5625 matches found
WordPress Plugin "Live Chat - Live support" vulnerable to cross-site request forgery
Overview WordPress Plugin "Live Chat - Live support" provided by onWebChat contains a cross-site request forgery vulnerability CWE-352. Yusuke Fukuda of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the...
JVN#92404841: WordPress Plugin "Live Chat – Live support" vulnerable to cross-site request forgery
WordPress Plugin "Live Chat - Live support" provided by onWebChat contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious web page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the...
Trend Micro Antivirus for Mac vulnerable to a privilege escalation
Overview Antivirus for Mac provided by Trend Micro Incorporated contain a symbolic link privilege escalation vulnerability CWE-61. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated unde...
OS command injection vulnerability in multiple ELECOM LAN routers
Overview Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability CWE-78. Katsuhiko Satoa.k.a. gorohkun of 00One, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#82892096: OS command injection vulnerability in multiple ELECOM LAN routers
Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain an OS command injection vulnerability CWE-78. Impact A remote attacker who can access the management screen of the affected device may execute an arbitrary OS command with root privilege. Solution Apply the appropriate firmware updat...
InfoCage SiteShell installs their files with improper access permissions
Overview InfoCage SiteShell provided by NEC Corporation installs their files with improper access permissions CWE-732. Especially, the service executable files can be modified by Everyone users. NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN...
JVN#07426151: InfoCage SiteShell installs their files with improper access permissions
InfoCage SiteShell provided by NEC Corporation installs their files with improper access permissions CWE-732. Especially, the service executable files can be modified by Everyone users. Impact The service executable files may be modified by local users, resulting in arbitrary code execution with ...
CMONOS.JP vulnerable to cross-site scripting
Overview CMONOS.JP provided CMONOS Co. Ltd. is a content management system CMS. CMONOS.JP contains a stored cross-site scripting vulnerability CWE-79. stypr of Flatt Security Inc. reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case...
ServerProtect for Linux vulnerable to OS command injection
Overview ServerProtect for Linux provided by Trend Micro Incorporated contains an OS command injection vulnerability CWE-78. Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact A remote authenticated attacker may execute arbitrary code. Soluti...
Multiple vulnerabilities in Active Update function implemented in multiple Trend Micro products
Overview Active Update function implemented in Premium Security 2019 for Windows v15, Maximum Security 2019 for Windows v15, Internet Security 2019 for Windows v15 and Antivirus+ 2019 for Windows v15 provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. Update files...
JVN#60093979: Multiple vulnerabilities in Active Update function implemented in multiple Trend Micro products
Active Update function implemented in Premium Security 2019 for Windows v15, Maximum Security 2019 for Windows v15, Internet Security 2019 for Windows v15 and Antivirus+ 2019 for Windows v15 provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. Update files are not...
Multiple access restriction bypass vulnerabilities in UNIQLO App
Overview UNIQLO App provided by UNIQLO CO., LTD. contains multiple access restriction bypass vulnerabilities below. A remote attacker may be able to lead a user to access an arbitrary website via the vulnerable App. The App launched by a Custom URL Scheme may lead a user to access an arbitrary UR...
JVN#31864411: Multiple access restriction bypass vulnerabilities in UNIQLO App
UNIQLO App provided by UNIQLO CO., LTD. contains multiple access restriction bypass vulnerabilities below. A remote attacker may be able to lead a user to access an arbitrary website via the vulnerable App. The App launched by a Custom URL Scheme may lead a user to access an arbitrary URL -...
Multiple vulnerabilities in Buffalo AirStation WHR-G54S
Overview Buffalo AirStation WHR-G54S contains multiple vulnerabilities listed below. Directory Traversal - CVE-2020-5605 Cross-site Scripting - CVE-2020-5606 RyotaK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#09166495: Multiple vulnerabilities in Buffalo AirStation WHR-G54S
Buffalo AirStation WHR-G54S contains multiple vulnerabilities listed below. Directory Traversal - CVE-2020-5605 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N| Base Score: 4.1 CVSS v2| AV:A/AC:L/Au:S/C:P/I:N/A:N| Base Score: 2.7 Cross-site Scripting -...
Yodobashi App for Android fails to restrict access permissions
Overview Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and to...
