Explzh vulnerable to directory traversal
Overview Explzh is a file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability CWE-22. Explzh is not vulnerable to relative path traversal but to absolute path traversal. Therefore, an attacker may create new files or overwrite...
JVN#55813866: Explzh vulnerable to directory traversal
Explzh is a file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability CWE-22. Explzh is not vulnerable to relative path traversal but to absolute path traversal. Therefore, an attacker may create new files or overwrite existing file...
Multiple vulnerabilities in Aterm HC100RC
Overview Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639 Buffer Overflow CWE-119 - CVE-2018-0640, CVE-2018-0641 Taizoh Tsukamoto of Mits...
Multiple vulnerabilities in Aterm W300P
Overview Aterm W300P provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631 Buffer Overflow CWE-119 - CVE-2018-0632, CVE-2018-0633 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this...
Multiple OS command injection vulnerabilities in Aterm WG1200HP
Overview Aterm WG1200HP provided by NEC Corporation contains multiple OS command injection vulnerabilities CWE-78. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#84825660: Multiple vulnerabilities in Aterm HC100RC
Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H...
JVN#00401783: Multiple OS command injection vulnerabilities in Aterm WG1200HP
Aterm WG1200HP provided by NEC Corporation contains multiple OS command injection vulnerabilities CWE-78. Impact A user who can access the product with administrative privileges may execute an arbitrary OS command. Solution Update the Firmware Apply the latest firmware update according to the...
JVN#26629618: Multiple vulnerabilities in Aterm W300P
Aterm W300P provided by NEC Corporation contains multiple vulnerabilities listed below. OS Command Injection CWE-78 - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8 CVSS v2|...
DHC Online Shop App for Android fails to verify SSL server certificates
Overview DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates. Sho Ueshima and Tsuyoshi Ogawa of SIE Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
The installers of multiple Logicool software programs may insecurely load Dynamic Link Libraries
Overview The installers of multiple software programs provided by Logicool Co. Ltd contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinat...
JVN#77409513: DHC Online Shop App for Android fails to verify SSL server certificates
DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provid...
JVN#52574492: The installers of multiple Logicool software programs may insecurely load Dynamic Link Libraries
The installers of multiple software programs provided by Logicool Co. Ltd contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the...
Installer of Glary Utilities may insecurely load Dynamic Link Libraries
Overview Installer of Glary Utilities provided by Glarysoft Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Eili Masami reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Ear...
JVN#84967039: Installer of Glary Utilities may insecurely load Dynamic Link Libraries
Installer of Glary Utilities provided by Glarysoft Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installer U...
Cybozu Garoon vulnerable to SQL injection
Overview Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability CWE-89 in application "Notifications". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security...
Multiple vulnerabilities in Calsos CSDX and CSDJ series products
Overview Calsos CSDX and CSDJ series products provided by NEC Platforms, Ltd. contain multiple vulnerabilities listed below. Access Restriction Bypass CWE-284 - CVE-2018-0613 Cross-site scripting CWE-79 - CVE-2018-0614 NEC Platforms, Ltd. reported this vulnerability to JPCERT/CC to notify users o...
JVN#63895206: Multiple vulnerabilities in Calsos CSDX and CSDJ series products
Calsos CSDX and CSDJ series products provided by NEC Platforms, Ltd. contain multiple vulnerabilities listed below. Access Restriction Bypass CWE-284 - CVE-2018-0613 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Base Score: 8.8 CVSS v2|...
JVN#13415512: Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability CWE-89 in application "Notifications". Impact A remote authenticated attacker may execute an arbitrary SQL command. Solution Update the Software Update to the latest version according to the information provided by the...
Mailman vulnerable to cross-site scripting
Overview Mailman provided by GNU Mailman contains a stored cross-site scripting vulnerability CWE-79. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#00846677: Mailman vulnerable to cross-site scripting
Mailman provided by GNU Mailman contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected...
MemoCGI vulnerable to directory traversal
Overview MemoCGI provided by ChamaNet contains a directory traversal vulnerability CWE-22. Ikuo Shoji reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A remote attacker may view files on the server. Solution...
JVN#58362455: MemoCGI vulnerable to directory traversal
MemoCGI provided by ChamaNet contains a directory traversal vulnerability CWE-22. Impact A remote attacker may view files on the server. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected MemoCGI v2.1800 to v2.2200...
ANA App for iOS fails to verify SSL server certificates
Overview ANA App for iOS provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates CWE-295. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Chrome Extension "5000 trillion yen converter" vulnerable to cross-site scripting
Overview Chrome Extension "5000 trillion yen converter" provided by Owen contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the extension Update the extension according to the information provided by the...
JVN#71535108: ANA App for iOS fails to verify SSL server certificates
ANA App for iOS provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates CWE-295. Impact A man-in-the-middle attack may allow an attacker to obtain and/or alter the content of communication. Solution Update the Application Update to the latest version according to the...
