5625 matches found
JVN#69812763: cordova-plugin-ionic-webview vulnerable to path traversal
cordova-plugin-ionic-webview provided by npm, Inc. contains a path traversal vulnerability CWE-22 . Impact A remote attacker may obtain an arbitrary file such as a file related to an application on iOS device. As a result, contents of the file may be disclosed. Solution Recreate iOS application...
JVN#13199224: PgpoolAdmin fails to restrict access permissions
PgpoolAdmin provided by PgPool Global Development Group fails to restrict access permissions CWE-264. Impact A remote attacker may bypass the login authentication and obtain the administrative privilege of the PostgreSQL database. Solution Update the Software Update to the latest version accordin...
Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway
Overview Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2018-16197 Hidden functionality CWE-912 - CVE-2018-16198 Cross-site scripting CWE-79 - CVE-2018-16199 OS command injection CWE-78 -...
JVN#99810718: Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below. Improper access control CWE-284 - CVE-2018-16197 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L| Base Score: 6.3 CVSS v2|...
Multiple vulnerabilities in Aterm WF1200CR and Aterm WG1200CR
Overview Aterm WF1200CR and Aterm WG1200CR provided by NEC Corporation contain multiple vulnerabilities listed below. Information disclosure CWE-200 - CVE-2018-16192 Stored cross-site scripting CWE-79 - CVE-2018-16193 OS command injection CWE-78 - CVE-2018-16194 OS command injection in SOAP...
JVN#87535892: Multiple vulnerabilities in Aterm WF1200CR and Aterm WG1200CR
Aterm WF1200CR and Aterm WG1200CR provided by NEC Corporation contain multiple vulnerabilities listed below. Information disclosure CWE-200 - CVE-2018-16192 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N| Base Score: 4.3 CVSS v2|...
Multiple vulnerabilities in Cybozu Remote Service
Overview Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Upload of arbitrary files in logo setting screen CWE-434 - CVE-2018-16169 Directory traversal in used device management screen CWE-22 - CVE-2018-16170 Directory traversal in client certificates...
Cybozu Garoon access restriction bypass vulnerability
Overview Single sign-on function of Cybozu Garoon provided by Cybozu, Inc. contains a restriction bypass vulnerability CWE-284. Kanta Nishitani reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...
JVN#25385698: Cybozu Garoon access restriction bypass vulnerability
Single sign-on function of Cybozu Garoon provided by Cybozu, Inc. contains a restriction bypass vulnerability CWE-284. Impact An attacker who can access the product may bypass authentication of Single sign-on function and view the information which is available only for sign-on users. Solution...
JVN#23161885: Multiple vulnerabilities in Cybozu Remote Service
Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Upload of arbitrary files in logo setting screen CWE-434 - CVE-2018-16169 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 8.8 CVSS v2|...
Multiple vulnerabilities in i-FILTER
Overview i-FILTER provided by Digital Arts Inc. contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2018-16180 HTTP header injection CWE-113 - CVE-2018-16181 Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
JVN#32155106: Multiple vulnerabilities in i-FILTER
i-FILTER provided by Digital Arts Inc. contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2018-16180 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N| Base Score: 4.3 HTTP...
Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners
Overview Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2018-0688 HTTP header injection CWE-113 - CVE-2018-0689 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability t...
JVN#89767228: Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners
Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2018-0688 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2| AV:N/AC:M/Au:N/C:N/I:P/A:N|...
Problem with directory permissions in JP1/Operations Analytics
Overview A problem with directory permissions was found in JP1/Operations Analytics. Impact Regarding the impact of the vulnarability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate acti...
Panasonic applications register unquoted service paths
Overview Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths CWE-428. Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information...
JVN#36895151: Panasonic applications register unquoted service paths
Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths CWE-428. Impact If a malicious executable is placed on a certain path, it may be executed with the elevated privilege. Solution Update the Software Apply "Remediate Service Path Vulnerability...
The installer of MARKET SPEED may insecurely load Dynamic Link Libraries
Overview The installer of MARKET SPEED provided by Rakuten Securities, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Takashi Sugawara reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
EC-CUBE vulnerable to open redirect
Overview EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an open redirect vulnerability CWE-601. LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD...
JVN#78422300: The installer of MARKET SPEED may insecurely load Dynamic Link Libraries
The installer of MARKET SPEED provided by Rakuten Securities, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest...
JVN#25359688: EC-CUBE vulnerable to open redirect
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted page, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a...
Multiple vulnerabilities in RICOH Interactive Whiteboard
Overview RICOH Interactive Whiteboard provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. Command injection CWE-94 - CVE-2018-16184 Missing file signature - CVE-2018-16185 Hard-coded credentials for the administrator settings screen - CVE-2018-16186 The server...
JVN#55263945: Multiple vulnerabilities in RICOH Interactive Whiteboard
RICOH Interactive Whiteboard provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. Command injection CWE-94 - CVE-2018-16184 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score: 9.8 CVSS v2| AV:N/AC:L/AU:N/C:C/I:C/A:C| Bas...
JVN#65082538: Multiple vulnerabilities in Panasonic BN-SDWBP3
BN-SDWBP3 provided by Panasonic Corporation is a Wi-Fi Reader/Writer for SD Memory Cards. BN-SDWBP3 contains multiple vulnerabilities listed below. Improper Authentication CWE-287 - CVE-2018-0676 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H| Base Score:...