JVN#32396594: Yodobashi App for Android fails to restrict access permissions
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and to access an...
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)
Overview CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection XXE vulnerability CWE-611. NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Informatio...
"Shadankun Server Security Type" vulnerable to denial-of-service (DoS)
Overview "Shadankun Server Security Type" provided by Cyber Security Cloud , Inc. contains a denial-of-service DoS vulnerability. When "Rule id"s assigned by the product's internal script overlap, it would not be able to add newly detected attack source IP addresses as the blocking targets CWE-70...
JVN#06446084: CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection XXE vulnerability CWE-611. Impact By reading a specially crafted XML files, an arbitrary file on the server may be read by the attacker. Solution Update the Software The following updates are...
JVN#42665874: "Shadankun Server Security Type" vulnerable to denial-of-service (DoS)
"Shadankun Server Security Type" provided by Cyber Security Cloud , Inc. contains a denial-of-service DoS vulnerability. When "Rule id"s assigned by the product's internal script overlap, it would not be able to add newly detected attack source IP addresses as the blocking targets CWE-703. The...
Multiple NETGEAR switching hubs vulnerable to cross-site request forgery
Overview GS716Tv2 and GS724Tv3 switching hubs provided by NETGEAR contain a cross-site request forgery vulnerability. Rei Yano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user views a malicious page...
JVN#29903998: Multiple NETGEAR switching hubs vulnerable to cross-site request forgery
GS716Tv2 and GS724Tv3 switching hubs provided by NETGEAR contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in to the management screen, the product's settings may be changed unintentionally. Solution Apply a workaround Applying the following...
Multiple vulnerabilities in XOOPS module "XooNIps"
Overview XOOPS module "XooNIps" contains multiple vulnerabilities listed below. SQL injection CWE-89 - CVE-2020-5624 Cross-site Scripting CWE-79 - CVE-2020-5625 Neuroinformatics Unit, Integrative Computational Brain Science Collaboration Division, RIKEN Center for Brain Science reported this...
JVN#40725650: Multiple vulnerabilities in XOOPS module "XooNIps"
XOOPS module "XooNIps" contains multiple vulnerabilities listed below. SQL injectionCWE-89 - CVE-2020-5624 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L| Base Score: 7.3 CVSS v2| AV:N/AC:L/Au:N/C:P/I:P/A:P| Base Score: 7.5 Cross-site Scripting CWE-79 -...
NITORI App fails to restrict access permissions
Overview NITORI App provided by Nitori Holdings Co., Ltd. implements the function to access a requested URL using Custom URL Scheme. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an request from an arbitrary App and execute th...
JVN#77402327: NITORI App fails to restrict access permissions
NITORI App provided by Nitori Holdings Co., Ltd. implements the function to access a requested URL using Custom URL Scheme. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an request from an arbitrary App and execute the access...
Apache Struts 2 vulnerable to denial-of-service (DoS)
Overview Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service DoS vulnerability CWE-400. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#50890770: Apache Struts 2 vulnerable to denial-of-service (DoS)
Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service DoS vulnerability CWE-400. Impact An attacker may be able to cause a denial-of-service DoS. Solution Update the Software Update to the latest version according to the information provided by the developer Appl...
Multiple cross-site scripting vulnerabilities in Exment
Overview Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in some input fields CWE-79 - CVE-2020-5619 Stored cross-site scripting vulnerability in upload files CWE-79 - CVE-2020-5620 Ryoya Koyama of...
JVN#88315581: Multiple cross-site scripting vulnerabilities in Exment
Exment provided by Kajitori Co.,Ltd contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in some input fields CWE-79 - CVE-2020-5619 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 5.4...
Multiple vulnerabilities in CyberMail
Overview CyberMail contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5540 Open Redirect CWE-601 - CVE-2020-5541 Tony Kuo and Chia-Lung Hsieh of CHT Security reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
JVN#46258789: Multiple vulnerabilities in CyberMail
CyberMail contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5540 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 Open Redirect CWE-601 -...
DoS Vulnerability in HiRDB
Overview A DoS vulnerability was found in HiRDB. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Overview Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution...
SKYSEA Client View vulnerable to privilege escalation
Overview SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains a privilege escalation vulnerability CWE-268. Sky Co., LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated unde...
