5625 matches found
Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS)
Overview Multifunction devices and printers provided by Fuji Xerox Co.,Ltd. contain a denial-of-service DoS vulnerability. Masahiro Kawada of Ierae Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
JVN#37607293: Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS)
Multifunction devices and printers provided by Fuji Xerox Co.,Ltd. contain a denial-of-service DoS vulnerability. Impact An attacker may cause the products to be terminated by sending a specially crafted command. In order to restart the products, the physical power button on the devices must be...
WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection
Overview WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability CWE-89. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to JPCERT/CC, and...
JVN#08191557: WordPress plugin "Paid Memberships Pro" vulnerable to SQL injection
WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability CWE-89. Impact An attacker who can access Paid Membership Pro may obtain and/or alter the information stored in the database. Solution Update the plugin Update the plugin according to the information provided by the...
Multiple vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-1657 Operational restrictions bypass vulnerability in Scheduler CWE-264 - CVE-2021-20624 CyVDB-1727 Operational restrictions bypass vulnerability in Bulletin Board CWE-264 - CVE-2021-20625...
JVN#45797538: Multiple vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. CyVDB-1657 Operational restrictions bypass vulnerability in Scheduler CWE-264 - CVE-2021-20624 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2|...
M-System DL8 contains multiple vulnerabilities
Overview DL8 provided by M-System contains the following vulnerabilities: Denial-of-Service CWE-400 - CVE-2021-20675 Improper Access Control CWE-284 - CVE-2021-20676 CVE-2021-20675 Takayuki Sasaki, Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC...
JVN#47497535: M-System DL8 contains multiple vulnerabilities
DL8 provided by M-System contains the following vulnerabilities: Denial-of-Service CWE-400 - CVE-2021-20675 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H| Base Score: 6.5 CVSS v2| AV:N/AC:L/Au:S/C:N/I:N/A:C| Base Score: 6.8 Improper Access Control CWE-28...
Installer of MagicConnect Client program may insecurely load Dynamic Link Libraries
Overview Installer of MagicConnect Client program provided by NTT TechnoCross Corporation contains a vulnerability which may lead to insecurely loading Dynamic Link Libraries CWE-427 when a terminal is connected remotely using Remote desktop. Yuji Tounai of Mitsui Bussan Secure Directions, Inc...
JVN#18056666: Installer of MagicConnect Client program may insecurely load Dynamic Link Libraries
Installer of MagicConnect Client program provided by NTT TechnoCross Corporation contains a vulnerability which may lead to insecurely loading Dynamic Link Libraries CWE-427 when a terminal is connected remotely using Remote desktop. Impact Arbitrary code may be executed with the privilege of the...
Multiple cross-site scripting vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters CWE-79 - CVE-2021-20672 Stored cross-site scripting vulnerability in Admin Page CWE-79...
JVN#86438134: Multiple cross-site scripting vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability due to insufficient verification of URL query parameters CWE-79 - CVE-2021-20672 Version| Vector| Score ---|---|--- CVSS v3|...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Stored Cross-site Scripting CWE-79 - CVE-2021-20667 Path Traversal CWE-22 - CVE-2021-20668 Path Traversal CWE-22 - CVE-2021-20669 Improper Access Control CWE-284 - CVE-2021-20670 Improper Input Validation CWE-...
Trend Micro Security (Consumer) vulnerable to code injection
Overview Trend Micro Security Consumer provided by Trend Micro Incorporated contains a code injection vulnerability CWE-94. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN. Impact An attacker who obtained administrative privileges may...
The installers of E START products may insecurely load Dynamic Link Libraries
Overview The installers of E START products by GMO INSIGHT Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the folder specified by the TEMP environment variable or where the installer resides CWE-427, CVE-2015-9267, and CVE-2015-9268...
JVN#68418039: The installers of E START products may insecurely load Dynamic Link Libraries
The installers of E START products by GMO INSIGHT Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the folder specified by the TEMP environment variable or where the installer resides CWE-427, CVE-2015-9267, and CVE-2015-9268. Impact...
