: Unlimited Sitemap Generator vulnerable to cross-site request forgery
Unlimited Sitemap Generator provided by XML-Sitemaps contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the software Update the software to the latest version according to th...
Multiple vulnerabilities in EC-CUBE 2 series
Overview EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. Improper access control in Management screen CWE-284 - CVE-2021-20841 Cross-site request forgery vulnerability in Management screen CWE-352 - CVE-2021-20842 EC-CUBE CO.,LTD. reported these...
JVN#75444925: Multiple vulnerabilities in EC-CUBE 2 series
EC-CUBE 2 series provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. Improper access control in Management screen CWE-284 - CVE-2021-20841 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2|...
WordPress Plugin "Booking Package - Appointment Booking Calendar System" vulnerable to cross-site scripting
Overview WordPress Plugin "Booking Package - Appointment Booking Calendar System" provided by Saasproject contains a cross-site scripting vulnerability CWE-79 due to the flaw in handling some URL query parameters. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IP...
JVN#68066589: WordPress Plugin "Booking Package - Appointment Booking Calendar System" vulnerable to cross-site scripting
WordPress Plugin "Booking Package - Appointment Booking Calendar System" provided by Saasproject contains a cross-site scripting vulnerability CWE-79 due to the flaw in handling some URL query parameters. Impact An arbitrary script may be executed on the web browser of the user who is accessing t...
File Permission Vulnerability in Hitachi Automation Director, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Overview A file permission vulnerability was found in Hitachi Automation Director, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for...
Authentication Bypass Vulnerability in Hitachi Device Manager
Overview An Authentication Bypass Vulnerability was found in Hitachi Device Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X
Overview CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities listed below. Buffer overflow in the Disk Agent CWE-119 - CVE-2021-20700, CVE-2021-20701 Buffer overflow in the Transaction Server CWE-119 - CVE-2021-20702, CVE-2021-20703 Buffer overflow in th...
Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) vulnerable to improper handling of Intent
Overview Android App "Mercari Merpay - Marketplace and Mobile Payments App" Japan version provided by Mercari, Inc. is vulnerable to improper handling of Intent CWE-939. RyotaK reported this vulnerability to Mercari, Inc. and Mercari, Inc. reported it to JPCERT/CC to disclose the vulnerability...
ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS)
Overview ESET Cyber Security and ESET Endpoint series are antivirus software. ESET Cyber Security and ESET Endpoint series for macOS contain a denial-of-service DoS vulnerability CWE-404. Zhou Tingrui of Kaijo Junior & Senior High School reported this vulnerability to the developer and IPA...
JVN#69304877: Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities listed below. Buffer overflow in the Disk Agent CWE-119 - CVE-2021-20700、CVE-2021-20701 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2|...
JVN#49465877: Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) vulnerable to improper handling of Intent
Android App "Mercari Merpay - Marketplace and Mobile Payments App" Japan version provided by Mercari, Inc. is vulnerable to improper handling of Intent CWE-939. Impact If a user who is using the vulnerable application accesses a malicious page, the malicious page can launch an arbitrary Activity ...
JVN#60553023: ESET Cyber Security and ESET Endpoint series vulnerable to denial-of-service (DoS)
ESET Cyber Security and ESET Endpoint series are antivirus software. ESET Cyber Security and ESET Endpoint series for macOS contain a denial-of-service DoS vulnerability CWE-404. Impact If it is exploited, an attacker may cause a denial-of-service DoS to stop the applications and all daemons of t...
Multiple improper restriction of XML external entity reference (XXE) vulnerabilities in Office Server Document Converter
Overview Office Server Document Converter provided by Antenna House, Inc. contains multiple improper restriction of XML external entity reference XXE vulnerabilities listed below. Improper restriction of XML external entity reference XXE CWE-611 - CVE-2021-20838 Resource exhaustion in the PDF...
JVN#33453839: Multiple improper restriction of XML external entity reference (XXE) vulnerabilities in Office Server Document Converter
Office Server Document Converter provided by Antenna House, Inc. contains multiple improper restriction of XML external entity reference XXE vulnerabilities listed below. Improper restriction of XML external entity reference XXE CWE-611 - CVE-2021-20838 Resource exhaustion in the PDF convert...
Trend Micro Endpoint security products for enterprises vulnerable to privilege escalation
Overview Trend Micro Incorporated has released security updates for Endpoint security products for enterprises. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact An attacker may obtain administrative privileges and an arbitrary...
Movable Type XMLRPC API vulnerable to OS command injection
Overview Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability CWE-78. Sending a specially crafted message by POST method to Movavle Type XMLRPC API may allow arbitrary OS command execution. Updated on 2021 November 10 As of 2021 November 10, a...
