5625 matches found
JVN#42880365: WordPress Plugin "WordPress Email Template Designer - WP HTML Mail" vulnerable to cross-site request forgery
WordPress Plugin "WordPress Email Template Designer - WP HTML Mail" provided by codemiq contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in to the affected system with an administrative privilege, unintended operations may be...
A-Stage SCT-40CM01SR and AT-40CM01SR vulnerable to authentication bypass
Overview SCT-40CM01SR and AT-40CM01SR provided by A-Stage Inc. are liquid crystal televisions. SCT-40CM01SR and AT-40CM01SR contain an authentication bypass vulnerability CWE-287. Shinnosuke Tokusho reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#21636825: A-Stage SCT-40CM01SR and AT-40CM01SR vulnerable to authentication bypass
SCT-40CM01SR and AT-40CM01SR provided by A-Stage Inc. are liquid crystal televisions. SCT-40CM01SR and AT-40CM01SR contain an authentication bypass vulnerability CWE-287. Impact An attacker who can access the device may log in via telnet without authentication and execute an arbitrary command...
EC-CUBE fails to restrict access permissions
Overview EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions CWE-284 . EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership...
JVN#57942445: EC-CUBE fails to restrict access permissions
EC-CUBE provided by EC-CUBE CO.,LTD. fails to restrict access permissions CWE-284 . Impact A remote attacker may obtain sensitive information. Solution Update the Softwere Update the software according to the information provided by the developer. The developer has released EC-CUBE 4.0.6-p1 that...
boastMachine vulnerable to cross-site scripting
Overview boastMachine provided by knadh contains a cross-site scripting vulnerability CWE-79. Daiki Fukumori reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the user's...
IkaIka RSS Reader vulnerable to cross-site scripting
Overview IkaIka RSS Reader contains a cross-site scripting vulnerability CWE-79, due to the improper processing of RSS registration. LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a malicio...
WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting
Overview WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera contains a cross-site scripting vulnerability CWE-79. Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#65660590: boastMachine vulnerable to cross-site scripting
boastMachine provided by knadh contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Stop using "boastMachine" The developer states that the product is no longer supported, therefore stop using the product. Products...
JVN#15185184: IkaIka RSS Reader vulnerable to cross-site scripting
IkaIka RSS Reader contains a cross-site scripting vulnerability CWE-79, due to the improper processing of RSS registration. Impact If a malicious RSS feed is loaded into the product, an arbitrary script may be executed on the web browser where the product is running. Solution Do not use IkaIka RS...
Multiple cross-site scripting vulnerabilities in EC-CUBE
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20750 Cross-site scripting vulnerability CWE-79 - CVE-2021-20751 hibiki moriyama of STNet, Incorporated reported these...
JVN#63066062: WordPress Plugin "WordPress Popular Posts" vulnerable to cross-site scripting
WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera contains a cross-site scripting vulnerability CWE-79. Impact A user with the administrative privilege may unintentionally execute a script on his/her web browser. Solution Update the plugin Update the plugin according to the...
JVN#95292458: Multiple cross-site scripting vulnerabilities in EC-CUBE
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20750 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
Inkdrop vulnerable to OS command injection
Overview Inkdrop provided by Takuya Matsuyama is a Markdown editor. Inkdrop contains an OS command injection vulnerability CWE-78. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting
Overview Some of WordPress plugin "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability CWE-79. Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#93799513: WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting
Some of WordPress plugin "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the site using the product. Solution Update the plugin Update the plugin according to th...
JVN#29949691: Inkdrop vulnerable to OS command injection
Inkdrop provided by Takuya Matsuyama is a Markdown editor. Inkdrop contains an OS command injection vulnerability CWE-78. Impact If a file or code snippet containing an invalid iframe is loaded into Inkdrop, an arbitrary OS command may be executed on the system where it runs. Solution Update the...
Hitachi Virtual File Platform vulnerable to OS command injection
Overview Hitachi Virtual File Platform provided by Hitachi contains an OS command injection vulnerability CWE-78 due to a flaw in processing parameters of the HTTP requests. Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#21298724: Hitachi Virtual File Platform vulnerable to OS command injection
Hitachi Virtual File Platform provided by Hitachi contains an OS command injection vulnerability CWE-78 due to a flaw in processing parameters of the HTTP requests. Impact A remote attacker who can log in to the product may execute an arbitrary OS command with root privilege. Solution Update the...
Hitachi Application Server Help vulnerable cross-site scripting
Overview Hitachi Application Server Help contains a cross-site scripting vulnerability CWE-79. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrar...
JVN#03776901: Hitachi Application Server Help vulnerable cross-site scripting
Hitachi Application Server Help contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Apply the appropriate latest version of the help according to the information provided by the developer. Product...
Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE
Overview Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20742 Cross-site scripting vulnerability CWE-79 - CVE-2021-20743 Cross-site scripting vulnerability CWE-79 -...
Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
Overview Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability CWE-79. An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE. As of 2021 June 15, an attack exploting this vulnerability has been observed in the wil...
JVN#57524494: Multiple cross-site scripting vulnerabilities in multiple EC-CUBE plugins provided by EC-CUBE
Multiple EC-CUBE plugins provided by EC-CUBE CO.,LTD. contain multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability CWE-79 - CVE-2021-20742 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L| Base Score: 7.1 CVSS v2|...
JVN#79254445: Multiple ETUNA EC-CUBE plugins vulnerable to cross-site scripting
Multiple EC-CUBE plugins provided by ETUNA contain a cross-site scripting vulnerability CWE-79. An arbitrary script may be executed by executing a specific operation on the management page of EC-CUBE. As of 2021 June 15, an attack exploting this vulnerability has been observed in the wild. Impact...
