5609 matches found
JVN#97845465: Multiple integer overflow vulnerabilities in LINE(Android)
LINE(Android) provided by LINE Corporation contains multiple integer overflow vulnerabilities CWE-190 listed below. Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L| Base...
Multiple buffer overflow vulnerabilities in multiple Ricoh printers and Multifunction Printers (MFPs)
Overview Multiple printers and Multifunction Printers MFPs provided by RICOH COMPANY, LTD. contain multiple buffer overflow vulnerabilities listed below. Buffer overflow in parsing HTTP cookie header CWE-119 - CVE-2019-14300 Buffer overflow in parsing HTTP parameter setting for Wifi, mDNS, POP3,...
JVN#11708203: Multiple buffer overflow vulnerabilities in multiple Ricoh printers and Multifunction Printers (MFPs)
Multiple printers and Multifunction Printers MFPs provided by RICOH COMPANY, LTD. contain multiple buffer overflow vulnerabilities listed below. Buffer overflow in parsing HTTP cookie header CWE-119 - CVE-2019-14300 Version| Vector| Score ---|---|--- CVSS v3|...
apng-drawable vulnerable to integer overflow
Overview apng-drawable provided by LINE Corporation contains an integer overflow vulnerability CWE-190. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning...
JVN#39383894: apng-drawable vulnerable to integer overflow
apng-drawable provided by LINE Corporation contains an integer overflow vulnerability CWE-190. Impact An attacker may cause a denial of service DoS condition or execute arbitrary code. Solution Update the Software The developer released apng-drawable that contains a fix for this vulnerability...
SHIRASAGI vulnerable to open redirect
Overview SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
JVN#74699196: SHIRASAGI vulnerable to open redirect
SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the...
Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure...
Panasonic Video Insight VMS vulnerable to SQL injection
Overview Video Insight VMS provided by Panasonic Corporation is a video management suite for video security system. Video Insight VMS contains a SQL injection vulnerability CWE-89. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC...
JVN#93833849: Panasonic Video Insight VMS vulnerable to SQL injection
Video Insight VMS provided by Panasonic Corporation is a video management suite for video security system. Video Insight VMS contains a SQL injection vulnerability CWE-89. Impact A logged in user may execute an arbitrary SQL statement to the database. Solution Update the software Update the softwa...
Cybozu Garoon vulnerable to SQL injection
Overview Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability CWE-89 in the processing of Todo portlet. Shoji Baba reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/C...
JVN#71877187: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability CWE-89 in the processing of Todo portlet. Impact A user who can login to the product may obtain or alter information stored in the database. Solution Apply the Patch Apply the patch according to the information provide...
Smart TV Box fails to restrict access permissions
Overview Smart TV Box provided by KDDI CORPORATION enables access to Android Debug Bridge via port 5555/TCP of LAN side interface. When a cable television provider sets up Smart TV Box at an individual residence, direct access from outside to the LAN side interface of Smart TV Box is disabled...
JVN#17127920: Smart TV Box fails to restrict access permissions
Smart TV Box provided by KDDI CORPORATION enables access to Android Debug Bridge via port 5555/TCP of LAN side interface. When a cable television provider sets up Smart TV Box at an individual residence, direct access from outside to the LAN side interface of Smart TV Box is disabled. However if...
ApeosWare Management Suite and ApeosWare Management Suite 2 contain open redirect vulnerability
Overview ApeosWare Management Suite and ApeosWare Management Suite 2 provided by Fuji Xerox Co.,Ltd. are software products to manage devices and their usages; providing authentication, printing, log accounting, and document distribution. These software products contain an open redirect...
JVN#07679150: ApeosWare Management Suite and ApeosWare Management Suite 2 contain open redirect vulnerability
ApeosWare Management Suite and ApeosWare Management Suite 2 provided by Fuji Xerox Co.,Ltd. are software products to manage devices and their usages; providing authentication, printing, log accounting, and document distribution. These software products contain an open redirect vulnerability...
WonderCMS vulnerable to directory traversal
Overview WonderCMS contains a directory traversal vulnerability CWE-22. Note that the original fix for this vulnerability was insufficient CVE-2018-7172. However, an updated version of the software, which completely addressed this vulnerability has been released by the developer. Sosuke Tokuda...
