5625 matches found
JVN#34535327: HtmlUnit vulenerable to arbitrary code execution
HtmlUnit is a Java-based library which provides web browser functionality to Java programs, and it supports JavaScript evaluation with embedded Mozilla Rhino engine. Mozilla Rhino engine offers a feature to make Java objects available from JavaScript. HtmlUnit initializes Rhino engine improperly,...
Movable Type vulnerable to cross-site scripting
Overview Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability CWE-79 in block editor and rich text editor. Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the...
JVN#94435544: Movable Type vulnerable to cross-site scripting
Movable Type provided by Six Apart Ltd. contains a cross-site scripting vulnerability CWE-79 in block editor and rich text editor. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the information...
Ghostscript access restriction bypass vulnerability
Overview Ghostscript provided by Artifex Software Inc. contains an access restriction bypass vulnerability CWE-284. Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#52486659: Ghostscript access restriction bypass vulnerability
Ghostscript provided by Artifex Software Inc. contains an access restriction bypass vulnerability CWE-284. Impact By Ghostscript processing a specially crafted file, arbitrary command may be executed with the privilege of Ghostscript. Solution Update the Software Update the software according to...
AWMS Mobile App vulnerable to improper server certificate verification
Overview AWMS Mobile App is vulnerable to improper server certificate verification CWE-295. Dai Nakamura of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#00014057: AWMS Mobile App vulnerable to improper server certificate verification
AWMS Mobile App is vulnerable to improper server certificate verification CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer...
Android App "MyPallete" vulnerable to improper server certificate verification
Overview Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers. "MyPallete" is vulnerable to improper server certificate verification CWE-295 and to improper host-matching validation CWE-297. Dai Nakamura of...
JVN#28845872: Android App "MyPallete" vulnerable to improper server certificate verification
Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers. "MyPallete" is vulnerable to improper server certificate verification CWE-295 and to improper host-matching validation CWE-297. Impact A man-in-the-midd...
Multiple Fuji Xerox mobile applications fails to verify SSL server certificates
Overview Multiple Fuji Xerox mobile applications fail to verify SSL server certificates CWE-295. Hirotaka Niisato reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
JVN#66435380: Multiple Fuji Xerox mobile applications fails to verify SSL server certificates
Multiple Fuji Xerox mobile applications fail to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
Trend Micro Password Manager vulnerable to information disclosure
Overview Password Manager provided by Trend Micro Incorporated generates a key pair and a root certificate on product installation. The generated private key is not properly protected and any non-administrative user can retrieve the private key CWE-200. Note that this vulnerability is different...
Trend Micro Password Manager vulnerable to information disclosure
Overview Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability CWE-200. Under certain conditions, the information ID, password etc. managed by Password Manager are kept on the memory in plaintext. They may be retrieved when the memory scan is done...
JVN#49593434: Trend Micro Password Manager vulnerable to information disclosure
Password Manager provided by Trend Micro Incorporated contains an information disclosure vulnerability CWE-200. Under certain conditions, the information ID, password etc. managed by Password Manager are kept on the memory in plaintext. They may be retrieved when the memory scan is done. Impact A...
JVN#37183636: Trend Micro Password Manager vulnerable to information disclosure
Password Manager provided by Trend Micro Incorporated generates a key pair and a root certificate on product installation. The generated private key is not properly protected and any non-administrative user can retrieve the private key CWE-200. Impact A malicious user who obtains the private key...
Junos OS vulnerable to directory traversal
Overview Junos OS contains a directory traversal vulnerability CWE-22. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Files on the server may be...
Junos OS vulnerable to cross-site scripting
Overview Junos OS contains a cross-site scripting vulnerability CWE-79. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be...
JVN#21753370: Junos OS vulnerable to cross-site scripting
Junos OS contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's J-Web screen. Solution Update the Software Update the software to the latest version according to the information provided by the developer. Apply a Workaround Applying...
JVN#07375820: Junos OS vulnerable to directory traversal
Junos OS contains a directory traversal vulnerability CWE-22. Impact Files on the server may be viewed or deleted by an authenticated J-web user. According to the developer, this issue does not affect system files that can be accessed only by root user. Solution Update the Software Update the...
F-RevoCRM vulnerable to cross-site scripting
Overview F-RevoCRM provided by ThinkingReed inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the Patch Apply the patch according to the information provided by the developer. Apply Workaround Applying t...
JVN#97325754: F-RevoCRM vulnerable to cross-site scripting
F-RevoCRM provided by ThinkingReed inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the Patch Apply the patch according to the information provided by the developer. Apply Workaround Applying the...
Multiple Vulnerabilities in Hitachi Automation Director
Overview Multiple vulnerabilities have been found in Hitachi Automation Director. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. We would like to thank Piotr Madej ING Tech Poland for reporting the relevant issues. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory...
DoS Vulnerability in Hitachi Compute Systems Manager
Overview A DoS vulnerability was found in Hitachi Compute Systems Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple vulnerabilities in a-blog cms
Overview a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2019-6033 Script injection due to a flaw in processing cookie CWE-74 - CVE-2019-6034 Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this...