JVN#98975951: Chrome Extension "5000 trillion yen converter" vulnerable to cross-site scripting
Chrome Extension "5000 trillion yen converter" provided by Owen contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the extension Update the extension according to the information provided by the developer...
Local File Inclusion vulnerability in Zenphoto
Overview Zenphoto is a content management system CMS. Zenphoto contains a Local File Inclusion vulnerability. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Sensitive information may be obtained or...
JVN#33124193: Local File Inclusion vulnerability in Zenphoto
Zenphoto is a content management system CMS. Zenphoto contains a Local File Inclusion vulnerability. Impact Sensitive information may be obtained or arbitrary code may be executed by a remote administrative user. Solution Update the Software Update to the latest version according to the informati...
LINE for Windows may insecurely load Dynamic Link Libraries
Overview LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software. If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries CWE-427. LINE...
JVN#92265618: LINE for Windows may insecurely load Dynamic Link Libraries
LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software. If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code...
H2O vulnerable to buffer overflow
Overview H2O is open source web server software. H2O contains a buffer overflow vulnerability CWE-119 due to a processing flaw in the output of Access Log. Marlies Ruck of ForAllSecure reported this vulnerability to Kazuho Oku, and Kazuho Oku reported this vulnerability to IPA to notify users of...
JVN#93226941: H2O vulnerable to buffer overflow
H2O is open source web server software. H2O contains a buffer overflow vulnerability CWE-119 due to a processing flaw in the output of Access Log. Impact A remote attacker may be able to cause a denial-of-service DoS condition or may execute arbitrary code. Solution Update the Software Update to...
Multiple vulnerabilities in Pixelpost
Overview Pixelpost provided by Pixelpost.org contains multiple vulnerabilities listed below. Arbitrary code execution - CVE-2018-0604 Cross-site scripting CWE-79 - CVE-2018-0605 SQL injection CWE-89 - CVE-2018-0606 ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#27978559: Multiple vulnerabilities in Pixelpost
Pixelpost provided by Pixelpost.org contains multiple vulnerabilities listed below. Arbitrary code execution - CVE-2018-0604 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L| Base Score: 4.7 CVSS v2| AV:N/AC:L/Au:S/C:P/I:P/A:P| Base Score: 6.5 Cross-site...
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely invoke an executable file
Overview The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely invoking an executable file...
JVN#20040004: The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely invoke an executable file
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely invoking an executable file CWE-427...
WordPress plugin "Site Reviews" vulnerable to cross-site scripting
Overview The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability CWE-79. Keita Uchida of TDU Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting
Overview The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Information Disclosure Vulnerability in Hitachi Automation Director
Overview An Information Disclosure Vulnerability was found in Hitachi Automation Director. Impact Regarding the impact of the vulnerability, please refer to the vendor advisory. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
JVN#60978548: WordPress plugin "Site Reviews" vulnerable to cross-site scripting
The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the develope...
JVN#16471686: WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting
The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provid...
The installer of PlayMemories Home for Windows may insecurely load Dynamic Link Libraries
Overview PlayMemories Home for Windows provided by Sony Corporation is Image Management Software. The installer of PlayMemories Home for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT Communications...
Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries
Overview Susie plug-in "axpdfium" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user running the program where "axpdfium" is used. Solution Update the plug-in Update...
JVN#13940333: The installer of PlayMemories Home for Windows may insecurely load Dynamic Link Libraries
PlayMemories Home for Windows provided by Sony Corporation is Image Management Software. The installer of PlayMemories Home for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the...
JVN#79301396: Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries
Susie plug-in "axpdfium" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user running the program where "axpdfium" is used. Solution Update the plug-in Update the plug-...
Multiple cross-site scripting vulnerabilities in Cybozu Mailwise
Overview Cybozu Mailwise contains multiple cross-site scripting vulnerabilities below. Stored cross-site scripting vulnerability in "E-mail Details Screen" CWE-79 - CVE-2018-0557 Reflected cross-site scripting vulnerability in "System settings" CWE-79 - CVE-2018-0558 Reflected cross-site scriptin...
Multiple vulnerabilities in baserCMS
Overview baserCMS provided by baserCMS Users Community is an open source content management system. baserCMS contains multiple vulnerabilities listed below. Command injection CWE-94 - CVE-2018-0569 Cross-site scripting CWE-79 - CVE-2018-0570 Unrestricted Upload of File with Dangerous Type in uploa...
Multiple vulnerabilities in Cybozu Office
Overview Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Information disclosure in the application "Message" when viewing an external image CWE-200 - CVE-2018-0526 Stored cross-site scripting in "E-mail Details Screen" of the application "E-mail" CWE-79 -...
JVN#67881316: Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community is an open source content management system. baserCMS contains multiple vulnerabilities listed below. Command injection CWE-94 - CVE-2018-0569 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L| Base Score: 6.3 CVS...
JVN#51737843: Multiple vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. Information disclosure in the application "Message" when viewing an external image CWE-200 - CVE-2018-0526 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N| Base Score:...