5609 matches found
Multiple cross-site scripting vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Role authority setting screen CWE-79 - CVE-2021-20663 Cross-site scripting vulnerability in Asset registration screen CWE-79 - CVE-2021-20664...
JVN#66542874: Multiple cross-site scripting vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Role authority setting screen CWE-79 - CVE-2021-20663 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base...
Multiple vulnerabilities in SolarView Compact
Overview SolarView Compact provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. Exposure of information through directory listing CWE-548 - CVE-2021-20656 Improper access control CWE-284 - CVE-2021-20657 OS command injection CWE-78 - CVE-2021-20658 Unrestricted upload of...
JVN#37417423: Multiple vulnerabilities in SolarView Compact
SolarView Compact provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. Exposure of information through directory listing CWE-548 - CVE-2021-20656 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| Base Score: 3.5 CVSS v2|...
Multiple Vulnerabilities in JP1/Automatic Operation
Overview Multiple vulnerabilities have been found in JP1/Automatic Operation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
FileZen vulnerable to OS command injection
Overview FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface. FileZen contains an OS command injection vulnerability CWE-78. Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through...
JVN#58774946: FileZen vulnerable to OS command injection
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface. FileZen contains an OS command injection vulnerability CWE-78. Impact A remote attacker who obtained the administrative account of this product may execute an arbitrary OS...
Calsos CSDJ fails to restrict access permissions
Overview Calsos CSDJ provided by NEC Platforms, Ltd. fails to restrict access permissions CWE-264, which may lead to an unauthorized user being able to view the historical data without access privileges. Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this...
JVN#87164507: Calsos CSDJ fails to restrict access permissions
Calsos CSDJ provided by NEC Platforms, Ltd. fails to restrict access permissions CWE-264, which may lead to an unauthorized user being able to view the historical data without access privileges. Impact A user who can log in to the product may obtain unauthorized historical data without access...
Wekan vulnerable to cross-site scripting
Overview Wekan, an open source kanban board system, is vulnerable to cross-site scripting CWE-79. This vulnerability is treated as one of multiple cross-site scripting vulnerabilities, named "Fieldbleed". Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA...
JVN#80785288: Wekan vulnerable to cross-site scripting
Wekan, an open source kanban board system, is vulnerable to cross-site scripting CWE-79. This vulnerability is treated as one of multiple cross-site scripting vulnerabilities, named "Fieldbleed". Impact When a logged-in user stores a malicious value containing JavaScript code in the system, that...
Improper access control vulnerability in JP1/IT Desktop Management 2 - Manager and JP1/NETM/Asset Information Manager
Overview JP1/IT Desktop Management 2 - Manager and JP1/NETM/Asset Information Manager contain an improper access control vulnerability. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the offici...
Cross-site Scripting Vulnerability in Hitachi Application Server Help
Overview A cross-site scripting vulnerability was found in Hitachi Application Server Help. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
Overview WordPress Plugin "Name Directory" provided by J. Peters contains a cross-site request forgery vulnerability CWE-352. Yuta Asai of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the developer and...
JVN#50470170: WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
WordPress Plugin "Name Directory" provided by J. Peters contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin...
Trend Micro HouseCall for Home Networks (Windows Edition) may insecurely load Dynamic Link Libraries
Overview HouseCall for Home Networks Windows Edition provided by Trend Micro Incorporated contains an issue with the DLL search path. If a malicious DLL placed in a folder specified by the PATH environment variable is loaded, arbitrary code may be executed with escalated privileges CWE-427. Tre...
Panasonic Video Insight VMS vulnerable to arbitrary code execution
Overview Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94 because communication over non-well-known ports is unencrypted. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its...
JVN#42252698: Panasonic Video Insight VMS vulnerable to arbitrary code execution
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94 because communication over non-well-known ports is unencrypted. Impact By sending a specially crafted request to the vulnerable product, a remote attacker may...
Vulnerability in JP1/VERITAS
Overview A vulnerability exists in JP1/VERITAS. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
OS command injection vulnerability in multiple Infoscience Corporation log management tools
Overview Multiple log management tools from Infoscience Corporation provide an FTP upload function as one of the log collection methods, which administrators can enable to accept FTP uploads. In a situation where the FTP upload function is enabled and there is a flaw of input value...
Android App "ELECOM File Manager" vulnerable to directory traversal
Overview Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability CWE-22 due to a flaw in the processing of filenames when extracting compressed files. Ryohei Koike reported this vulnerability to IPA. JPCERT/CC coordinated with the develop...
JVN#41853173: OS command injection vulnerability in multiple Infoscience Corporation log management tools
Multiple log management tools from Infoscience Corporation provide an FTP upload function as one of the log collection methods, which administrators can enable to accept FTP uploads. In a situation where the FTP upload function is enabled and there is a flaw of input value handling in...
Multiple vulnerabilities in multiple ELECOM products
Overview Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20643 Script injection in web setup page CWE-74 - CVE-2021-20644 Stored cross-site scripting CWE-79 - CVE-2021-20645 Cross-site request forgery CWE-352 ...
Multiple vulnerabilities in multiple LOGITEC products
Overview Multiple products provided by LOGITEC CORPORATION contain multiple vulnerabilities. Improper restriction of excessive authentication attempts CWE-307 - CVE-2021-20635 Cross-site request forgery CWE-352 - CVE-2021-20636, CVE-2021-20641 Improper check or handling of exceptional conditions...
