Multiple vulnerabilities in Zenphoto
Overview Zenphoto is a content management system CMS. Zenphoto contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5592 Code Injection CWE-94 - CVE-2020-5593 Tomohisa Maeda of Panasonic Corporation, Product Security Center reported this vulnerability to IPA...
JVN#32252648: Multiple vulnerabilities in Zenphoto
Zenphoto is a content management system CMS. Zenphoto contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5592 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base...
Multiple SONY Wireless Headphones allow improper Bluetooth pairing
Overview Multiple SONY Wireless Headphones have a vulnerability that allows someone within Bluetooth range to perform Bluetooth pairing. National Institute of Technology, Tokyo College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warni...
JVN#67447798: Multiple SONY Wireless Headphones allow improper Bluetooth pairing
Multiple SONY Wireless Headphones have a vulnerability that allows someone within Bluetooth range to perform Bluetooth pairing CWE-306. Impact When using the product, someone within Bluetooth range may perform Bluetooth pairing and operate the product, for example by changing its volume. Solution Update...
XACK DNS vulnerable to denial-of-service (DoS)
Overview XACK DNS is DNS server software provided by XACK, Inc. XACK DNS contains a denial-of-service DoS vulnerability due to an issue commonly referred to as NXNSAttack. XACK, Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and XACK, Inc. coordinat...
JVN#40208370: XACK DNS vulnerable to denial-of-service (DoS)
XACK DNS is DNS server software provided by XACK, Inc. XACK DNS contains a denial-of-service DoS vulnerability due to an issue commonly referred to as NXNSAttack. Impact A remote attacker may be able to cause denial-of-service DoS conditions listed below. The performance of the recursive resolver...
Multiple security updates for multiple Cybozu products
Overview Cybozu, Inc. has released multiple security updates for multiple Cybozu products. CyVDB-2465 Credential Disclosure Vulnerability - CVE-2020-5572 CyVDB-2484 Credential Disclosure Vulnerability - CVE-2020-5573 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these...
JVN#78745667: Multiple security updates for multiple Cybozu products
Cybozu, Inc. has released multiple security updates for multiple Cybozu products. CyVDB-2465 Credential Disclosure Vulnerability - CVE-2020-5572 CyVDB-2484 Credential Disclosure Vulnerability - CVE-2020-5573 Impact A user who can login to the product may obtain sensitive information registered in...
Privilege escalation vulnerability in Hitachi Ops Center Common Services
Overview A privilege escalation vulnerability was found in Hitachi Ops Center Common Services Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate actio...
Cybozu Desktop for Windows vulnerable to arbitrary code execution
Overview Cybozu Desktop for Windows provided by Cybozu, Inc. contains an arbitrary code execution vulnerability due to the improper data processing when applying the software update. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to Cybozu, Inc. and...
JVN#59552136: Cybozu Desktop for Windows vulnerable to arbitrary code execution
Cybozu Desktop for Windows provided by Cybozu, Inc. contains an arbitrary code execution vulnerability due to improper data processing when applying the software update. Impact A remote attacker may execute arbitrary code through an attack, such as a man-in-the-middle MITM, subdomain takeove...
WordPress Plugin "Paid Memberships Pro" vulnerable to SQL injection
Overview WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability CWE-89. Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Panasonic Video Insight VMS vulnerable to arbitrary code execution
Overview Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information...
DoS Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2
Overview A DoS vulnerability was found in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasu...
Multiple Vulnerabilities in Hitachi Compute Systems Manager
Overview Multiple vulnerabilities have been found in Hitachi Compute Systems Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
JVN#96646182: Panasonic Video Insight VMS vulnerable to arbitrary code execution
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94. Impact An arbitrary code may be executed by a remote attacker. Solution Update the software Update the software to the latest version according to the information provided by the...
JVN#20248858: WordPress Plugin "Paid Memberships Pro" vulnerable to SQL injection
WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability CWE-89. Impact An attacker who can access the administrative page of Paid Membership Pro may obtain and/or alter the information stored in the database. Solution Update the plugin Update the plugin according to the...
