WordPress plugin "Booking Calendar" vulnerable to cross-site scripting
Overview The WordPress plugin "Booking Calendar" provided by wpdevelop contains a stored cross-site scripting vulnerability CWE-79. Satoshi Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/C...
WordPress plugin "Booking Calendar" vulnerable to directory traversal
Overview The WordPress plugin "Booking Calendar" provided by wpdevelop contains a directory traversal vulnerability CWE-22. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A local file outside of th...
Hoozin Viewer vulnerable to buffer overflow
Overview Hoozin Viewer provided by ICON CORPORATION contains a buffer overflow vulnerability CWE-121. Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user views a malicious page, arbitrary...
JVN#18739672: WordPress plugin "Booking Calendar" vulnerable to directory traversal
The WordPress plugin "Booking Calendar" provided by wpdevelop contains a directory traversal vulnerability CWE-22. Impact A local file outside of the application on the server may be accessed by a remote attacker. Solution Update the Software Update to the latest version according to the...
JVN#54268888: Multiple JustSystems products including Hanako may insecurely load Dynamic Link Libraries
Hanako and multiple software suites containing Hanako provided by JustSystems Corporation contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privileges of the user running the application. Solution...
JVN#93931029: Hoozin Viewer vulnerable to buffer overflow
Hoozin Viewer provided by ICON CORPORATION contains a buffer overflow vulnerability CWE-121. Impact If a user views a malicious page, arbitrary code may be executed. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected...
JVN#54762089: WordPress plugin "Booking Calendar" vulnerable to cross-site scripting
The WordPress plugin "Booking Calendar" provided by wpdevelop contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of a user accessing the page generated by the application. Solution Update the Software Update to the latest...
SEIL Series routers vulnerable to denial-of-service (DoS)
Overview The DNS forwarder, the PPP Access Concentrator L2TP and the MeasureiPerf server function in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service DoS vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported th...
JVN#86171513: SEIL Series routers vulnerable to denial-of-service (DoS)
The DNS forwarder, the PPP Access Concentrator L2TP and the MeasureiPerf server function in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service DoS vulnerability due to a flaw in processing certain packets. Impact Receiving a specially crafted packet may...
NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control
Overview ProSAFE Plus Configuration Utility provided by NETGEAR is a Windows application to configure and manage NETGEAR's ProSAFE Plus and Click Switches. An operator uses the utility to login and configure NETGEAR switches. When the utility is invoked, it starts listening on a certain port for...
JVN#08740778: NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control
ProSAFE Plus Configuration Utility provided by NETGEAR is a Windows application to configure and manage NETGEAR's ProSAFE Plus and Click Switches. An operator uses the utility to login and configure NETGEAR switches. When the utility is invoked, it starts listening on a certain port for SOAP...
Multiple installers of Toshiba memory card related software may insecurely load Dynamic Link Libraries
Overview Multiple installers of Toshiba memory card related software contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the...
WN-AC1167GR vulnerable to cross-site scripting
Overview WN-AC1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AC1167GR contains a stored cross-site scripting vulnerability CWE-79. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#05340816: Multiple installers of Toshiba memory card related software may insecurely load Dynamic Link Libraries
Multiple installers of Toshiba memory card related software contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege of the user invoking the installer. Solution Use the latest installe...
JVN#01537659: WN-AC1167GR vulnerable to cross-site scripting
WN-AC1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AC1167GR contains a stored cross-site scripting vulnerability CWE-79. Impact If a user accesses a malicious URL while logged in, an arbitrary script may be executed on the user's web browser. Solution Update the Firmware...
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Overview The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability CWE-79. Note that this vulnerability is different from JVN62392065. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Overview The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability CWE-79 in multiple pages due to a flaw in processing HTTP Referer headers. Note that this vulnerability is different from JVN77253951. Gen Sato of Mitsui Bussan Secure...
JVN#62392065: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability CWE-79 in multiple pages due to a flaw in processing HTTP Referer headers. Impact An arbitrary script may be executed on the web browser of a user accessing the page generated by th...
JVN#77253951: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of a user accessing the page generated by the application. Solution Update the plugin Update the plugin accordi...
The API in Cybozu Office vulnerable to denial-of-service (DoS)
Overview The API in Cybozu Office contains a denial-of-service DoS vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership. Impact A...
Cybozu Office fails to restrict access permission in the templates delete function in "customapp"
Overview Cybozu Office contains an access restriction flaw in the templates delete function in "customapp". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning...
Cybozu Office fails to restrict access permission in the file export function in "customapp"
Overview Cybozu Office contains an access restriction flaw in the file export function in "customapp". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning...
The design setting screen in Cybozu Office vulnerable to cross-site scripting
Overview The design setting screen in Cybozu Office contains a cross-site scripting vulnerability. Kazuto Sagamihara reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the...