JVN#96783542: Multiple vulnerabilities in multiple LOGITEC products
Multiple products provided by LOGITEC CORPORATION contain multiple vulnerabilities listed below. Improper restriction of excessive authentication attempts CWE-307 - CVE-2021-20635 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 4.3 CVSS v2|...
JVN#47580234: Multiple vulnerabilities in multiple ELECOM products
Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20643 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N| Base Score: 5.3 CVSS v2| AV:N/AC:L/Au:N/C:N/I:P/A:N| Base Score:...
JVN#98115035: Android App "ELECOM File Manager" vulnerable to directory traversal
Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability CWE-22 due to a flaw in the processing of filenames when extracting compressed files. Impact A remote attacker may create an arbitrary file or overwrite an existing file in a directo...
TP-Link TL-WR841N V13 (JP) vulnerable to OS command injection
Overview TP-Link TL-WR841N is a Wi-Fi router for home networks. The firmware version 161028 for hardware version V13 JP is reported vulnerable to OS command injection CWE-78. According to the vendor, the firmware for hardware version V14 JP is not affected. Koh You Liang of 3-shake Inc. reported...
Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
Overview Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities. Aterm WF800HP: Cross-site Scripting CWE-79 - CVE-2021-20620 Aterm WG2600HP and Aterm WG2600HP2: Improper Access Control CWE-284 - CVE-2017-12575 Cross-Site Request Forgery...
JVN#38248512: Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities listed below. Aterm WF800HP: Cross-site Scripting CWE-79 - CVE-2021-20620 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS...
GROWI vulnerable to cross-site scripting
Overview GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
JVN#57544707: GROWI vulnerable to cross-site scripting
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Products Affect...
Multiple vulnerabilities in acmailer
Overview acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20617 Privilege Chaining CWE-268 - CVE-2021-20618 ma.la reported these vulnerabilities to the developer, and also to IPA in order to notify users of its solution...
JVN#35906450: Multiple vulnerabilities in acmailer
acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20617 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2| AV:N/AC:L/Au:N/C:P/I:P/A:P| Base Score: 7.5...
The installer of SKYSEA Client View may insecurely load Dynamic Link Libraries
Overview SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. The installer of SKYSEA Client View contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. shogo kumamaru of LAC Co.,Ltd reported this...
JVN#69635538: The installer of SKYSEA Client View may insecurely load Dynamic Link Libraries
SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. The installer of SKYSEA Client View contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of...
Multiple NEC Products vulnerable to authentication bypass
Overview The Intelligent Platform Management Interface (IPMI) v1.5 specification prescribes the Remote Management Control Protocol (RMCP) for accessing a BMC over LAN. Multiple NEC products which conduct RMCP access using IPMI over LAN contain an issue in implementations of the BMC firmware, and when accessing the BMC...
Multiple vulnerabilities in UNIVERGE SV9500/SV8500 series
Overview The remote system maintenance feature of the UNIVERGE SV9500/SV8500 series' web-based remote maintenance console contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2020-5685 Incorrect Implementation of Authentication Algorithm CWE-303 - CVE-2020-5686 NEC Platforms,...
JVN#38784555: Multiple vulnerabilities in UNIVERGE SV9500/SV8500 series
The remote system maintenance feature of the UNIVERGE SV9500/SV8500 series' web-based remote maintenance console contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2020-5685 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H| Base Score...
JVN#38752718: Multiple NEC Products vulnerable to authentication bypass
The Intelligent Platform Management Interface (IPMI) v1.5 specification prescribes the Remote Management Control Protocol (RMCP) for accessing a BMC over LAN. Multiple NEC products which conduct RMCP access using IPMI over LAN contain an issue in implementations of the BMC firmware, and when accessing the BMC through RMCP...
Improper certificate validation vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer contain an improper certificate validation vulnerability. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the...
Cleartext Transmission of Sensitive Information Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer contain a cleartext transmission of sensitive information vulnerability due to incomplete documentation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer t...
Cross-site Scripting Vulnerability in Hitachi Command Suite
Overview A Cross-site Scripting vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Management software for NEC Storage disk array system vulnerable to improper server certificate verification
Overview Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification CWE-295. Masaaki KOBAYASHI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
Self-Extracting files created by multiple SEIKO EPSON products may insecurely load Dynamic Link Libraries
Overview Self-Extracting files created by multiple SEIKO EPSON products contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. SEIKO EPSON CORPORATION reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...
JVN#94244575: Self-Extracting files created by multiple SEIKO EPSON products may insecurely load Dynamic Link Libraries
Self-Extracting files created by multiple SEIKO EPSON products contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the Self-Extracting files. Solution Update t...
JVN#10100024: Management software for NEC Storage disk array system vulnerable to improper server certificate verification
Management software for NEC Storage disk array system provided by NEC Corporation is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication or alter the communication. Solution Update the...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Denial-of-service DoS due to improper verification of input values CWE-400 - CVE-2020-5682 Directory traversal due to improper verification of uploaded files CWE-22 - CVE-2020-5683 These vulnerabilities were...
JVN#94169589: Multiple vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Denial-of-service DoS due to improper verification of input values CWE-400 - CVE-2020-5682 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L| Base Score: 5.3 CVSS v2|...
Multiple vulnerabilities in Aterm SA3500G
Overview Aterm SA3500G provided by NEC Corporation contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2020-5635 OS command injection CWE-78 - CVE-2020-5636 Improper Validation of Integrity Check Value CWE-354 - CVE-2020-5637 These vulnerabilities were reported by th...