5625 matches found
Multiple vulnerabilities in Hikari Denwa router/Home GateWay
Overview Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5985 Cross-site Request Forgery CWE-352 - CVE-2019-5986...
JVN#43172719: Multiple vulnerabilities in Hikari Denwa router/Home GateWay
Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5985 Version| Vector| Score ---|---|--- CVSS v3|...
WordPress Plugin "Custom CSS Pro" vulnerable to cross-site request forgery
Overview WordPress Plugin "Custom CSS Pro" provided by WaspThemes contains a cross-site request forgery vulnerability CWE-352. Dai Nakamura of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the develop...
WordPress Plugin "HTML5 Maps" vulnerable to cross-site request forgery
Overview WordPress Plugin "HTML5 Maps" provided by Fla-Shop.com contains a cross-site request forgery vulnerability CWE-352. Daisuke Shimizu of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the...
JVN#29933378: WordPress Plugin "Custom CSS Pro" vulnerable to cross-site request forgery
WordPress Plugin "Custom CSS Pro" provided by WaspThemes contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information provided...
JVN#49575131: WordPress Plugin ”HTML5 Maps” vulnerable to cross-site request forgery
WordPress Plugin ”HTML5 Maps” provided by Fla-Shop.com contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information provided b...
Multiple vulnerabilities in VAIO Update
Overview VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below. Improper authorization process CWE-285 - CVE-2019-5981 Improper verification of download file CWE-669 - CVE-2019-5982 Device Security reported this vulnerability to IPA. JPCERT/CC coordinated with th...
JVN#13555032: Multiple vulnerabilities in VAIO Update
VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below. Improper authorization process CWE-285 - CVE-2019-5981 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H| Base Score: 7.8 CVSS v2| AV:N/AC:M/Au:N/C:P/I:P/A:P| Base Score...
WordPress Plugin "Personalized WooCommerce Cart Page" vulnerable to cross-site request forgery
Overview WordPress Plugin "Personalized WooCommerce Cart Page" provided by N-MEDIA contains a cross-site request forgery vulnerability CWE-352. Akira Yamasaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this...
JVN#88804335: WordPress Plugin "Personalized WooCommerce Cart Page” vulnerable to cross-site request forgery
WordPress Plugin "Personalized WooCommerce Cart Page” provided by N-MEDIA contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the...
WordPress Plugin "Related YouTube Videos" vulnerable to cross-site request forgery
Overview WordPress Plugin "Related YouTube Videos" provided by Chris Doerr contains a cross-site request forgery vulnerability CWE-352. Shoichiro Ishikawa of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability...
JVN#31406910: WordPress Plugin "Related YouTube Videos" vulnerable to cross-site request forgery
WordPress Plugin "Related YouTube Videos" provided by Chris Doerr contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information...
A map plugin for Mincraft server "Dynmap" fails to restrict access permissions
Overview A map plugin for Mincraft server "Dynmap" fails to restrict access permissions CWE-284. RyotaK directly reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer f...
JVN#89046645: A map plugin for Minecraft server "Dynmap" fails to restrict access permissions
A map plugin for Minecraft server "Dynmap" fails to restrict access permissions CWE-284. Impact Under the circumstance where a user is required to login Dynmap, a remote attacker may bypass the login authentication and be able to see a map image that requires authentication. Solution Update the...
WordPress Plugin "Contest Gallery" vulnerable to cross-site request forgery
Overview WordPress Plugin "Contest Gallery" provided by Contest-Gallery contains a cross-site request forgery vulnerability CWE-352. Okazawa Yoshihiro of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to...
JVN#80925867: WordPress Plugin "Contest Gallery” vulnerable to cross-site request forgery
WordPress Plugin "Contest Gallery” provided by Contest-Gallery contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information...
Multiple vulnerabilities in WordPress Plugin "Online Lesson Booking"
Overview WordPress Plugin "Online Lesson Booking" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2019-5972 Cross-site request forgery vulnerability CWE-352 - CVE-2019-5973 Natsumi Matsuoka of Cryptography...
Multiple vulnerabilities in WordPress Plugin "Attendance Manager"
Overview WordPress Plugin "Attendance Manager" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2019-5970 Cross-site request forgery vulnerability CWE-352 - CVE-2019-5971 Natsumi Matsuoka of Cryptography...
JVN#96988995: Multiple vulnerabilities in WordPress Plugin "Online Lesson Booking"
WordPress Plugin "Online Lesson Booking" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2019-5972 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
JVN#95685939: Multiple vulnerabilities in WordPress Plugin "Attendance Manager"
WordPress Plugin "Attendance Manager" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2019-5970 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
Multiple vulnerabilities in GROWI
Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Cross-site request forgery vulnerability in the process of updating user's "Basic Info" CWE-352 - CVE-2019-5968 Open redirect vulnerability in the process of login CWE-601 - CVE-2019-5969 Security Group of...
Joruri CMS 2017 vulnerable to cross-site scripting
Overview Joruri CMS 2017 provided by SiteBridge Inc. contains a cross-site scripting vulnerability CWE-79. Yuji Tounai of Mercari, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may...
Multiple vulnerabilities in Joruri Mail
Overview Joruri Mail provided by SiteBridge Inc. contains multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2019-5965 Session Management CWE-639 - CVE-2019-5966 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated...