ASSETBASE vulnerable to cross-site scripting
Overview ASSETBASE provided by UCHIDA YOKO CO., LTD. is an IT asset management tool. ASSETBASE contains a cross-site scripting vulnerability CWE-79. Keitaro Yamazaki of Kyoto University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#17535578: Multiple vulnerabilities in Cybozu Office
Cybozu Office contains multiple vulnerabilities listed below. Cross-site scripting in the design setting screen CWE-79 - CVE-2017-2114

Version| Vector| Score
---|---|---
CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N| Base Score: 5.4
CVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| Base Score: 4.0...
JVN#82019695: ASSETBASE vulnerable to cross-site scripting
ASSETBASE provided by UCHIDA YOKO CO., LTD. is an IT asset management tool. ASSETBASE contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of a user who logged-in as an administrator. Solution Update the Software Update to the latest...
CS-Cart Japanese Edition vulnerable to cross-site request forgery
Overview CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site request forgery CWE-352 vulnerability. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
CS-Cart Japanese Edition fails to restrict access permissions
Overview CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Overview The WordPress plugin "WP Statistics" provided by WP Statistics contains a reflected cross-site scripting vulnerability CWE-79. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
CS-Cart Japanese Edition fails to restrict access permissions
Overview CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Note that this vulnerability is different from JVN14396697. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/C...
WN-G300R3 vulnerable to stack based buffer overflow
Overview WN-G300R3 provided by I-O DATA DEVICE, INC. contains a stack based buffer overflow vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WN-G300R3 vulnerable to OS command injection
Overview WN-G300R3 provided by I-O DATA DEVICE, INC. contains an OS command injection vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
JVN#17633442: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the...
JVN#25598952: CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Impact An unauthenticated remote attacker may create a request to return an item that a consumer has purchased. Solution Update the Software Update to the latest versi...
JVN#87770873: CS-Cart Japanese Edition vulnerable to cross-site request forgery
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site request forgery CWE-352 vulnerability. Impact If a consumer views a malicious page while logged in, an unintended item may be purchased. Solution Update the Software Update to the latest...
JVN#14396697: CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Impact An unauthenticated remote attacker may obtain consumer's information such as its name and street address registered in the website. Solution Update the Software...
JVN#81024552: Multiple vulnerabilities in WN-G300R3
WN-G300R3 provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R3 contains multiple vulnerabilities listed below. OS command injection CWE-78 - CVE-2017-2141

Version| Vector| Score
---|---|---
CVSS v3| CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H| Base Score: 6.8
CVSS v2|...
Tablacus Explorer vulnerable to script injection
Overview Tablacus Explorer is a tabbed file manager. Tablacus Explorer contains a script injection vulnerability due to improper handling of directory names. Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#64451600: Tablacus Explorer vulnerable to script injection
Tablacus Explorer is a tabbed file manager. Tablacus Explorer contains a script injection vulnerability due to improper handling of directory names. Impact When a user accesses a crafted directory, an arbitrary script may be executed on Tablacus Explorer. As a result, an arbitrary OS command may...
Vulnerability in JP1/Cm2/Network Node Manager i
Overview A vulnerability CVE-2016-4397 exists in JP1/Cm2/Network Node Manager i. Impact An attacker may have unspecified impact. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
CentreCOM AR260S V2 vulnerable to privilege escalation
Overview CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability. Ziv Chang of Trend Micro Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...
JVN#55121369: CentreCOM AR260S V2 vulnerable to privilege escalation
CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability. Impact Unintended operations may be performed with administrative privileges by a user who can log into the product with "guest" account. Solution Apply...
WordPress plugin "YOP Poll" vulnerable to cross-site scripting
Overview The WordPress plugin "YOP Poll" contains a stored cross-site scripting CWE-79 vulnerability. Sho Ueshima, Takashi Honda, Tsuyoshi Ogawa and Minaho Umehara of SIE Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#55294532: WordPress plugin "YOP Poll" vulnerable to cross-site scripting
The WordPress plugin "YOP Poll" contains a stored cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application. Solution Update the plugin Update the plugin according to the information provided ...
Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
Overview PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries...
JVN#93699304: Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427...
Security guide for website operators vulnerable to OS command injection
Overview Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains an OS command injection vulnerability CWE-78 due to an issue in loading saved data. This vulnerability was reported by IPA to notify users of its solution through JVN. JPCERT/CC a...
JVN#11448789: Security guide for website operators vulnerable to OS command injection
Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains an OS command injection vulnerability CWE-78 due to an issue in loading saved data. Impact When specially crafted saved data is loaded, an arbitrary OS command may be executed. Solution Do...
Cybozu KUNAI for Android information management vulnerability
Overview Cybozu KUNAI for Android is a mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android provides a function to output log information when synchronizing data with Cybozu, however the function is disabled by default. Cybozu KUNAI for Android contains an issu...
JVN#88745657: Cybozu KUNAI for Android information management vulnerability
Cybozu KUNAI for Android is a mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android provides a function to output log information when synchronizing data with Cybozu, however the function is disabled by default. Cybozu KUNAI for Android contains an issue where i...