Asken App for Android fails to restrict custom URL schemes properly
Overview Asken App for Android by asken Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to access ...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. NoSQL injection CWE-943 - CVE-2021-20736 Improper authentication CWE-287 - CVE-2021-20737 Impact The expected impact depends on each vulnerability, but it may be affected as follows. A user who can access the...
JVN#95457785: Multiple vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. NoSQL injection CWE-943 - CVE-2021-20736 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L| Base Score: 7.3 CVSS v2| AV:N/AC:L/Au:N/C:P/I:P/A:P| Base Score: 7.5 Improper...
JVN#38034268: あすけん App for Android fails to restrict custom URL schemes properly
あすけん App for Android by asken Inc. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-939 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to access an arbitra...
WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a stored cross-site scripting vulnerability CWE-79. Yu Iwama of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#70566757: WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a stored cross-site scripting vulnerability CWE-79. Impact If a user views a malicious page while logged in to the affected system with the administrative privilege, an arbitrary script may be executed. Solution Update the...
urllib3 vulnerable to Regular expression Denial-of-Service (ReDoS)
Overview urllib3 contains a Regular expression Denial-of-Service DoS vulnerability. urllib3, an HTTP client module for Python, contains a Regular expression Denial-of-Service ReDoS vulnerability CWE-400, CVE-2021-33503 due to catastrophic backtracking while processing a malicious URL. Nariyoshi...
ATOM - Smart life App vulnerable to improper server certificate verification
Overview ATOM - Smart life App provided by ATOM tech Inc. is vulnerable to improper server certificate verification CWE-295. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#64064138: ATOM - Smart life App vulnerable to improper server certificate verification
ATOM - Smart life App provided by ATOM tech Inc. is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update the application to the latest version...
goo blog App fails to restrict custom URL schemes properly
Overview goo blog App by NTT Resonant Incorporated provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-284 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to...
JVN#91691168: goo blog App fails to restrict custom URL schemes properly
goo blog App by NTT Resonant Incorporated provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly CWE-284 which may be exploited to direct the App to access any sites. Impact A remote attacker may lead a user to access an...
Multiple vulnerabilities in Buffalo WSR-1166DHP3 and WSR-1166DHP4 routers
Overview Buffalo WSR-1166DHP3 and WSR-1166DHP4 routers provided by Buffalo Inc. contain multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2021-20730 OS command injection CWE-78 - CVE-2021-20731 Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC...
Zettlr vulnerable to cross-site scripting
Overview Zettlr provided by Hendrik Erz is a Markdown editor. Zettlr contains a cross-site scripting vulnerability CWE-79. Eiji Mori of flatt security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If ...
JVN#98239374: Zettlr vulnerable to cross-site scripting
Zettlr provided by Hendrik Erz is a Markdown editor. Zettlr contains a cross-site scripting vulnerability CWE-79. Impact If a file or code snippet containing an invalid iframe is loaded into Zettlr, an arbitrary script may be executed on the system where it runs. Solution Update the Software Upda...
Hitachi Ops Center Analyzer vulnerability of communication using a certificate not intended by the user
Overview Hitachi Ops Center Analyzer has a vulnerability of communication using a certificate not intended by the user. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure...
The installers of ScanSnap Manager may insecurely load Dynamic Link Libraries
Overview The installers of ScanSnap Manager provided by FUJITSU LIMITED contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated wi...
Installer of Overwolf may insecurely load Dynamic Link Libraries
Overview Overwolf is a software framework for creating applications for games. The Overwolf Installer contains an issue with the DLL search path CWE-427, which may lead to insecurely loading Dynamic Link Libraries stored in the same directory where the installer resides. Shogo kumamaru of LAC Co....
Multiple cross-site scripting vulnerabilities in multiple PHP Factory products
Overview Multiple products provided by PHP Factory contain multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability CWE-79 - CVE-2021-20723 Reflected cross-site scripting vulnerability in the admin page CWE-79 - CVE-2021-20724 Reflected cross-site...
QND vulnerable to privilege escalation
Overview QND provided by QualitySoft Corporation contains a privilege escalation vulnerability CWE-268. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. RedTeam reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#78254777: Installer of Overwolf may insecurely load Dynamic Link Libraries
Overwolf is a software framework for creating applications for games. The Overwolf Installer contains an issue with the DLL search path CWE-427, which may lead to insecurely loading Dynamic Link Libraries stored in the same directory where the installer resides. Impact Arbitrary code may be...
JVN#53910556: Multiple cross-site scripting vulnerabilities in multiple PHP Factory products
Multiple products provided by PHP Factory contain multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability CWE-79 - CVE-2021-20723 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 4.7 CVSS v2|...
JVN#65733194: The installers of ScanSnap Manager may insecurely load Dynamic Link Libraries
The installers of ScanSnap Manager provided by FUJITSU LIMITED contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest...
JVN#74686032: QND vulnerable to privilege escalation
QND provided by QualitySoft Corporation contains a privilege escalation vulnerability CWE-268. Impact A user who can log in to the PC where the product's Windows client is installed may obtain administrative privileges. As a result, sensitive information may be modified/obtained or unintended...
mod_auth_openidc vulnerable to denial-of-service (DoS)
Overview modauthopenidc provided by ZmartZone is an OpenID Connect's Relying Party module for Apache HTTP Server. This module contains a denial-of-service DoS vulnerability CWE-400. Tatsuhiko Yasumatsu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Multiple vulnerabilities in Cisco Small Business Series Wireless Access Points
Overview Cisco Small Business Series Wireless Access Points provided by Cisco Systems, Inc. contain multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2021-1400 Command injection CWE-78 - CVE-2021-1401 Shuto Imai of LAC Co., Ltd. reported this vulnerability to IPA...