BookStack vulnerable to cross-site scripting
Overview BookStack contains a cross-site scripting vulnerability CWE-79. Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be...
Multiple vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. HTML attribute value injection vulnerability CWE-74 - CVE-2020-5574 Cross-site scripting due to a flaw in processing multiple query strings CWE-79 - CVE-2020-5575 Cross-site request forgery CWE-352 -...
JVN#28806943: Multiple vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. HTML attribute value injection vulnerability CWE-74 - CVE-2020-5574 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N...
JVN#41035278: BookStack vulnerable to cross-site scripting
BookStack contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the developer. The developer states as follows; Aft...
PALLET CONTROL vulnerable to arbitrary code execution
Overview PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission CWE-284. Yoshimasa Obana reported this vulnerability to IPA. JPCERT/CC coordinated wit...
JVN#61849442: PALLET CONTROL vulnerable to arbitrary code execution
PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission CWE-284. Impact A user who can login to the computer where the vulnerable product is installed...
Sales Force Assistant vulnerable to cross-site scripting
Overview Sales Force Assistant provided by NI Consulting CO.,Ltd. contains a cross-site scripting vulnerability CWE-79. Masanobu Miyagi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may...
Cybozu Garoon contains multiple vulnerabilities
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Authentication bypass in the API used to specify the fields CWE-287 - CVE-2020-5563 Cross-site scripting in the application "E-mail" CWE-79 - CVE-2020-5564 Input validation bypass in the applications...
Directory Permission Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview A directory permission vulnerability was found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
JVN#47668991: Sales Force Assistant vulnerable to cross-site scripting
Sales Force Assistant provided by NI Consulting CO.,Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser while logging in to Sales Force Assistant. Solution Update the Software Update the software to the latest version...
JVN#35649781: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Authentication bypass in the API used to specify the fields CWE-287 - CVE-2020-5563 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 5.3 CVSS v2|...
Multiple SHARP Android devices vulnerable to information disclosure
Overview Multiple SHARP Android devices contain an information disclosure vulnerability CWE-200. Impact Sensitive information of the device may be obtained by another Android application installed on the device. Solution Update the Firmware Update the firmware to the latest version according to...
JVN#93064451: Multiple SHARP Android devices vulnerable to information disclosure
Multiple SHARP Android devices contain an information disclosure vulnerability CWE-200. Impact Sensitive information of the device may be obtained by another Android application installed on the device. Solution Update the Firmware Update the firmware to the latest version according to the...
Toshiba Electronic Devices & Storage software registers unquoted service paths
Overview Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths CWE-428. Toshiba Electronic Devices & Storage Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and TOSHIBA ELECTRONIC DEVIC...
JVN#13467854: Toshiba Electronic Devices & Storage software registers unquoted service paths
Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths CWE-428. Impact When a registered path contains spaces, and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service. Solution The...
Multiple vulnerabilities in EasyBlocks IPv6
Overview EasyBlocks IPv6 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2020-5549 Session fixation CWE-384 - CVE-2020-5550 Hideki SAKAMOTO of Tsukuba Secure Network Research reported this vulnerability to IPA. JPCERT/CC...
JVN#89224521: Multiple vulnerabilities in EasyBlocks IPv6
EasyBlocks IPv6 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2020-5549 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base...
Joomla! plugin "AcyMailing" vulnerable to arbitrary file uploads
Overview Joomla! plugin "AcyMailing" allows an unauthenticated user to upload arbitrary files CWE-434. qw3rTyTy reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Arbitrary PHP code may be executed. Solution...
JVN#56890693: Joomla! plugin "AcyMailing" vulnerable to arbitrary file uploads
Joomla! plugin "AcyMailing" allows an unauthenticated user to upload arbitrary files CWE-434. Impact Arbitrary PHP code may be executed. Solution Update the plugin Update the plugin according to the information provided by the developer. Products Affected AcyMailing versions prior to 6.9.2...