EC-CUBE plugin "Amazon Pay Plugin 2.12,2.13" vulnerable to cross-site scripting
Overview EC-CUBE plugin "Amazon Pay Plugin 2.12,2.13" provided by IPLOGIC CO.,LTD. contains a cross-site scripting vulnerability CWE-79. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#29343839: EC-CUBE plugin "Amazon Pay Plugin 2.12,2.13" vulnerable to cross-site scripting
EC-CUBE plugin "Amazon Pay Plugin 2.12,2.13" provided by IPLOGIC CO.,LTD. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who logs in to the product with the administrative privilege. Solution Update the Plugin Update...
Central Dogma vulnerable to cross-site scripting
Overview Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability CWE-79. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning...
JVN#94889214: Central Dogma vulnerable to cross-site scripting
Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affecte...
WordPress Plugin "Category Specific RSS feed Subscription" vulnerable to cross-site request forgery
Overview WordPress Plugin "Category Specific RSS feed Subscription" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Gota Abe of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this...
JVN#92510087: WordPress Plugin "Category Specific RSS feed Subscription" vulnerable to cross-site request forgery
WordPress Plugin "Category Specific RSS feed Subscription" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin...
WordPress Plugin "WordPress Ultra Simple Paypal Shopping Cart" vulnerable to cross-site request forgery
Overview WordPress Plugin "WordPress Ultra Simple Paypal Shopping Cart" provided by Mike Castro Demaria contains a cross-site request forgery vulnerability CWE-352. Yuta Kikuchi of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. DOM-based cross-site scripting in the application "Portal" CWE-79 - CVE-2019-5975 Denial-of-service DoS CWE-20 - CVE-2019-5976 Mail header injection in the application "E-mail" CWE-74 - CVE-2019-5977...
JVN#62618482: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. DOM-based cross-site scripting in the application "Portal" CWE-79 - CVE-2019-5975 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 4.4 CVSS v2|...
JVN#48981892: WordPress Plugin "WordPress Ultra Simple Paypal Shopping Cart" vulnerable to cross-site request forgery
WordPress Plugin "WordPress Ultra Simple Paypal Shopping Cart" provided by Mike Castro Demaria contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin...
Intel Dual Band Wireless-AC 8260 vulnerable to denial-of-service (DoS)
Overview Intel Dual Band Wireless-AC 8260 contains a denial-of-service DoS vulnerability CWE-400. Yusuke Ogawa of Cisco Systems G.K. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker may be able to...
JVN#75617741: Intel Dual Band Wireless-AC 8260 vulnerable to denial-of-service (DoS)
Intel Dual Band Wireless-AC 8260 contains a denial-of-service DoS vulnerability CWE-400. Impact An attacker may be able to cause a denial-of-service DoS. Solution Update the device driver Apply the appropriate device driver update according to the information provided by the developer. Products...
Multiple vulnerabilities in Access analysis CGI An-Analyzer
Overview Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains multiple vulnerabilities listed below. OS command injection in the Management Page CWE-78 - CVE-2019-5987 Stored cross-site scripting in the Management Page CWE-79 - CVE-2019-5988 DOM-based cross-site scripting in t...
JVN#37230341: Multiple vulnerabilities in Access analysis CGI An-Analyzer
Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains multiple vulnerabilities listed below. OS command injection in the Management Page CWE-78 - CVE-2019-5987 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L| Base Score: 6.3 CVSS v2|...
The management console of iDoors Reader vulnerable to authentication bypass
Overview The management console of iDoors Reader provided by A.T.WORKS, Inc. contains an authentication bypass vulnerability CWE-288. Yusuke Nakano of Secure Cycle Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnershi...
JVN#28218613: The management console of iDoors Reader vulnerable to authentication bypass
The management console of iDoors Reader provided by A.T.WORKS, Inc. contains an authentication bypass vulnerability CWE-288. Impact An attacker in the same segment may access the management console and operate the product. Solution Update the Firmware Apply the firmware update according to the...