JVN#29188908: Joruri CMS 2017 vulnerable to cross-site scripting
Joruri CMS 2017 provided by SiteBridge Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affect...
JVN#84876282: Multiple vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Cross-site request forgery vulnerability in the process of updating user's "Basic Info" CWE-352 - CVE-2019-5968 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N| Base Score: 4.3...
JVN#58052567: Multiple vulnerabilities in Joruri Mail
Joruri Mail provided by SiteBridge Inc. contains multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2019-5965 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base Score: 2.6 Session...
Vulnerability in Cosminexus HTTP Server and Hitachi Web Server
Overview A vulnerability CVE-2019-0220 exists in Cosminexus HTTP Server and Hitachi Web Server. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate...
Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"
Overview WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5962 Cross-site Request Forgery CWE-352 - CVE-2019-5963 Kouhei Ikeda of Cryptography Laboratory,Department of Information and Communication...
JVN#88962935: Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"
WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5962 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N|...
Android App "Tootdon for Mastodon" fails to verify SSL server certificates
Overview Android App "Tootdon for Mastodon" provided by Tsukurito, Inc. fails to verify SSL server certificates CWE-295. Gomasy reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may...
JVN#57806517: Android App "Tootdon for Mastodon" fails to verify SSL server certificates
Android App "Tootdon for Mastodon" provided by Tsukurito, Inc. fails to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to obtain and/or alter a content of communication. Solution Update the Application Update to the latest version according to the...
WordPress plugin "WP Open Graph" vulnerable to cross-site request forgery
Overview WordPress plugin "WP Open Graph" provided by Custom4Web contains a cross-site request forgery vulnerability CWE-352. Koichi Kuriyama of Cryptography Laboratory,Department ofInformation and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the...
JVN#33652328: WordPress plugin "WP Open Graph" vulnerable to cross-site request forgery
WordPress plugin "WP Open Graph" provided by Custom4Web contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Update the plugin according to the information provided ...
Apache Camel vulnerable to XML external entity injection (XXE)
Overview Apache Camel provided by The Apache Software Foundation contains an XML external entity injection XXE vulnerability CWE-611 due to using an outdated vulnerable JSON-lib library. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
JVN#71498764: Apache Camel vulnerable to XML external entity injection (XXE)
Apache Camel provided by The Apache Software Foundation contains an XML external entity injection XXE vulnerability CWE-611 due to using an outdated vulnerable JSON-lib library. Impact By processing a specially crafted request, an arbitrary file on the server may be read. Solution Update the...
DoS Vulnerability in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager
Overview A DoS Vulnerability was found in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section...
Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure...
Electronic reception and examination of application for radio licenses Offline may insecurely load Dynamic Link Libraries
Overview Electronic reception and examination of application for radio licenses Offline contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privileges of the running software. Solution Upda...
Installer of Electronic reception and examination of application for radio licenses Online may insecurely load Dynamic Link Libraries
Overview Installer of Electronic reception and examination of application for radio licenses Online contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the...
CREATE SD official App for Android fails to restrict access permissions
Overview CREATE SD official App for Android provided by CREATE SD CO., LTD. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and t...
JVN#69903953: Electronic reception and examination of application for radio licenses Offline may insecurely load Dynamic Link Libraries
Electronic reception and examination of application for radio licenses Offline contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privileges of the running software. Solution Update the...
JVN#87655507: CREATE SD official App for Android fails to restrict access permissions
CREATE SD official App for Android provided by CREATE S・D CO., LTD. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability CWE-284 that may allow the vulnerable App to receive an Intent from an arbitrary App and to access...
JVN#91361851: Installer of Electronic reception and examination of application for radio licenses Online may insecurely load Dynamic Link Libraries
Installer of Electronic reception and examination of application for radio licenses Online contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer...
Multiple vulnerabilities in Cybozu Garoon
Overview Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Cross-site scripting in the additional processing of Customize Item function CWE-79 - CVE-2019-5928 Cross-site scripting in the application "Memo" CWE-79 - CVE-2019-5929 Browse restriction bypass in th...
Multiple Vulnerabilities in Cosminexus
Overview Cosminexus Developer's Kit for Java and Hitachi Developer's Kit for Java contain the following vulnerabilities: CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698 Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the...
JVN#58849431: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Cross-site scripting in the additional processing of Customize Item function CWE-79 - CVE-2019-5928 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS...
GNU Wget vulnerable to buffer overflow
Overview GNU Wget contains a buffer overflow vulnerability CWE-119. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker may be able to cause a denial-of-service DoS or may execute an...
JVN#25261088: GNU Wget vulnerable to buffer overflow
GNU Wget contains a buffer overflow vulnerability CWE-119. Impact An attacker may be able to cause a denial-of-service DoS or may execute an arbitrary code. Solution Apply the update Update GNU Wget according to the information provided by the developer. Products Affected GNU Wget 1.20.1 and earl...
The installer of Microsoft Teams may insecurely load Dynamic Link Libraries
Overview The installer of Microsoft Teams contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Microsoft states that the root cause of this vulnerability is "Application Directory App Dir DLL planting", thus there is no plan to release a...
API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions
Overview JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions CWE-284. The application is no longer available/supported, and its service was ended in 2019 march 23. Tomoya Takahashi of TCU...