JVN#32396594: Yodobashi App for Android fails to restrict access permissions
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and to access an...
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)
Overview CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection XXE vulnerability CWE-611. NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Informatio...
"Shadankun Server Security Type" vulnerable to denial-of-service (DoS)
Overview "Shadankun Server Security Type" provided by Cyber Security Cloud, Inc. contains a denial-of-service DoS vulnerability. When "Rule id"s assigned by the product's internal script overlap, the product would not be able to add newly detected attack source IP addresses as the blocking targets CWE-70...
JVN#06446084: CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection XXE vulnerability CWE-611. Impact By reading a specially crafted XML file, an arbitrary file on the server may be read by the attacker. Solution Update the Software The following updates are...
JVN#42665874: "Shadankun Server Security Type" vulnerable to denial-of-service (DoS)
"Shadankun Server Security Type" provided by Cyber Security Cloud, Inc. contains a denial-of-service DoS vulnerability. When "Rule id"s assigned by the product's internal script overlap, the product would not be able to add newly detected attack source IP addresses as the blocking targets CWE-703. The...
Multiple NETGEAR switching hubs vulnerable to cross-site request forgery
Overview GS716Tv2 and GS724Tv3 switching hubs provided by NETGEAR contain a cross-site request forgery vulnerability. Rei Yano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user views a malicious page...
JVN#29903998: Multiple NETGEAR switching hubs vulnerable to cross-site request forgery
GS716Tv2 and GS724Tv3 switching hubs provided by NETGEAR contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in to the management screen, the product's settings may be changed unintentionally. Solution Apply a workaround Applying the following...
Multiple vulnerabilities in XOOPS module "XooNIps"
Overview XOOPS module "XooNIps" contains multiple vulnerabilities listed below. SQL injection CWE-89 - CVE-2020-5624 Cross-site Scripting CWE-79 - CVE-2020-5625 Neuroinformatics Unit, Integrative Computational Brain Science Collaboration Division, RIKEN Center for Brain Science reported this...
JVN#40725650: Multiple vulnerabilities in XOOPS module "XooNIps"
XOOPS module "XooNIps" contains multiple vulnerabilities listed below.

SQL injection CWE-89 - CVE-2020-5624

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Base Score: 7.3
CVSS v2 | AV:N/AC:L/Au:N/C:P/I:P/A:P | Base Score: 7.5

Cross-site Scripting CWE-79 -...
NITORI App fails to restrict access permissions
Overview NITORI App provided by Nitori Holdings Co., Ltd. implements the function to access a requested URL using a Custom URL Scheme. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive a request from an arbitrary App and execute th...
JVN#77402327: NITORI App fails to restrict access permissions
NITORI App provided by Nitori Holdings Co., Ltd. implements the function to access a requested URL using a Custom URL Scheme. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive a request from an arbitrary App and execute the access...
Apache Struts 2 vulnerable to denial-of-service (DoS)
Overview Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service DoS vulnerability CWE-400. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#50890770: Apache Struts 2 vulnerable to denial-of-service (DoS)
Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service DoS vulnerability CWE-400. Impact An attacker may be able to cause a denial-of-service DoS. Solution Update the Software Update to the latest version according to the information provided by the developer Appl...
Multiple cross-site scripting vulnerabilities in Exment
Overview Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in some input fields CWE-79 - CVE-2020-5619 Stored cross-site scripting vulnerability in upload files CWE-79 - CVE-2020-5620 Ryoya Koyama of...
JVN#88315581: Multiple cross-site scripting vulnerabilities in Exment
Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities listed below.

Stored cross-site scripting vulnerability in some input fields CWE-79 - CVE-2020-5619

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4...
Multiple vulnerabilities in CyberMail
Overview CyberMail contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5540 Open Redirect CWE-601 - CVE-2020-5541 Tony Kuo and Chia-Lung Hsieh of CHT Security reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
JVN#46258789: Multiple vulnerabilities in CyberMail
CyberMail contains multiple vulnerabilities listed below.

