5609 matches found
Multiple vulnerabilities in Navigate CMS
Overview Navigate CMS is an open source Content Management System (CMS) provided by Naviwebs S.C. Navigate CMS contains multiple vulnerabilities listed below. Reflected cross-site scripting in the Help feature CWE-79 Reflected cross-site scripting CWE-79 - CVE-2021-36454 SQL injection CWE-89 -...
Incorrect permission assignment vulnerability in multiple Trend Micro Endpoint security products for enterprises
Overview Trend Micro Incorporated has released a security update for multiple Endpoint security products for enterprises. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A local authenticated attacker may escalate privileges a...
Huawei EchoLife HG8045Q vulnerable to OS command injection
Overview EchoLife HG8045Q provided by Huawei is an ONT Optical Network Terminal device. It is equipped with the command line interface for network operators' maintenance purpose, which is disabled by default. When the command line interface is enabled, operators can interact with a certain...
Multiple vulnerabilities in D-Link router DSL-2750U
Overview D-Link router DSL-2750U is vulnerable to unauthorized configuration modification CWE-15, CVE-2021-3707 and OS command injection CWE-78, CVE-2021-3708. Mohammed Hadi reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer. Impact An unauthenticated attacker on t...
JVN#41646618: Huawei EchoLife HG8045Q vulnerable to OS command injection
EchoLife HG8045Q provided by Huawei is an ONT Optical Network Terminal device. It is equipped with the command line interface for network operators' maintenance purpose, which is disabled by default. When the command line interface is enabled, operators can interact with a certain restricted set ...
Plone vulnerable to open redirect
Overview Plone provided by Plone Foundation contains an open redirect vulnerability CWE-601. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessin...
JVN#50804280: Plone vulnerable to open redirect
Plone provided by Plone Foundation contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Apply the Patch Apply the patch according...
WordPress Plugin "Quiz And Survey Master" vulnerable to cross-site scripting
Overview WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains a cross-site scripting vulnerability CWE-79 due to a flaw in handling some URL query parameters. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on...
JVN#65388002: WordPress Plugin "Quiz And Survey Master" vulnerable to cross-site scripting
WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains a cross-site scripting vulnerability CWE-79 due to a flaw in handling some URL query parameters. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update the plugin accordin...
Multiple vulnerabilities in multiple Trend Micro Endpoint security products for enterprises
Overview Multiple Endpoint security products for enterprises provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. Incorrect Permission Assignment CWE-732 - CVE-2021-32464 Improper Preservation of Permissions CWE-281 - CVE-2021-32465 Improper Input Validation CWE-20 ...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-1782 Cross-site scripting vulnerability in Scheduler CWE-79 - CVE-2021-20753 CyVDB-2029 Improper input validation vulnerability in Workflow CWE-20 - CVE-2021-20754 CyVDB-2071 Viewing restrictions...
JVN#54794245: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-1782 Cross-site scripting vulnerability in Scheduler CWE-79 - CVE-2021-20753 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 5.4 CVSS v2|...
Minecraft Java Edition vulnerable to directory traversal
Overview Minecraft Java Edition provided by Mojang Studios contains a directory traversal vulnerability CWE-22. RyotaK reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the...
JVN#53278122: Minecraft Java Edition vulnerable to directory traversal
Minecraft Java Edition provided by Mojang Studios contains a directory traversal vulnerability CWE-22. Impact Arbitrary JSON files on the system using the product may be deleted by an attacker. Solution Update Minecraft Update Minecraft to the latest version according to the information provided ...
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) vulnerable to cross-site scripting
Overview Trend Micro Incorporated has released a security update for InterScan Web Security Virtual Appliance IWSVA. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact A user may be redirected to an arbitrary website due to the...
Multiple vulnerabilities in GroupSession
Overview GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20785 Cross-site request forgery CWE-352 - CVE-2021-20786 Cross-site scripting vulnerability CWE-79 - CVE-2021-20787 Server-side reques...