Multiple cross-site scripting vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Role authority setting screen CWE-79 - CVE-2021-20663 Cross-site scripting vulnerability in Asset registration screen CWE-79 - CVE-2021-20664...
JVN#66542874: Multiple cross-site scripting vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple cross-site scripting vulnerabilities listed below. Cross-site scripting vulnerability in Role authority setting screen CWE-79 - CVE-2021-20663 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base...
Multiple vulnerabilities in SolarView Compact
Overview SolarView Compact provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. Exposure of information through directory listing CWE-548 - CVE-2021-20656 Improper access control CWE-284 - CVE-2021-20657 OS command injection CWE-78 - CVE-2021-20658 Unrestricted upload of...
JVN#37417423: Multiple vulnerabilities in SolarView Compact
SolarView Compact provided by Contec Co., Ltd. contains multiple vulnerabilities listed below. Exposure of information through directory listing CWE-548 - CVE-2021-20656 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N| Base Score: 3.5 CVSS v2|...
Multiple Vulnerabilities in JP1/Automatic Operation
Overview Multiple vulnerabilities have been found in JP1/Automatic Operation. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
FileZen vulnerable to OS command injection
Overview FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface. FileZen contains an OS command injection vulnerability CWE-78. Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through...
JVN#58774946: FileZen vulnerable to OS command injection
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or an web interface. FileZen contains an OS command injection vulnerability CWE-78. Impact A remote attacker who obtained the administrative account of this product may execute an arbitrary OS...
Calsos CSDJ fails to restrict access permissions
Overview Calsos CSDJ provided by NEC Platforms, Ltd. fails to restrict access permissions CWE-264, which may lead to an unauthorized user being able to view the historical data without access privileges. Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this...
JVN#87164507: Calsos CSDJ fails to restrict access permissions
Calsos CSDJ provided by NEC Platforms, Ltd. fails to restrict access permissions CWE-264, which may lead to an unauthorized user being able to view the historical data without access privileges. Impact A user who can login to the product may obtain unauthorized historical data without access...
Wekan vulnerable to cross-site scripting
Overview Wekan, open source kanban board system, is vulnerable to cross-site scripting CWE-79. This vulnerability is treated as one of multiple cross-site scripting vulnerabilities, named "Fieldbleed". Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA...
JVN#80785288: Wekan vulnerable to cross-site scripting
Wekan, open source kanban board system, is vulnerable to cross-site scripting CWE-79. This vulnerability is treated as one of multiple cross-site scripting vulnerabilities, named "Fieldbleed". Impact When a logged-in user store malicious value containing Javascript code to the system, that...
Improper access control vulnerability in JP1/IT Desktop Management 2 - Manager and JP1/NETM/Asset Information Manager
Overview The JP1/IT Desktop Management 2 - Manager and JP1/NETM/Asset Information Manager contains improper access control vulnerability. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the offici...
Cross-site Scripting Vulnerability in Hitachi Application Server Help
Overview A cross-site scripting vulnerability was found in Hitachi Application Server Help. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
Overview WordPress Plugin "Name Directory" provided by J. Peters contains a cross-site request forgery vulnerability CWE-352. Yuta Asai of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the developer and...
JVN#50470170: WordPress Plugin "Name Directory" vulnerable to cross-site request forgery
WordPress Plugin "Name Directory" provided by J. Peters contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin...
Trend Micro HouseCall for Home Networks (Windows Edition) may insecurely load Dynamic Link Libraries
Overview HouseCall for Home Networks Windows Edition provided by Trend Micro Incorporated contains an issue with the DLL search path. By reading a malicious DLL placed in the folder specified by the PATH environment variable, arbitrary code with an escalated privilege may be executed CWE-427. Tre...
Panasonic Video Insight VMS vulnerable to arbitrary code execution
Overview Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94 because unencrypted communication exists in the communication using non-well known ports. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its...
JVN#42252698: Panasonic Video Insight VMS vulnerable to arbitrary code execution
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94 because unencrypted communication exists in the communication using non-well known ports. Impact By sending a specially crafted request to the vulnerable product, a remoto attacker may...