Cross-site Scripting CWE-79 - CVE-2020-5540

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1
CVSS v2 | AV:N/AC:M/Au:N/C:N/I:P/A:N | Base Score: 4.3

Open Redirect CWE-601 -...
DoS Vulnerability in HiRDB
Overview A DoS vulnerability was found in HiRDB. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Overview Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution...
SKYSEA Client View vulnerable to privilege escalation
Overview SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains a privilege escalation vulnerability CWE-268. Sky Co., LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated unde...
JVN#25422698: SKYSEA Client View vulnerable to privilege escalation
SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains a privilege escalation vulnerability CWE-268. Impact A user who can log in to the PC where the product is installed may obtain unauthorized privileges and modify/obtain sensitive...
Multiple vulnerabilities in multiple PHP Factory products
Overview Multiple products provided by PHP Factory contain multiple vulnerabilities listed below. Cross-site Request Forgery CWE-352 - CVE-2020-5615 Authentication bypass CWE-287 - CVE-2020-5616 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
FANUC i Series CNC vulnerable to denial-of-service (DoS)
Overview Fanuc i Series CNC provided by FANUC CORPORATION contains a denial-of-service DoS CWE-400 vulnerability. Industrial Control Security Laboratory of Qi An Xin Technology Group Inc. from China reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#73169744: Multiple vulnerabilities in multiple PHP Factory products
Multiple products provided by PHP Factory contain multiple vulnerabilities listed below.