Multiple Yamaha network devices vulnerable to denial-of-service (DoS)
Overview Multiple network devices provided by Yamaha Corporation contain a denial-of-service DoS vulnerability. NIWA Naoya of Amano Lab, Dept. of Information and Computer Science, Faculty of Science and Technology, Keio University reported this vulnerability to IPA. JPCERT/CC coordinated with the...
Denial-of-service (DoS) vulnerability in Mitsubishi Electric MELSOFT transmission port
Overview The MELSOFT transmission port UDP/IP of the MELSEC iQ-R, iQ-F, Q, L, and F series provided by Mitsubishi Electric Corporation contains an uncontrolled resource consumption issue CWE-400. When the MELSOFT transmission port receives a massive amount of data, resource consumption occurs and the port does...
JVN#38732359: Multiple Yamaha network devices vulnerable to denial-of-service (DoS)
Multiple network devices provided by Yamaha Corporation contain a denial-of-service DoS vulnerability CWE-400 due to an issue in processing received packets. Impact A remote attacker may be able to cause a denial-of-service DoS condition. Solution Update the firmware Update to the latest version ...
WL-Enq (WEB Enquete) vulnerable to OS command injection
Overview WL-Enq WEB Enquete provided by WonderLink is a CGI to provide web enquete functions. WL-Enq WEB Enquete contains an OS command injection vulnerability CWE-78. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 16, 2020, it was...
WL-Enq (WEB Enquete) vulnerable to cross-site scripting
Overview WL-Enq WEB Enquete provided by WonderLink is a CGI to provide web enquete functions. WL-Enq WEB Enquete contains a cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 16, 2020, it was judg...
Keijiban Tsumiki vulnerable to OS command injection
Overview Keijiban Tsumiki provided by Mash room - Free CGI - is a CGI to provide Bulletin Board System BBS functions. Keijiban Tsumiki contains an OS command injection vulnerability CWE-78. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on Januar...
mailform vulnerable to cross-site scripting
Overview mailform provided by keitai-site.net is a PHP script providing mail form functions to a website. mailform contains a stored cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 16, 2020, it...
mailform vulnerable to PHP code execution
Overview mailform provided by keitai-site.net is a PHP script providing a mail form function to a website. mailform contains a PHP code execution vulnerability CWE-94 on the server where the product is running. During the meeting of Committee for authorizing the disclosure of unresolved...
Multiple vulnerabilities in Shihonkanri Plus GOOUT
Overview Shihonkanri Plus GOOUT provided by EKAKIN is a CGI that enables viewing data stored in Shihonkanri Plus from outside. Shihonkanri Plus GOOUT contains multiple vulnerabilities, listed below, which allow reading/writing an arbitrary file because of improper validation of input parameter...
Shihonkanri Plus GOOUT vulnerable to OS command injection
Overview Shihonkanri Plus GOOUT provided by EKAKIN is a CGI that enables viewing data stored in Shihonkanri Plus from outside. Shihonkanri Plus GOOUT contains an OS command injection CWE-78 vulnerability. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held...
CuteNews vulnerable to cross-site scripting
Overview Cute News provided by CutePHP.com is a system to manage news. Cute News contains a cross-site scripting vulnerability CWE-79. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 16, 2020, it was judged that an advisory for this...
Cute News vulnerable to PHP code execution
Overview Cute News provided by CutePHP.com is a system to manage news. Cute News contains a PHP code execution vulnerability CWE-94. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on January 16, 2020, it was judged that an advisory for this...
JVN#85942151: mailform vulnerable to cross-site scripting
mailform provided by keitai-site.net is a PHP script providing mail form functions to a website. mailform contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of an administrator who is accessing a website using mailform...
JVN#27951364: WL-Enq (WEB Enquete) vulnerable to OS command injection
WL-Enq WEB Enquete provided by WonderLink is a CGI to provide web enquete functions. WL-Enq WEB Enquete contains an OS command injection vulnerability CWE-78. Impact A remote attacker may execute arbitrary OS commands with administrative privilege. Solution Consider stop using WL-Enq 1.12 Sin...