JVN#10377257: Multiple vulnerabilities in a-blog cms
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Reflected cross-site scripting CWE-79 - CVE-2019-6033 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3...
Android App "NTV News24" fails to verify SSL server certificates
Overview Android App "NTV News24" provided by Nippon Television Network Corporation fails to verify SSL server certificates CWE-295. Shinnosuke Tokusho of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA...
JVN#01236065: Android App "NTV News24" fails to verify SSL server certificates
Android App "NTV News24" provided by Nippon Television Network Corporation fails to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to th...
Multiple vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Directory traversal in the "Customapp" function CWE-22 - CVE-2019-6022 Browse restriction bypass in the application "Address" CWE-284 - CVE-2019-6023 Two vulnerabilities were reported by the following...
JVN#79854355: Multiple vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Directory traversal in the "Customapp" function CWE-22 - CVE-2019-6022 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N| Base Score: 7.7 CVSS v2|...
Athenz vulnerable to open redirect
Overview Athenz provided by Verizon Media contains an open redirect vulnerability CWE-601. Akaki Tsunoda reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a specially crafted URL, the user may b...
Multiple vulnerabilities in "Custom Body Class"
Overview WordPress Plugin "Custom Body Class" provided by Andrei Lupu contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-6029 Cross-site Request Forgery CWE-352 - CVE-2019-6030 Shirai Masatake of Cryptography Laboratory,Department of Information and Communicati...
JVN#57070811: Athenz vulnerable to open redirect
Athenz provided by Verizon Media contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update the software to...
JVN#26847507: Multiple vulnerabilities in "Custom Body Class"
WordPress Plugin "Custom Body Class" provided by Andrei Lupu contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-6029 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N|...
Kinza vulnerable to cross-site scripting
Overview Kinza provided by Dayz Inc. contains a cross-site scripting vulnerability CWE-79. RyotaK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If CSP Content Security Policy on the affected product is...
JVN#63047298: Kinza vulnerable to cross-site scripting
Kinza provided by Dayz Inc. contains a cross-site scripting vulnerability CWE-79. Impact If CSP Content Security Policy on the affected product is disabled, an arbitrary script may be executed on the web browser of the user who uses RSS reader. Solution Update the Software Update to the latest...
Multiple MOTEX products vulnerable to privilege escalation
Overview LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. Mitsuaki Mitch Shiraishi of Secureworks Japan and Yoshimasa Obana reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#49068796: Multiple MOTEX products vulnerable to privilege escalation
LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. Impact An user who can login to the PC where the vulnerable product is installed may obtain unauthorized privileges and execute arbitrary code. Solution Update the Software Update to the latest versi...
STAMP Workbench installer may insecurely load Dynamic Link Libraries
Overview STAMP Workbench is a modeling tool for STAMP provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA. It is distirbuted as a ZIP archive or an Windows executable installer. The Windows executable installer contains an issue with the DLL search path, which may lead to insecurely...
WordPress Plugin "WP Spell Check" vulnerable to cross-site request forgery
Overview WordPress Plugin "WP Spell Check" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Takuya Yamaguchi of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported these vulnerabilities...
JVN#26838191: WordPress Plugin "WP Spell Check" vulnerable to cross-site request forgery
WordPress Plugin "WP Spell Check" provided by WP Spell Check contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information...
JVN#19386781: STAMP Workbench installer may insecurely load Dynamic Link Libraries
STAMP Workbench is a modeling tool for STAMP provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA. It is distirbuted as a ZIP archive or an Windows executable installer. The Windows executable installer contains an issue with the DLL search path, which may lead to insecurely loading...
Movable Type vulnerable to open redirect
Overview Movable Type provided by Six Apart Ltd. contains an open redirect vulnerability CWE-601. Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a...
JVN#65280626: Movable Type vulnerable to open redirect
Movable Type provided by Six Apart Ltd. contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update the...
Arbitrary File Deletion Vulnerability in Hitachi Command Suite
Overview An arbitrary file deletion vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
DoS Vulnerability in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview A DoS vulnerability was found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take...
Information Disclosure Vulnerability in Hitachi Command Suite
Overview An Information Disclosure Vulnerability was found in Hitachi Command Suite. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Rakuma App vulnerable to authentication information disclosure
Overview Rakuma App provided by Rakuten, Inc. contains an authentication information disclosure vulnerability CWE-200. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#41566067: Rakuma App vulnerable to authentication information disclosure
Rakuma App provided by Rakuten, Inc. contains an authentication information disclosure vulnerability CWE-200. Impact If a malicious application created by the third party with a purpose to attack a Rakuma user is installed in the Rakuma user's mobile device, it may obtain Rakuma user's...
Trend Micro OfficeScan vulnerable to directory traversal
Overview Trend Micro OfficeScan contains a directory traversal vulnerability CWE-22. If this vulnerability is exploited, an authenticated user on the administrative console of the affected product may upload an arbitrary zip file to the specific folder, then extract and execute it. Trend Micro...