5625 matches found
Server Side Request Forgery Vulnerability in Hitachi Ops Center Analyzer viewpoint
Overview A Server Side Request Forgery Vulnerability was found in Hitachi Ops Center Analyzer viewpoint. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric GOT2000 series
Overview TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series GT27, GT25, and GT23 contains multiple vulnerabilities listed below. Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119 - CVE-2020-5595 Session Fixation CWE-384 - CVE-2020-5596 NUL...
SHIRASAGI vulnerable to open redirect
Overview SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Ryoya Koyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When...
JVN#55657988: SHIRASAGI vulnerable to open redirect
SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the...
Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of the Java object
Overview Android App "Mercari" Japan version provided by Mercari, Inc. contains vulnerability that an arbitrary Java method execution CWE-749 due to inadequate restrictions on addJavascriptInterface of WebView class. Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA. JPCERT/CC...
JVN#93167107: Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of Java object
Android App "Mercari" Japan version provided by Mercari, Inc. contains vulnerability which may allow arbitrary Java method execution CWE-749 due to inadequate restrictions on addJavascriptInterface of WebView class. Impact An arbitrary method of a Java object may be executed by a remote attacker...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu, Inc. has released security updates for Cybozu Garoon. CyVDB-2083 Vulnerability in Single sign-on settings to avoid viewing and operation privileges - CVE-2020-5580 CyVDB-2451 Path traversal vulnerability on the portal - CVE-2020-5581 CyVDB-2097 Vulnerability to bypass operation...
DoS Vulnerability in Hitachi Device Manager
Overview A DoS Vulnerability was found in Hitachi Device Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
JVN#55497111: Multiple vulnerabilities in Cybozu Garoon
Cybozu, Inc. has released security updates for Cybozu Garoon. CyVDB-2083 Vulnerability in Single sign-on settings to avoid viewing and operation privileges - CVE-2020-5580 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N| Base Score: 8.5 CVSS v2|...
Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
Overview Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter b...
Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series vulnerable to cleartext transmission of sensitive information
Overview Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series contain a vulnerability that allows cleartext transmission of sensitive information CWE-319 between CPU modules and GX Works3 and/or GX Works2. Impact If this vulnerability is exploited, disclosure or alteration of information,...
JVN#40039627: Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an...
Vulnerability in Cosminexus HTTP Server
Overview A vulnerability CVE-2019-1551 exists in Cosminexus HTTP Server. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
EC-CUBE vulnerable to directory traversal
Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains a directory traversal vulnerability CWE-22. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning...
JVN#77458946: EC-CUBE vulnerable to directory traversal
EC-CUBE provided by EC-CUBE CO.,LTD. contains a directory traversal vulnerability CWE-22. Impact A user who can login to the management screen of the product may delete arbitrary files and/or directories on the server. Solution Update the Software The update for EC-CUBE 4 is available. Update the...
Path Traversal Vulnerability in Hitachi Automation Director and Hitachi Ops Center Automator
Overview A Path Traversal Vulnerability was found in Hitachi Automation Director and Hitachi Ops Center Automator. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and...
Multiple vulnerabilities in Zenphoto
Overview Zenphoto is a content management system CMS. Zenphoto contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5592 Code Injection CWE-94 - CVE-2020-5593 Tomohisa Maeda of Panasonic Corporation, Product Security Center reported this vulnerability to IPA...
JVN#32252648: Multiple vulnerabilities in Zenphoto
Zenphoto is a content management system CMS. Zenphoto contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2020-5592 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base...
Multiple SONY Wireless Headphones allow improper Bluetooth pairing
Overview Multiple SONY Wireless Headphones have vulnerability that someone within the Bluetooth range can make the Bluetooth pairing. National Institute of Technology, Tokyo College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warni...
JVN#67447798: Multiple SONY Wireless Headphones allow improper Bluetooth pairing
Multiple SONY Wireless Headphones have vulnerability that someone within the Bluetooth range can make the Bluetooth pairingCWE-306. Impact When using the product, someone within the Bluetooth range may make the Bluetooth pairing and operate such as changing volume of the product. Solution Update...
XACK DNS vulnerable to denial-of-service (DoS)
Overview XACK DNS is DNS server software provided by XACK, Inc. XACK DNS contains a denial-of-service DoS vulnerability due to an issue commonly referred to as NXNSAttack. XACK, Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and XACK, Inc. coordinat...
JVN#40208370: XACK DNS vulnerable to denial-of-service (DoS)
XACK DNS is DNS server software provided by XACK, Inc. XACK DNS contains a denial-of-service DoS vulnerability due to an issue commonly referred to as NXNSAttack. Impact A remote attacker may be able to cause denial-of-service DoS conditions listed below. The performance of the recursive resolver...
Multiples security updates for multiple Cybozu products
Overview Cybozu, Inc. has released multiple security updates for multiple Cybozu products. CyVDB-2465 Credential Disclosure Vulnerability - CVE-2020-5572 CyVDB-2484 Credential Disclosure Vulnerability - CVE-2020-5573 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these...
JVN#78745667: Multiples security updates for multiple Cybozu products
Cybozu, Inc. has released multiple security updates for multiple Cybozu products. CyVDB-2465 Credential Disclosure Vulnerability - CVE-2020-5572 CyVDB-2484 Credential Disclosure Vulnerability - CVE-2020-5573 Impact A user who can login to the product may obtain sensitive information registered in...
Privilege escalation vulnerability in Hitachi Ops Center Common Services
Overview A privilege escalation vulnerability was found in Hitachi Ops Center Common Services Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate actio...