JVN#41119755: Movable Type XMLRPC API vulnerable to OS command injection
Movable Type XMLRPC API provided by Six Apart Ltd. contains an OS command injection vulnerability CWE-78. Sending a specially crafted message by POST method to Movavle Type XMLRPC API may allow arbitrary OS command execution. 【Updated on 2021 November 10】 As of 2021 November 10, a Proof-of-Concep...
OMRON CX-Supervisor vulnerable to out-of-bounds read
Overview CX-Supervisor provided by OMRON Corporation contains an out-of-bounds read vulnerability CWE-125, CVE-2021-20836. Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact If a user of the product has access to change system settings and...
128 Technology Session Smart Router vulnerable to authentication bypass
Overview 128 Technology Session Smart Router provided by 128 Technology contains an authentication bypass vulnerability CWE-287. Genta Kataoka of IERAE SECURITY INC. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#85073657: 128 Technology Session Smart Router vulnerable to authentication bypass
128 Technology Session Smart Router provided by 128 Technology contains an authentication bypass vulnerability CWE-287. Impact A remote attacker may bypass the authentication and execute an arbitrary OS command with the root privilege. Solution Update the software Update the software to the lates...
Apache HTTP Server vulnerable to directory traversal
Overview Apache HTTP Server provided by The Apache Software Foundation contains a directory traversal vulnerability CWE-22. Shungo Kumasaka of Internet Initiative Japan Inc. reported this vulnerability to the developer, and also to IPA in order to notify users of its solution through JVN. JPCERT/...
Nike App fails to restrict custom URL schemes properly
Overview Nike App by Nike, Inc. provides the function to access a requested URL using Custom URL Scheme. The app does not restrict access to the function properly CWE-939 which may be exploited to direct the app to access any sites. Impact A remote attacker may lead a user to access an arbitrary...
JVN#89126639: Nike App fails to restrict custom URL schemes properly
Nike App by Nike, Inc. provides the function to access a requested URL using Custom URL Scheme. The app does not restrict access to the function properly CWE-939 which may be exploited to direct the app to access any sites. Impact A remote attacker may lead a user to access an arbitrary website v...
JVN#51106450: Apache HTTP Server vulnerable to directory traversal
Apache HTTP Server provided by The Apache Software Foundation contains a directory traversal vulnerability CWE-22. Impact A remote attacker may access the unprotected files in "require all denied" placed outside of the document root. Moreover, if CGI scripts are enabled, arbitrary code may be...
Information Disclosure Vulnerability in Hitachi Tuning Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview Hitachi Tuning Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer contains information disclosure vulnerability. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section...
Trend Micro ServerProtect family vulnerable to authentication bypass
Overview Trend Micro Incorporated has released security updates for ServerProtect family. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A remote attacker may bypass authentication for the products. For more information, refer...
Multiple vulnerabilities in Cybozu Remote Service
Overview Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-525 Cross-site request forgery vulnerability in the management screen CWE-352 - CVE-2021-20795 CyVDB-1742 Path traversal vulnerability in the management screen CWE-22 - CVE-2021-20796...
Trend Micro HouseCall for Home Networks vulnerable to privilege escalation
Overview Trend Micro Incorporated has released a security update for HouseCall for Home Networks. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A user who can log in to the product may obtain administrative privileges. As a...
JVN#52694228: Multiple vulnerabilities in Cybozu Remote Service
Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-525 Cross-site request forgery vulnerability in the management screen CWE-352 - CVE-2021-20795 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N| Base Score:...
SNKRDUNK Market Place App for iOS vulnerable to improper server certificate verification
Overview SNKRDUNK Market Place App for iOS provided SODA, Inc. is vulnerable to improper server certificate verification CWE-295. Okazawa Yoshihiro of Cryptography Laboratory , Information and Communication Engineering ,Graduate School of Engineering , Tokyo Denki University reported this...
WordPress Plugin "OG Tags" vulnerable to cross-site request forgery
Overview WordPress Plugin "OG Tags" provided by Mario Valney contains a cross-site request forgery vulnerability CWE-352. Ryota Nakazato of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated with the developer to fix...
InBody App vulnerable to information disclosure
Overview InBody App provided by InBody Japan Inc. works with the household body composition analyzer InBody Dial manufactured and sold by InBody Japan Inc., and as a part of its functions, it manages and stores data such as weight, BMI, skeletal muscle mass, and fat mass measured by InBody Dial...
JVN#63023305: InBody App vulnerable to information disclosure
InBody App provided by InBody Japan Inc. works with the household body composition analyzer InBody Dial manufactured and sold by InBody Japan Inc., and as a part of its functions, it manages and stores data such as weight, BMI, skeletal muscle mass, and fat mass measured by InBody Dial. InBody Ap...
JVN#29428319: WordPress Plugin "OG Tags" vulnerable to cross-site request forgery
WordPress Plugin "OG Tags" provided by Mário Valney contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according...