5609 matches found
JVN#29095127: CuteNews vulnerable to cross-site scripting
Cute News provided by CutePHP.com is a system to manage news. Cute News contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of a user who has login privileges to a website that uses Cute News while accessing that website. Solution...
JVN#88277644: Keijiban Tsumiki vulnerable to OS command injection
Keijiban Tsumiki provided by Mash room - Free CGI - is a CGI that provides bulletin board system (BBS) functions. Keijiban Tsumiki contains an OS command injection vulnerability CWE-78. Impact A remote attacker may execute an arbitrary OS command. Solution Consider discontinuing use of Keijiban Tsumiki v1.15...
JVN#32415420: Multiple vulnerabilities in Shihonkanri Plus GOOUT
Shihonkanri Plus GOOUT provided by EKAKIN is a CGI that enables data stored in Shihonkanri Plus to be viewed from outside. Shihonkanri Plus GOOUT contains the multiple vulnerabilities listed below, which allow an arbitrary file to be read or written because of improper validation of an input parameter. Directory...
JVN#88033799: WL-Enq (WEB Enquete) vulnerable to cross-site scripting
WL-Enq WEB Enquete provided by WonderLink is a CGI to provide web enquete functions. WL-Enq WEB Enquete contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing a website that uses WL-Enq WEB Enquete. Solution...
JVN#63834780: Shihonkanri Plus GOOUT vulnerable to OS command injection
Shihonkanri Plus GOOUT provided by EKAKIN is a CGI that enables data stored in Shihonkanri Plus to be viewed from outside. Shihonkanri Plus GOOUT contains an OS command injection vulnerability CWE-78. Impact A remote attacker may execute an arbitrary OS command. Solution Consider discontinuing use of Shihonkanri Plu...
JVN#58176087: Cute News vulnerable to PHP code execution
Cute News provided by CutePHP.com is a system to manage news. Cute News contains a PHP code execution vulnerability CWE-94. Impact A user who can log in to CuteNews may execute arbitrary PHP code. Solution Consider discontinuing use of Cute News 2.1.2. Since the developer was unreachable, the existence of any...
JVN#77634892: mailform vulnerable to PHP code execution
mailform provided by keitai-site.net is a PHP script providing a mail form function to a website. mailform contains a PHP code execution vulnerability CWE-94 on the server where the product is running. Impact Arbitrary PHP code may be executed on the server where the product is running. Solution...
Cross-site Scripting Vulnerability in JP1/Performance Management - Manager [Web Console]
Overview A Cross-site Scripting Vulnerability was found in JP1/Performance Management - Manager Web Console. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure an...
Improper LDAPS Certificate Validation in Hitachi Ops Center Common Services
Overview Improper certificate validation in Hitachi Ops Center Common Services. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in OpenBlocks IoT VX2
Overview OpenBlocks IoT VX2 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities. Masahiro Murashima and Genta Kataoka of IERAE SECURITY INC. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
JVN#19666251: Multiple vulnerabilities in OpenBlocks IoT VX2
OpenBlocks IoT VX2 provided by Plat'Home Co., Ltd. contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2020-5535

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 8.8
CVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | Base Score:...
GRANDIT vulnerable to session management
Overview GRANDIT provided by GRANDIT CORPORATION contains a vulnerability in session management CWE-639. Kazuki Mitobe of FUJISOFT INCORPORATED reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A user who can...
JVN#73472345: GRANDIT vulnerable to session management
GRANDIT provided by GRANDIT CORPORATION contains a vulnerability in session management CWE-639. Impact A user who can access the product may impersonate an arbitrary user. As a result, information may be altered or disclosed. Solution Apply the Patch Apply the appropriate patch according to th...
Improper Authentication Vulnerability in RICOH printers
Overview Multiple RICOH printers contain Improper Authentication Vulnerability CWE-287. RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership. Impac...
Improper Access Control Vulnerability in RICOH printers
Overview Multiple RICOH printers contain Improper Access Control CWE-284. RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership. Impact A user who c...
Privilege escalation vulnerability in multiple RICOH printer drivers
Overview Multiple RICOH printer drivers contain a privilege escalation vulnerability. RICOH COMPANY, LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning...
Cross-site Request Forgery Vulnerability in RICOH printers
Overview Multiple RICOH printers contain Cross-site Request Forgery CWE-352. RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership. Impact If a user...
Information Disclosure Vulnerability in RICOH printers
Overview Multiple RICOH printers contain Information Disclosure CWE-200. RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership. Impact A user who ca...
JVN#52962201: Multiple vulnerabilities in RICOH printers
Multiple RICOH printers contain multiple vulnerabilities listed below. Information Disclosure CWE-200 - CVE-2019-14301

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Base Score: 6.5
CVSS v2 | AV:A/AC:L/Au:N/C:P/I:N/A:N | Base Score: 3.3

Improper Access...
JVN#15697526: Privilege escalation vulnerability in multiple RICOH printer drivers
Multiple RICOH printer drivers contain a privilege escalation vulnerability. Impact If a user who can log in to the computer where the affected printer driver is installed uses a specially crafted printer driver, privilege escalation may result in administrative privileges being obtained...
Multiple OS command injection vulnerabilities in Aterm WF1200C, Aterm WG1200CR, and Aterm WG2600HS
Overview Aterm WF1200C, Aterm WG1200CR, and Aterm WG2600HS provided by NEC Corporation contain multiple OS command injection vulnerabilities listed below. OS command injection vulnerability in UPnP function CWE-78 - CVE-2020-5524 OS command injection vulnerability in management screen CWE-78 -...
Multiple vulnerabilities in Aterm WG2600HS
Overview Aterm WG2600HS provided by NEC Corporation contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2020-5533 OS command injection CWE-78 - CVE-2020-5534 Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated wit...
JVN#25766797: Multiple OS command injection vulnerabilities in Aterm WF1200C, Aterm WG1200CR, and Aterm WG2600HS
Aterm WF1200C, Aterm WG1200CR, and Aterm WG2600HS provided by NEC Corporation contain multiple OS command injection vulnerabilities listed below. OS command injection vulnerability in UPnP function CWE-78 - CVE-2020-5524 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#49410695: Multiple vulnerabilities in Aterm WG2600HS
Aterm WG2600HS provided by NEC Corporation contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2020-5533

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6

OS...
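The Keijiban Tsumiki, Shihonkanri Plus GOOUT, OpenBlocks IoT VX2 and Aterm entries above are all CWE-78: a request parameter ends up on a shell command line. The block below is an added illustration, not code from any of those products or advisories. It uses `echo` as a stand-in for whatever command the CGI really runs, and the `PAYLOAD` string is constructed for the example. It shows the three common outcomes side by side: input pasted into a shell string (the vulnerable pattern), the same input passed as an argv element with no shell, and, for the case where a shell cannot be avoided, `shlex.quote` plus an allowlist.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# Constructed attacker value for the example: a plausible keyword followed by a
# shell separator and a second command. Not taken from any advisory.
PAYLOAD = "foo; echo INJECTED"

# Hypothetical allowlist for the parameter; tighten it to what the CGI needs.
ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def search_vulnerable(keyword: str) -> list[str]:
    """The classic CGI mistake: the parameter is concatenated into a command
    string and handed to /bin/sh, so ';' ends the intended command and the
    attacker's second command runs too."""
    cmd = "echo " + keyword  # stands in for e.g. "grep <keyword> data.txt"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False).stdout
    return out.splitlines()


def search_argv(keyword: str) -> list[str]:
    """No shell at all: argv elements are delivered to the program as-is, so
    the separator and the second command are just bytes inside one argument."""
    out = subprocess.run(["echo", keyword], capture_output=True, text=True, check=False).stdout
    return out.splitlines()


def search_quoted(keyword: str) -> list[str]:
    """When a shell is unavoidable (pipes, redirection), quote every
    user-controlled token and validate it against an allowlist first."""
    if not ALLOWED.fullmatch(keyword):
        raise ValueError("keyword rejected by allowlist")
    cmd = "echo " + shlex.quote(keyword)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False).stdout
    return out.splitlines()


if __name__ == "__main__":
    print("vulnerable:", search_vulnerable(PAYLOAD))  # two lines: the injected command ran
    print("argv      :", search_argv(PAYLOAD))        # one line: the payload is literal data
    try:
        search_quoted(PAYLOAD)
    except ValueError as e:
        print("quoted    : rejected ->", e)
```

The argv form is the fix to prefer; the allowlist is defence in depth for the parameter itself, and `shlex.quote` only matters on the rare path where a shell string is genuinely required.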
WordPress Plugin "Easy Property Listings" vulnerable to cross-site request forgery
Overview WordPress Plugin "Easy Property Listings" provided by Merv Barrett contains a cross-site request forgery vulnerability CWE-352. Rei Nakahara of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to the...
Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000
Overview MELSEC C Controller Module and MELIPC Series MI5000 provided by Mitsubishi Electric Corporation have multiple vulnerabilities due to the vulnerabilities known as "URGENT/11" in IPnet, the TCP/IP stack of VxWorks, a real-time OS distributed by Wind River. Q24DHCCPU-V and Q24DHCCPU-VG Buffer...
JVN#89259622: WordPress Plugin "Easy Property Listings" vulnerable to cross-site request forgery
WordPress Plugin "Easy Property Listings" provided by Merv Barrett contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the informatio...
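The CSRF entries above (the Easy Property Listings plugin and the RICOH printers) describe the same failure: a state-changing request is accepted on the strength of the session cookie alone, so a page the victim merely views can submit it. The block below is an added example, not code from the plugin or from WordPress; it uses an in-memory session store and a bare request handler constructed for the example in place of a real web framework. It shows a handler with no CSRF defence beside one that requires a per-session synchronizer token, compared in constant time, and an Origin header that matches the site.

```python
from __future__ import annotations

import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> session data (example only).
SESSIONS: Dict[str, Dict[str, str]] = {}

# Hypothetical site origin used for the Origin/Referer check.
SITE_ORIGIN = "https://example.test"


def start_session() -> str:
    """Log a user in: mint a session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """The token the legitimate form embeds as a hidden field."""
    return SESSIONS[sid]["csrf"]


def delete_listing_vulnerable(sid: str, form: Dict[str, str]) -> str:
    """Only checks that the browser sent a valid session cookie. A form on a
    third-party page auto-submitted by the victim's browser passes this check."""
    if sid not in SESSIONS:
        return "401 not logged in"
    return "deleted listing " + form.get("id", "")


def delete_listing_hardened(sid: str, form: Dict[str, str], origin: Optional[str]) -> str:
    """Same action, but the request must carry the session's CSRF token and,
    when the browser supplies an Origin header, it must be our own origin."""
    if sid not in SESSIONS:
        return "401 not logged in"
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    sent = form.get("csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(sent, csrf_token(sid)):
        return "403 csrf token mismatch"
    return "deleted listing " + form.get("id", "")


if __name__ == "__main__":
    sid = start_session()
    forged = {"id": "7"}  # what an attacker's page can produce: no token
    print(delete_listing_vulnerable(sid, forged))
    print(delete_listing_hardened(sid, forged, "https://attacker.test"))
    legit = {"id": "7", "csrf": csrf_token(sid)}
    print(delete_listing_hardened(sid, legit, SITE_ORIGIN))
```

The token must be unpredictable and tied to the session, never derivable from the session cookie; the Origin check is a second, independent signal that also catches forms the attacker manages to pre-fill.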
Security information for Hitachi Disk Array Systems
Overview A cross-site scripting vulnerability exists in the SVPStorage Navigator of the Hitachi disk array system. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and...
ilbo App vulnerable to authentication bypass
Overview ilbo App provided by EXTRUN Ltd. contains an authentication bypass vulnerability CWE-287. Impact A user who can log in to ilbo App may view images recorded by another user's ilbo device. Solution Update the Application Update to the latest version according to the...
Multiple Trend Micro products vulnerable to denial-of-service (DoS)
Overview Premium Security 2019 for Windows, Maximum Security 2019 for Windows, Internet Security 2019 for Windows, and Antivirus+ Security 2019 for Windows provided by Trend Micro Incorporated contain a denial-of-service DoS vulnerability CWE-400. BlackWingCat of Pink Flying Whale reported this...
JVN#02921757: Multiple Trend Micro products vulnerable to denial-of-service (DoS)
Premium Security 2019 for Windows, Maximum Security 2019 for Windows, Internet Security 2019 for Windows, and Antivirus+ Security 2019 for Windows provided by Trend Micro Incorporated contain a denial-of-service DoS vulnerability CWE-400. Impact An attacker may disable Premium Security 2019 for...
JVN#35496038: ilbo App vulnerable to authentication bypass
ilbo App provided by EXTRUN Ltd. contains an authentication bypass vulnerability CWE-287. Impact A user who can log in to ilbo App may view images recorded by another user's ilbo device. Solution Update the Application Update to the latest version according to the information...
HtmlUnit vulnerable to arbitrary code execution
Overview HtmlUnit is a Java-based library that provides web browser functionality to Java programs and supports JavaScript evaluation with the embedded Mozilla Rhino engine. Rhino offers a feature that makes Java objects available from JavaScript. HtmlUnit initializes the Rhino engine...
JVN#34535327: HtmlUnit vulnerable to arbitrary code execution
HtmlUnit is a Java-based library that provides web browser functionality to Java programs and supports JavaScript evaluation with the embedded Mozilla Rhino engine. Rhino offers a feature that makes Java objects available from JavaScript. HtmlUnit initializes the Rhino engine improperly,...
Movable Type vulnerable to cross-site scripting
Overview Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability CWE-79 in the block editor and rich text editor. Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the...
JVN#94435544: Movable Type vulnerable to cross-site scripting
Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability CWE-79 in the block editor and rich text editor. Impact An arbitrary script may be executed on the logged-in user's web browser. Solution Update the Software Update to the latest version according to the information...
Ghostscript access restriction bypass vulnerability
Overview Ghostscript provided by Artifex Software Inc. contains an access restriction bypass vulnerability CWE-284. Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#52486659: Ghostscript access restriction bypass vulnerability
Ghostscript provided by Artifex Software Inc. contains an access restriction bypass vulnerability CWE-284. Impact When Ghostscript processes a specially crafted file, an arbitrary command may be executed with the privileges of the Ghostscript process. Solution Update the Software Update the software according to...
AWMS Mobile App vulnerable to improper server certificate verification
Overview AWMS Mobile App is vulnerable to improper server certificate verification CWE-295. Dai Nakamura of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#00014057: AWMS Mobile App vulnerable to improper server certificate verification
AWMS Mobile App is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer...
Android App "MyPallete" vulnerable to improper server certificate verification
Overview Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers. "MyPallete" is vulnerable to improper server certificate verification CWE-295 and to improper host-matching validation CWE-297. Dai Nakamura of...
JVN#28845872: Android App "MyPallete" vulnerable to improper server certificate verification
Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers. "MyPallete" is vulnerable to improper server certificate verification CWE-295 and to improper host-matching validation CWE-297. Impact A man-in-the-midd...
Multiple Fuji Xerox mobile applications fail to verify SSL server certificates
Overview Multiple Fuji Xerox mobile applications fail to verify SSL server certificates CWE-295. Hirotaka Niisato reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
JVN#66435380: Multiple Fuji Xerox mobile applications fail to verify SSL server certificates
Multiple Fuji Xerox mobile applications fail to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
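The AWMS Mobile App, MyPallete and Fuji Xerox entries above are all client-side TLS failures, and the MyPallete entry separates the two ways a client gets this wrong: not validating the certificate chain at all (CWE-295) and validating the chain but never checking that the name in the certificate matches the host being contacted (CWE-297). The block below is an added example written against Python's standard `ssl` module, not code from any of those apps (which are Android/mobile code); the three context builders reproduce the correct configuration and the two weak ones, and `audit` is a hypothetical helper that classifies a context into the two CWEs. No network connection is made.

```python
from __future__ import annotations

import ssl


def correct_context() -> ssl.SSLContext:
    """What a client should use: chain validation against the platform trust
    store (CERT_REQUIRED) plus hostname matching (check_hostname=True)."""
    return ssl.create_default_context()


def no_validation_context() -> ssl.SSLContext:
    """The copy-pasted 'make the certificate error go away' pattern. Both
    checks are off, so any certificate, self-signed or not, is accepted
    (CWE-295). Note the order: check_hostname must be cleared first, because
    Python refuses CERT_NONE while hostname checking is still enabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def no_hostname_context() -> ssl.SSLContext:
    """Chain is validated, but the name is not matched (CWE-297): a valid
    certificate issued to any other domain by any trusted CA is accepted,
    which is enough for an on-path attacker with their own cheap cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def audit(ctx: ssl.SSLContext) -> list[str]:
    """Classify a context. Hypothetical helper for the example; the strings
    are the CWE ids used on this page."""
    findings: list[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("CWE-295")
    if not ctx.check_hostname:
        findings.append("CWE-297")
    return findings


if __name__ == "__main__":
    for name, builder in [
        ("correct", correct_context),
        ("no_validation", no_validation_context),
        ("no_hostname", no_hostname_context),
    ]:
        print(f"{name:14s} -> {audit(builder()) or 'ok'}")
```

When reviewing a mobile client, look for the equivalent of `no_validation_context` (an all-trusting TrustManager or `verify=False`) and of `no_hostname_context` (a hostname verifier that returns true); the second is easy to miss because the certificate chain really is validated.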
Trend Micro Password Manager vulnerable to information disclosure
Overview Password Manager provided by Trend Micro Incorporated generates a key pair and a root certificate on product installation. The generated private key is not properly protected and any non-administrative user can retrieve the private key CWE-200. Note that this vulnerability is different...
Trend Micro Password Manager vulnerable to information disclosure
Overview Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability CWE-200. Under certain conditions, information such as IDs and passwords managed by Password Manager is kept in memory in plaintext and may be retrieved by scanning memory...
JVN#49593434: Trend Micro Password Manager vulnerable to information disclosure
Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability CWE-200. Under certain conditions, information such as IDs and passwords managed by Password Manager is kept in memory in plaintext and may be retrieved by scanning memory. Impact A...
JVN#37183636: Trend Micro Password Manager vulnerable to information disclosure
Password Manager provided by Trend Micro Incorporated generates a key pair and a root certificate on product installation. The generated private key is not properly protected and any non-administrative user can retrieve the private key CWE-200. Impact A malicious user who obtains the private key...
Junos OS vulnerable to directory traversal
Overview Junos OS contains a directory traversal vulnerability CWE-22. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Files on the server may be...
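The Junos OS entry above and the Shihonkanri Plus GOOUT entry earlier on this page are both CWE-22: a file name taken from the request is joined onto a base directory without checking that the result still lies inside it. The block below is an added example and is not code from either product. It builds a throwaway export directory with one legitimate file, plants a secret file one level above it, and compares a naive `os.path.join` reader with one that canonicalises the path and refuses anything outside the base; the `..` segment, an absolute path and a symbolic link pointing outside are each tried.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def read_vulnerable(base: str, name: str) -> str:
    """Naive join: '../secret.txt' walks out of base, and an absolute name
    replaces base entirely (os.path.join(base, '/etc/passwd') == '/etc/passwd')."""
    with open(os.path.join(base, name)) as f:
        return f.read()


def read_hardened(base: str, name: str) -> str:
    """Resolve both paths (following symlinks) and require the target to be
    the base itself or one of its descendants before opening anything."""
    base_real = Path(base).resolve()
    target = (base_real / name).resolve()
    if target != base_real and base_real not in target.parents:
        raise PermissionError(f"path escapes export directory: {name!r}")
    with open(target) as f:
        return f.read()


def demo() -> dict:
    """Constructed fixture: tmp/export/data.csv is the only file a client
    should ever see; tmp/secret.txt is what traversal would expose."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        export.mkdir()
        (export / "data.csv").write_text("id,amount\n1,100\n")
        (Path(tmp) / "secret.txt").write_text("DB_PASSWORD=hunter2\n")
        (export / "link").symlink_to(Path(tmp) / "secret.txt")

        results = {
            "vuln_ok": read_vulnerable(str(export), "data.csv"),
            "vuln_dotdot": read_vulnerable(str(export), "../secret.txt"),
            "hard_ok": read_hardened(str(export), "data.csv"),
        }
        for label, name in [
            ("hard_dotdot", "../secret.txt"),
            ("hard_absolute", str(Path(tmp) / "secret.txt")),
            ("hard_symlink", "link"),
        ]:
            try:
                read_hardened(str(export), name)
                results[label] = "ALLOWED"
            except PermissionError:
                results[label] = "BLOCKED"
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v.strip()!r}")
```

A check that only rejects the literal substring `..` misses the absolute-path and symlink cases; comparing resolved paths handles all three, and also blocks a name that resolves to the base directory's parent through a chain of links.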