Cybozu Desktop for Windows vulenerable to arbitrary code execution
Overview Cybozu Desktop for Windows provided by Cybozu, Inc. contains an arbitrary code execution vulnerability due to the improper data processing when applying the software update. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to Cybozu, Inc. and...
JVN#59552136: Cybozu Desktop for Windows vulenerable to arbitrary code execution
Cybozu Desktop for Windows provided by Cybozu, Inc. contains an arbitrary code execution vulnerability due to the improper data processing when applying the software update. Impact A remote attacker may excecute arbitrary code through an attack, such as a man-in-the-middle MITM, subdomain takeove...
WordPress Plugin "Paid Memberships Pro" vulnerable to SQL injection
Overview WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability CWE-89. Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
Panasonic Video Insight VMS vulnerable to arbitrary code execution
Overview Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information...
DoS Vulnerability in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2
Overview A DoS vulnerability was found in JP1/Automatic Job Management System 3 and JP1/Automatic Job Management System 2. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasu...
Multiple Vulnerabilities in Hitachi Compute Systems Manager
Overview Multiple vulnerabilities have been found in Hitachi Compute Systems Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
JVN#20248858: WordPress Plugin "Paid Memberships Pro" vulnerable to SQL injection
WordPress Plugin "Paid Memberships Pro" contains an SQL injection vulnerability CWE-89. Impact An attacker who can access the administrative page of Paid Membership Pro may obtain and/or alter the information stored in the database. Solution Update the plugin Update the plugin according to the...
JVN#96646182: Panasonic Video Insight VMS vulnerable to arbitrary code execution
Video Insight VMS provided by Panasonic Corporation contains an arbitrary code execution vulnerability CWE-94. Impact An arbitrary code may be executed by a remote attacker. Solution Update the software Update the software to the latest version according to the information provided by the...
BookStack vulnerable to cross-site scripting
Overview BookStack contains a cross-site scripting vulnerability CWE-79. Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be...
Multiple vulnerabilities in Movable Type
Overview Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. HTML attribute value injection vulnerability CWE-74 - CVE-2020-5574 Cross-site scripting due to a flaw in processing multiple query strings CWE-79 - CVE-2020-5575 Cross-site request forgery CWE-352 -...
JVN#28806943: Multiple vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. HTML attribute value injection vulnerability CWE-74 - CVE-2020-5574 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N...
JVN#41035278: BookStack vulnerable to cross-site scripting
BookStack contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update the software to the latest version according to the information provided by the developer. The developer states as follows; Aft...
PALLET CONTROL vulnerable to arbitrary code execution
Overview PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission CWE-284. Yoshimasa Obana reported this vulnerability to IPA. JPCERT/CC coordinated wit...
JVN#61849442: PALLET CONTROL vulnerable to arbitrary code execution
PALLET CONTROL provided by JAL Information Technology Co., Ltd. is IT asset management software. PALLET CONTROL contains an arbitrary code execution vulnerability due to improper file access permission CWE-284. Impact A user who can login to the computer where the vulnerable product is installed...
Sales Force Assistant vulnerable to cross-site scripting
Overview Sales Force Assistant provided by NI Consulting CO.,Ltd. contains a cross-site scripting vulnerability CWE-79. Masanobu Miyagi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may...
Cybozu Garoon contains multiple vulnerabilities
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Authentication bypass in the API used to specify the fields CWE-287 - CVE-2020-5563 Cross-site scripting in the application "E-mail" CWE-79 - CVE-2020-5564 Input validation bypass in the applications...
Directory Permission Vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
Overview A directory permission vulnerability was found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official...
JVN#47668991: Sales Force Assistant vulnerable to cross-site scripting
Sales Force Assistant provided by NI Consulting CO.,Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser while logging in Sales Force Assistant. Solution Update the Software Update the software to the latest version...
JVN#35649781: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Authentication bypass in the API used to specify the fields CWE-287 - CVE-2020-5563 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 5.3 CVSS v2|...
Multiple SHARP Android devices vulnerable to information disclosure
Overview Multiple SHARP Android devices contain an information disclosure vulnerability CWE-200. Impact Sensitive information of the device may be obtained by the other android application installed in the device. Solution Update the Firmware Update the firmware to the latest version according to...
JVN#93064451: Multiple SHARP Android devices vulnerable to information disclosure
Multiple SHARP Android devices contain an information disclosure vulnerability CWE-200. Impact Sensitive information of the device may be obtained by the other android application installed in the device. Solution Update the Firmware Update the firmware to the latest version according to the...
Toshiba Electronic Devices & Storage software registers unquoted service paths
Overview Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths CWE-428. Toshiba Electronic Devices & Storage Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and TOSHIBA ELECTRONIC DEVIC...
JVN#13467854: Toshiba Electronic Devices & Storage software registers unquoted service paths
Some of Toshiba Electronic Devices & Storage software registers Windows services with unquoted file paths CWE-428. Impact When a registered path contains spaces, and a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service. Solution The...
Multiple vulnerabilities in EasyBlocks IPv6
Overview EasyBlocks IPv6 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities listed below. Cross site request forgeryCWE-352 - CVE-2020-5549 Session fixation CWE-384 - CVE-2020-5550 Hideki SAKAMOTO of Tsukuba Secure Network Research reported this vulnerability to IPA. JPCERT/CC...
JVN#89224521: Multiple vulnerabilities in EasyBlocks IPv6
EasyBlocks IPv6 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities listed below. Cross site request forgeryCWE-352 - CVE-2020-5549 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score: 4.3 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base...