Vulnerability in JP1/VERITAS
Overview A vulnerability exists in JP1/VERITAS. Impact Regerding the impact df the vulnerablilty, please refer to the ventor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
OS command injection vulnerability in multiple Infoscience Corporation log management tools
Overview Infoscience Corporation's multiple log management tools provide an FTP upload function as one of the log collection methods, and is able to set to allow the adminitrators to accept FTP uploads. In a situation where the FTP upload function is enabled and there is a flaw of input value...
Android App "ELECOM File Manager" vulnerable to directory traversal
Overview Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability CWE-22 due to a flaw in the processing of the filenames when extracting the compressed files. Ryohei Koike reported this vulnerability to IPA. JPCERT/CC coordinated with the develop...
JVN#41853173: OS command injection vulnerability in multiple Infoscience Corporation log management tools
Infoscience Corporation's multiple log management tools provide an FTP upload function as one of the log collection methods, and is able to set to allow the adminitrators to accept FTP uploads. In a situation where the FTP upload function is enabled and there is a flaw of input value handling in...
Multiple vulnerabilities in multiple ELECOM products
Overview Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20643 Script injection in web setup page CWE-74 - CVE-2021-20644 Stored cross-site scripting CWE-79 - CVE-2021-20645 Cross-site request forgery CWE-352 ...
Multiple vulnerabilities in multiple LOGITEC products
Overview Multiple products provided by LOGITEC CORPORATION contain multiple vulnerabilities. Improper restriction of excessive authentication attempts CWE-307 - CVE-2021-20635 Cross-site request forgery CWE-352 - CVE-2021-20636, CVE-2021-20641 Improper check or handling of exceptional conditions...
JVN#96783542: Multiple vulnerabilities in multiple LOGITEC products
Multiple products provided by LOGITEC CORPORATION contain multiple vulnerabilities listed below. Improper restriction of excessive authentication attempts CWE-307 - CVE-2021-20635 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 4.3 CVSS v2|...
JVN#98115035: Android App "ELECOM File Manager" vulnerable to directory traversal
Android App "ELECOM File Manager" provided by ELECOM CO.,LTD. contains a directory traversal vulnerability CWE-22 due to a flaw in the processing of the filenames when extracting the compressed files. Impact A remote attacker may create an arbitrary file or overwrite an existing file in a directo...
JVN#47580234: Multiple vulnerabilities in multiple ELECOM products
Multiple products provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20643 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N| Base Score: 5.3 CVSS v2| AV:N/AC:L/Au:N/C:N/I:P/A:N| Base Score:...
TP-Link TL-WR841N V13 (JP) vulnerable to OS command injection
Overview TP-Link TL-WR841N is a wifi router for home networks. The firmware version 161028 for hardware version V13 JP is reported vulnerable to OS command injection CWE-78. According to the vendor, the firmware for hardware version V14 JP is not affected. Koh You Liang of 3-shake Inc. reported...
Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
Overview Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities. Aterm WF800HP: Cross-site Scripting CWE-79 - CVE-2021-20620 Aterm WG2600HP and Aterm WG2600HP2: Improper Access Control CWE-284 - CVE-2017-12575 Cross-Site Request Forgery...
JVN#38248512: Multiple vulnerabilities in Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2
Aterm WF800HP, Aterm WG2600HP, and Aterm WG2600HP2 provided by NEC Corporation contain multiple vulnerabilities listed below. Aterm WF800HP: Cross-site Scripting CWE-79 - CVE-2021-20620 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS...
GROWI vulnerable to cross-site scripting
Overview GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
JVN#57544707: GROWI vulnerable to cross-site scripting
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Products Affect...
Multiple vulnerabilities in acmailer
Overview acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20617 Privilege Chaining CWE-268 - CVE-2021-20618 ma.la reported these vulnerabilities to the developer, and also to IPA in order to notify users of its solution...
JVN#35906450: Multiple vulnerabilities in acmailer
acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below. Improper Access Control CWE-284 - CVE-2021-20617 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2| AV:N/AC:L/Au:N/C:P/I:P/A:P| Base Score: 7.5...