Mizuho Bank Mizuho Direct App for Android fails to verify SSL server certificates
Overview Mizuho Bank Mizuho Direct App for Android fails to verify SSL server certificates. Mizuho Bank Mizuho Direct App for Android provided by Mizuho Bank, Ltd. fails to verify SSL server certificates CWE-295. Reo Yoshida reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the...
Multiple Vulnerabilities in JP1/VERITAS
Overview Multiple vulnerabilities have been found in JP1/VERITAS. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Cybozu Dezie vulnerable to directory traversal
Overview Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its...
Multiple directory traversal vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple directory traversal vulnerabilities below. Directory traversal vulnerability due to a flaw in processing parameter of the HTTP request CWE-22 - CVE-2018-0703 Directory traversal vulnerability due to a flaw in processing parameter...
Cybozu Mailwise vulnerable to directory traversal
Overview Cybozu Mailwise provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of it...
JVN#15232217: Multiple directory traversal vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple directory traversal vulnerabilities below. Directory traversal vulnerability due to a flaw in processing parameter of the HTTP request CWE-22 - CVE-2018-0703 Version| Vector| Score ---|---|--- CVSS v3|...
JVN#16697622: Cybozu Dezie vulnerable to directory traversal
Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Impact A remote attacker may delete arbitrary files on the server. Solution Update the Software Update to the latest version according to the...
JVN#83739174: Cybozu Mailwise vulnerable to directory traversal
Cybozu Mailwise provided by Cybozu, Inc. contains a directory traversal vulnerability CWE-22 due to a flaw in processing parameter of the HTTP request. Impact A remote attacker may delete arbitrary files on the server. Solution Update the Software Update to the latest version according to the...
Multiple vulnerabilities in WordPress plugin "LearnPress"
Overview WordPress LMS plugin "LearnPress" contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2018-16173 Open Redirect CWE-601 - CVE-2018-16174 SQL Injection CWE-89 - CVE-2018-16175 Daiki Sueyoshi of Cryptography Laboratory, Department of Information and Communicati...
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool may insecurely load Dynamic Link Libraries
Overview The installer of Windows10 Fall Creators Update Modify module for Security Measures tool provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Tomohisa Hasegawa of Canon...
JVN#15709478: The installer of Windows10 Fall Creators Update Modify module for Security Measures tool may insecurely load Dynamic Link Libraries
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be execut...
JVN#85760090: Multiple vulnerabilities in WordPress plugin "LearnPress"
WordPress LMS plugin "LearnPress" contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2018-16173 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N| Base Score: 2.6 Open...
WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
Overview The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability CWE-79. Yuta Kitaoka of TokyoDenkiUniversity Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Mail app for iOS vulnerable to denial-of-service (DoS)
Overview Mail app for iOS provided by Apple contains a denial-of-service DoS vulnerability due to an issue in the handling of a maliciously crafted S/MIME signed message. Yukinobu Nagayasu of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#75738023: WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged-in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the...
JVN#96551318: Mail app for iOS vulnerable to denial-of-service (DoS)
Mail app for iOS provided by Apple contains a denial-of-service DoS vulnerability due to an issue in the handling of a maliciously crafted S/MIME signed message. Impact Mail app may continuously crash when a maliciously crafted S/MIME signed message is listed on it. Solution Update iOS Update iOS...
Confluence Server vulnerable to script injection
Overview User Macros of Confluence Server provided by Atlassian Pty Ltd. contains a script injection vulnerability CWE-74. Kanta Nishitani of Information Science College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#37943805: Confluence Server vulnerable to script injection
User Macros of Confluence Server provided by Atlassian Pty Ltd. contains a script injection vulnerability CWE-74. Impact When the administrator embeds a malicious script into User Macros, the embedded script may be executed on the user's web browser. Solution Update the Software Update to the...
Multiple vulnerabilities in OpenDolphin
Overview OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below. Privilege escalation - CVE-2018-16161 Information disclosure CWE-200 - CVE-2018-16162 Restrict access permissions failure CWE-284 - CVE-2018-16163 Symantec Japan, Inc. Advisory...
JVN#59394343: Multiple vulnerabilities in OpenDolphin
OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below. Privilege escalation - CVE-2018-16161 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 8.8 CVSS v2| AV:N/AC:L/AU:S/C:P/I:P/A:P| Base...
BlueStacks App Player fails to restrict access permissions
Overview BlueStacks App Player fails to restrict access permissions CWE-284. Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
SecureCore Standard Edition vulnerable to authentication bypass
Overview SecureCore Standard Edition provided by Feitian Japan Co., Ltd. contains an authentication bypass vulnerability CWE-287. Daisuke Ota of BizReach, inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
JVN#60702986: BlueStacks App Player fails to restrict access permissions
BlueStacks App Player fails to restrict access permissions CWE-284. Impact A user with access to the network that is connected to the affected product may gain unauthorized access. Solution Update the Software Windows users should update to the latest version of software according to the...
JVN#21528670: SecureCore Standard Edition vulnerable to authentication bypass
SecureCore Standard Edition provided by Feitian Japan Co., Ltd. contains an authentication bypass vulnerability CWE-287. Impact An attacker may bypass the product's authentication and log in to a Windows PC. Solution Update the Software Update the software to the latest version according to the...
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Overview Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate acti...