Multiple vulnerabilities in Panasonic BN-SDWBP3
Overview BN-SDWBP3 provided by Panasonic Corporation is a Wi-Fi Reader/Writer for SD Memory Cards. BN-SDWBP3 contains multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2018-0676 OS Command Injection CWE-78 - CVE-2018-0677 Buffer Overflow CWE-119 - CVE-2018-0678 Taizoh...
Multiple vulnerabilities in Hikari Denwa router/Home GateWay
Overview Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5985 Cross-site Request Forgery CWE-352 - CVE-2019-5986...
JVN#43172719: Multiple vulnerabilities in Hikari Denwa router/Home GateWay
Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5985 Version| Vector| Score ---|---|--- CVSS v3|...
WordPress Plugin "Custom CSS Pro" vulnerable to cross-site request forgery
Overview WordPress Plugin "Custom CSS Pro" provided by WaspThemes contains a cross-site request forgery vulnerability CWE-352. Dai Nakamura of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the develop...
WordPress Plugin "HTML5 Maps" vulnerable to cross-site request forgery
Overview WordPress Plugin "HTML5 Maps" provided by Fla-Shop.com contains a cross-site request forgery vulnerability CWE-352. Daisuke Shimizu of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the...
JVN#29933378: WordPress Plugin "Custom CSS Pro" vulnerable to cross-site request forgery
WordPress Plugin "Custom CSS Pro" provided by WaspThemes contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information provided...
JVN#49575131: WordPress Plugin "HTML5 Maps" vulnerable to cross-site request forgery
WordPress Plugin "HTML5 Maps" provided by Fla-Shop.com contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information provided b...
Multiple vulnerabilities in VAIO Update
Overview VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below. Improper authorization process CWE-285 - CVE-2019-5981 Improper verification of download file CWE-669 - CVE-2019-5982 Device Security reported this vulnerability to IPA. JPCERT/CC coordinated with th...
JVN#13555032: Multiple vulnerabilities in VAIO Update
VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below. Improper authorization process CWE-285 - CVE-2019-5981 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H| Base Score: 7.8 CVSS v2| AV:N/AC:M/Au:N/C:P/I:P/A:P| Base Score...
WordPress Plugin "Personalized WooCommerce Cart Page" vulnerable to cross-site request forgery
Overview WordPress Plugin "Personalized WooCommerce Cart Page" provided by N-MEDIA contains a cross-site request forgery vulnerability CWE-352. Akira Yamasaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this...
JVN#88804335: WordPress Plugin "Personalized WooCommerce Cart Page" vulnerable to cross-site request forgery
WordPress Plugin "Personalized WooCommerce Cart Page" provided by N-MEDIA contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the...
WordPress Plugin "Related YouTube Videos" vulnerable to cross-site request forgery
Overview WordPress Plugin "Related YouTube Videos" provided by Chris Doerr contains a cross-site request forgery vulnerability CWE-352. Shoichiro Ishikawa of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability...
JVN#31406910: WordPress Plugin "Related YouTube Videos" vulnerable to cross-site request forgery
WordPress Plugin "Related YouTube Videos" provided by Chris Doerr contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information...
A map plugin for Minecraft server "Dynmap" fails to restrict access permissions
Overview A map plugin for Minecraft server "Dynmap" fails to restrict access permissions CWE-284. RyotaK directly reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer f...
JVN#89046645: A map plugin for Minecraft server "Dynmap" fails to restrict access permissions
A map plugin for Minecraft server "Dynmap" fails to restrict access permissions CWE-284. Impact Where a user is required to log in to Dynmap, a remote attacker may bypass the login authentication and be able to see a map image that requires authentication. Solution Update the...
WordPress Plugin "Contest Gallery" vulnerable to cross-site request forgery
Overview WordPress Plugin "Contest Gallery" provided by Contest-Gallery contains a cross-site request forgery vulnerability CWE-352. Okazawa Yoshihiro of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to...
JVN#80925867: WordPress Plugin "Contest Gallery" vulnerable to cross-site request forgery
WordPress Plugin "Contest Gallery" provided by Contest-Gallery contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information...