Cross-site Request Forgery CWE-352 - CVE-2020-5615

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2....
JVN#84959128: FANUC i Series CNC vulnerable to denial-of-service (DoS)
Fanuc i Series CNC provided by FANUC CORPORATION contains a denial-of-service DoS CWE-400 vulnerability. Impact A remote attacker may cause a denial-of-service DoS condition and access to the other devices may be blocked. Solution Update the software or apply the patch The developer states that t...
TOYOTA MOTOR's Global TechStream vulnerable to buffer overflow
Overview Global TechStream GTS is a diagnostic tool that Toyota Motor Corporation provides for Toyota dealer technicians and independent repairers. Global TechStream GTS contains a buffer overflow vulnerability CWE-121. Tomoya Kitagawa of LAC Co., Ltd. reported this vulnerability to...
JVN#40400577: TOYOTA MOTOR's Global TechStream vulnerable to buffer overflow
Global TechStream GTS is a diagnostic tool that Toyota Motor Corporation provides for Toyota dealer technicians and independent repairers. Global TechStream GTS contains a buffer overflow vulnerability CWE-121. Impact An attacker may execute arbitrary code or cause a denial of service...
JavaFX WebEngine does not properly restrict Java method execution
Overview JavaFX, a GUI library for Java applications, is provided with OracleJDK 7 through 10. Since OracleJDK 11, JavaFX has been separately maintained and developed by the OpenJFX project under the OpenJDK community. The JavaFX WebEngine component is capable of rendering web content and can be configured ...
Multiple vulnerabilities in KonaWiki2 and KonaWiki3
Overview KonaWiki2 and KonaWiki3 are lightweight wiki clones that support Japanese wiki notation. KonaWiki2 and KonaWiki3 contain multiple vulnerabilities listed below. KonaWiki2 Cross-site Scripting CWE-79 - CVE-2020-5612 KonaWiki3 Cross-site Scripting CWE-79 - CVE-2020-5613 Path Traversal CWE-2...
JVN#48194211: Multiple vulnerabilities in KonaWiki2 and KonaWiki3
KonaWiki2 and KonaWiki3 are lightweight wiki clones that support Japanese wiki notation. KonaWiki2 and KonaWiki3 contain multiple vulnerabilities listed below. KonaWiki2 Cross-site Scripting CWE-79 - CVE-2020-5612 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#62161191: JavaFX WebEngine does not properly restrict Java method execution
JavaFX, a GUI library for Java applications, is provided with OracleJDK 7 through 10. Since OracleJDK 11, JavaFX has been separately maintained and developed by the OpenJFX project under the OpenJDK community. The JavaFX WebEngine component is capable of rendering web content and can be configured to allow...
WordPress Plugin "Social Sharing Plugin" vulnerable to cross-site request forgery
Overview WordPress Plugin "Social Sharing Plugin" provided by Social Rocket contains a cross-site request forgery vulnerability CWE-352. Akio Furui of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the...
JVN#05502028: WordPress Plugin "Social Sharing Plugin" vulnerable to cross-site request forgery
WordPress Plugin "Social Sharing Plugin" provided by Social Rocket contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the...
Cross-site Scripting Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview A Cross-site Scripting vulnerability was found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
Server Side Request Forgery Vulnerability in Hitachi Ops Center Analyzer viewpoint
Overview A Server Side Request Forgery Vulnerability was found in Hitachi Ops Center Analyzer viewpoint. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric GOT2000 series
Overview TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series GT27, GT25, and GT23 contains multiple vulnerabilities listed below. Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 - CVE-2020-5595 Session Fixation CWE-384 - CVE-2020-5596 NUL...
SHIRASAGI vulnerable to open redirect
Overview SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Ryoya Koyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When...
JVN#55657988: SHIRASAGI vulnerable to open redirect
SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the...
Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of the Java object
Overview Android App "Mercari" Japan version provided by Mercari, Inc. contains a vulnerability that may allow arbitrary Java method execution CWE-749 due to inadequate restrictions on addJavascriptInterface of the WebView class. Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA. JPCERT/CC...
JVN#93167107: Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of Java object
Android App "Mercari" Japan version provided by Mercari, Inc. contains a vulnerability which may allow arbitrary Java method execution CWE-749 due to inadequate restrictions on addJavascriptInterface of the WebView class. Impact An arbitrary method of a Java object may be executed by a remote attacker...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu, Inc. has released security updates for Cybozu Garoon. CyVDB-2083 Vulnerability in Single sign-on settings to avoid viewing and operation privileges - CVE-2020-5580 CyVDB-2451 Path traversal vulnerability on the portal - CVE-2020-5581 CyVDB-2097 Vulnerability to bypass operation...
DoS Vulnerability in Hitachi Device Manager
Overview A DoS Vulnerability was found in Hitachi Device Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
JVN#55497111: Multiple vulnerabilities in Cybozu Garoon
Cybozu, Inc. has released security updates for Cybozu Garoon.

CyVDB-2083 Vulnerability in Single sign-on settings to avoid viewing and operation privileges - CVE-2020-5580

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N | Base Score: 8.5
CVSS v2 | ...
Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
Overview Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter b...
Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series vulnerable to cleartext transmission of sensitive information
Overview Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series contain a vulnerability that allows cleartext transmission of sensitive information CWE-319 between CPU modules and GX Works3 and/or GX Works2. Impact If this vulnerability is exploited, disclosure or alteration of information,...
JVN#40039627: Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an...
Vulnerability in Cosminexus HTTP Server
Overview A vulnerability CVE-2019-1551 exists in Cosminexus HTTP Server. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
EC-CUBE vulnerable to directory traversal
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains a directory traversal vulnerability CWE-22. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning...
JVN#77458946: EC-CUBE vulnerable to directory traversal
EC-CUBE provided by EC-CUBE CO.,LTD. contains a directory traversal vulnerability CWE-22. Impact A user who can log in to the management screen of the product may delete arbitrary files and/or directories on the server. Solution Update the Software The update for EC-CUBE 4 is available. Update the...
Path Traversal Vulnerability in Hitachi Automation Director and Hitachi Ops Center Automator
Overview A Path Traversal Vulnerability was found in Hitachi Automation Director and Hitachi Ops Center Automator. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and...