JVN#86026700: Multiple vulnerabilities in GroupSession
GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20785 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
Optical BB unit E-WMTA2.3 vulnerable to cross-site request forgery
Overview Optical BB unit E-WMTA2.3 provided by SoftBank contains a cross-site request forgery vulnerability CWE-352. Hiroki Nishino reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user views a malicious...
JVN#34364599: Optical BB unit E-WMTA2.3 vulnerable to cross-site request forgery
Optical BB unit E-WMTA2.3 provided by SoftBank contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the firmware According to the developer, the fixed firmware for this...
Multiple vulnerabilities in Retty App
Overview Retty App provided by Retty Inc. contains multiple vulnerabilities listed below. The app is launched by Custom URL Scheme and a user may be led to access an arbitrary URL CWE-939 - CVE-2021-20747 The App uses a hard-coded API key for external services CWE-798 - CVE-2021-20748 Ryo Sato of...
JVN#26891339: Multiple vulnerabilities in Retty App
Retty App provided by Retty Inc. contains multiple vulnerabilities listed below. The app is launched by Custom URL Scheme and a user may be led to access an arbitrary URL CWE-939 - CVE-2021-20747 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score:...
voidtools "Everything" vulnerable to HTTP header injection
Overview The HTTP server of Everything provided by voidtools contains an HTTP header injection vulnerability CWE-644. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact On the web browser of a...
JVN#68971465: voidtools "Everything" vulnerable to HTTP header injection
The HTTP server of Everything provided by voidtools contains an HTTP header injection vulnerability CWE-644. Impact On the web browser of a user who accessed a website which uses the product, an arbitrary script may be executed or the displayed page may be altered. Solution Update the application...
WordPress Plugin "WordPress Meta Data Filter & Taxonomies Filter" vulnerable to cross-site request forgery
Overview WordPress Plugin "WordPress Meta Data Filter & Taxonomies Filter" provided by realmag777 contains a cross-site request forgery vulnerability CWE-352. Ryoma Nishioka of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this...
WordPress Plugin "Software License Manager" vulnerable to cross-site request forgery
Overview WordPress Plugin "Software License Manager" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Koken Tokuda of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to...
JVN#48413554: WordPress Plugin "WordPress Meta Data Filter & Taxonomies Filter" vulnerable to cross-site request forgery
WordPress Plugin "WordPress Meta Data Filter & Taxonomies Filter" provided by realmag777 contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update t...
JVN#89054582: WordPress Plugin "Software License Manager" vulnerable to cross-site request forgery
WordPress Plugin "Software License Manager" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Upda...
Multiple vulnerabilities in Elecom routers
Overview Multiple routers provided by ELECOM CO.,LTD. contain the information disclosure and OS command injection vulnerabilities listed below. WRC-1167FS-W, WRC-1167FS-B, WRC-1167FSA Information disclosure CWE-200 -...
GU App for Android fails to restrict access permissions
Overview GU App for Android provided by G.U. CO., LTD. contains an access restriction bypass issue CWE-939. The App launched by a Custom URL Scheme may lead a user to access an arbitrary URL. Nao Komatsu of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the develope...
JVN#25850723: GU App for Android fails to restrict access permissions
GU App for Android provided by G.U. CO., LTD. contains an access restriction bypass issue CWE-939. The App launched by a Custom URL Scheme may lead a user to access an arbitrary URL. Impact A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, if t...
Multiple vulnerabilities in Trend Micro Password Manager
Overview Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Privilege escalation and buffer overflow due to improper processing of integ...
WordPress Plugin "WordPress Email Template Designer - WP HTML Mail" vulnerable to cross-site request forgery
Overview WordPress Plugin "WordPress Email Template Designer - WP HTML Mail" provided by codemiq contains a cross-site request forgery vulnerability CWE-352. Konan Nagashima of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this...