JVN#25422698: SKYSEA Client View vulnerable to privilege escalation
SKYSEA Client View provided by Sky Co., LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains a privilege escalation vulnerability CWE-268. Impact A user who can login to the PC where the product is installed may obtain unauthorized privileges and modify/obtain sensitive...
Multiple vulnerabilities in multiple PHP Factory products
Overview Multiple products provided by PHP Factory contain multiple vulnerabilities listed below. Cross-site Request Forgery CWE-352 - CVE-2020-5615 Authentication bypass CWE-287 - CVE-2020-5616 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
FANUC i Series CNC vulnerable to denial-of-service (DoS)
Overview Fanuc i Series CNC provided by FANUC CORPORATION contains a denial-of-service DoS CWE-400 vulnerability. Industrial Control Security Laboratory of Qi An Xin Technology Group Inc. from China reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#84959128: FANUC i Series CNC vulnerable to denial-of-service (DoS)
Fanuc i Series CNC provided by FANUC CORPORATION contains a denial-of-service DoS CWE-400 vulnerability. Impact A remote attacker may cause a denial-of-service DoS condition and access to the other devices may be blocked. Solution Update the software or apply the patch The developer states that t...
JVN#73169744: Multiple vulnerabilities in multiple PHP Factory products
Multiple products provided by PHP Factory contain multiple vulnerabilities listed below. Cross-site Request Forgery CWE-352 - CVE-2020-5615 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base Score: 2....
TOYOTA MOTOR's Global TechStream vulnerable to buffer overflow
Overview Global TechStream GTS is a diagnostic tool that Toyota Motor Corporation provides for Toyota dealers technicians and independent repairers to utilize. Global TechStream GTS contains a buffer overflow vulnerability CWE-121. Tomoya Kitagawa of LAC Co., Ltd. reported this vulnerability to...
JVN#40400577: TOYOTA MOTOR's Global TechStream vulnerable to buffer overflow
Global TechStream GTS is a diagnostic tool that Toyota Motor Corporation provides for Toyota dealers technicians and independent repairers to utilize. Global TechStream GTS contains a buffer overflow vulnerability CWE-121. Impact An attacker may execute arbitrary code or cause a denial of service...
JavaFX WebEngine does not properly restrict Java method execution
Overview JavaFX, GUI library for Java applications, is provided with OracleJDK 7 through 10. Since OracleJDK 11, JavaFX is separately maintained and developed by OpenJFX project under OpenJDK community. JavaFX WebEngine component is capable of web content rendering, and possible to be configured ...
Multiple vulnerabilities in KonaWiki2 and KonaWiki3
Overview KonaWiki2 and KonaWiki3 are lightweight wiki clones that support Japanese wiki notation. KonaWiki2 and KonaWiki3 contain multiple vulnerabilities listed below. KonaWiki2 Cross-site Scripting CWE-79 - CVE-2020-5612 KonaWiki3 Cross-site Scripting CWE-79 - CVE-2020-5613 Path Traversal CWE-2...
JVN#48194211: Multiple vulnerabilities in KonaWiki2 and KonaWiki3
KonaWiki2 and KonaWiki3 are lightweight wiki clones that support Japanese wiki notation. KonaWiki2 and KonaWiki3 contain multiple vulnerabilities listed below. KonaWiki2 Cross-site Scripting CWE-79 - CVE-2020-5612 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#62161191: JavaFX WebEngine does not properly restrict Java method execution
JavaFX, GUI library for Java applications, is provided with OracleJDK 7 through 10. Since OracleJDK 11, JavaFX is separately maintained and developed by OpenJFX project under OpenJDK community. JavaFX WebEngine component is capable of web content rendering, and possible to be configured to allow...
WordPress Plugin "Social Sharing Plugin" vulnerable to cross-site request forgery
Overview WordPress Plugin "Social Sharing Plugin" provided by Social Rocket contains a cross-site request forgery vulnerability CWE-352. Akio Furui of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to the...
JVN#05502028: WordPress Plugin "Social Sharing Plugin" vulnerable to cross-site request forgery
WordPress Plugin "Social Sharing Plugin" provided by Social Rocket contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the...
Cross-site Scripting Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview A Cross-site Scripting vulnerability was found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...