WordPress Plugin "WPCS - WordPress Currency Switcher" vulnerable to cross-site request forgery
Overview WordPress Plugin "WPCS - WordPress Currency Switcher" provided by realmag777 contains a cross-site request forgery vulnerability CWE-352. Mizuki Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported and coordinated with...
JVN#42880365: WordPress Plugin "WordPress Email Template Designer - WP HTML Mail" vulnerable to cross-site request forgery
WordPress Plugin "WordPress Email Template Designer - WP HTML Mail" provided by codemiq contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in to the affected system with an administrative privilege, unintended operations may be...
JVN#91372527: WordPress Plugin "WPCS - WordPress Currency Switcher" vulnerable to cross-site request forgery
WordPress Plugin "WPCS – WordPress Currency Switcher" provided by realmag777 contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in to the affected system with an administrative privilege, unintended operations may be performed. Soluti...
A-Stage SCT-40CM01SR and AT-40CM01SR vulnerable to authentication bypass
Overview SCT-40CM01SR and AT-40CM01SR provided by A-Stage Inc. are liquid crystal televisions. SCT-40CM01SR and AT-40CM01SR contain an authentication bypass vulnerability CWE-287. Shinnosuke Tokusho reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#21636825: A-Stage SCT-40CM01SR and AT-40CM01SR vulnerable to authentication bypass
SCT-40CM01SR and AT-40CM01SR provided by A-Stage Inc. are liquid crystal televisions. SCT-40CM01SR and AT-40CM01SR contain an authentication bypass vulnerability CWE-287. Impact An attacker who can access the device may log in via telnet without authentication and execute an arbitrary command...
EC-CUBE fails to restrict access permissions
Overview EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions CWE-284. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership...
JVN#57942445: EC-CUBE fails to restrict access permissions
EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions CWE-284. Impact A remote attacker may obtain sensitive information. Solution Update the Software Update the software according to the information provided by the developer. The developer has released EC-CUBE 4.0.6-p1 that...
boastMachine vulnerable to cross-site scripting
Overview boastMachine provided by knadh contains a cross-site scripting vulnerability CWE-79. Daiki Fukumori reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the user's...
IkaIka RSS Reader vulnerable to cross-site scripting
Overview IkaIka RSS Reader contains a cross-site scripting vulnerability CWE-79, due to the improper processing of RSS registration. LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a malicio...
WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting
Overview WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera contains a cross-site scripting vulnerability CWE-79. Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#65660590: boastMachine vulnerable to cross-site scripting
boastMachine provided by knadh contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Stop using "boastMachine" The developer states that the product is no longer supported, therefore stop using the product. Products...
JVN#15185184: IkaIka RSS Reader vulnerable to cross-site scripting
IkaIka RSS Reader contains a cross-site scripting vulnerability CWE-79, due to the improper processing of RSS registration. Impact If a malicious RSS feed is loaded into the product, an arbitrary script may be executed on the web browser where the product is running. Solution Do not use IkaIka RS...
Multiple cross-site scripting vulnerabilities in EC-CUBE
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20750 Cross-site scripting vulnerability CWE-79 - CVE-2021-20751 hibiki moriyama of STNet, Incorporated reported these...
JVN#63066062: WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting
WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera contains a cross-site scripting vulnerability CWE-79. Impact A user with the administrative privilege may unintentionally execute a script on his/her web browser. Solution Update the plugin Update the plugin according to the...
JVN#95292458: Multiple cross-site scripting vulnerabilities in EC-CUBE
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20750 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
Inkdrop vulnerable to OS command injection
Overview Inkdrop provided by Takuya Matsuyama is a Markdown editor. Inkdrop contains an OS command injection vulnerability CWE-78. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting
Overview Some of the WordPress plugin "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability CWE-79. Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#93799513: WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting
Some of the WordPress plugin "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the site using the product. Solution Update the plugin Update the plugin according to th...