5625 matches found
JVN#17633442: WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the...
JVN#25598952: ​CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Impact An unauthenticated remote attacker may create a request of return an item that a consumer has purchased. Solution Update the Software Update to the latest versi...
JVN#14396697: CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions CWE-425. Impact An unauthenticated remote attacker may obtain consumer's information such as its name and street address registered in the website. Solution Update the Software...
Tablacus Explorer vulnerable to script injection
Overview Tablacus Explorer is a tabbled file manager. Tablacus Explorer contains a script injection vulnerability due to improper handling of directory names. Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#64451600: Tablacus Explorer vulnerable to script injection
Tablacus Explorer is a tabbled file manager. Tablacus Explorer contains a script injection vulnerability due to improper handling of directory names. Impact When a user accesses a crafted directory, an arbitrary script may be executed on Tablacus Explorer. As a result, an arbitrary OS command may...
Vulnerability in JP1/Cm2/Network Node Manager i
Overview A vulnerability CVE-2016-4397 exists in JP1/Cm2/Network Node Manager i. Impact An attacker may have unspecified impact. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
CentreCOM AR260S V2 vulnerable to privilege escalation
Overview CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability. Ziv Chang of Trend Micro Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...
JVN#55121369: CentreCOM AR260S V2 vulnerable to privilege escalation
​CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability. Impact Unintended operations may be performed with administrative privileges by a user who can log into the product with "guest" account. Solution Apply...
WordPress plugin "YOP Poll" vulnerable to cross-site scripting
Overview The WordPress plugin "YOP Poll" contains a stored cross-site scripting CWE-79 vulnerability. Sho Ueshima, Takashi Honda, Tsuyoshi Ogawa and Minaho Umehara of SIE Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#55294532: WordPress plugin "YOP Poll" vulnerable to cross-site scripting
The WordPress plugin "YOP Poll" contains a stored cross-site scripting CWE-79 vulnerability. Impact An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application. Solution Update the plugin Update the plugin according to the information provided ...
Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
Overview PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries...
JVN#93699304: Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427...
Security guide for website operators vulnerable to OS command injection
Overview Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains an OS command injection vulnerability CWE-78 due to an issue in loading saved data. This vulnerability was reported by IPA to notify users of its solution through JVN. JPCERT/CC a...
JVN#11448789: Security guide for website operators vulnerable to OS command injection
Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains an OS command injection vulnerability CWE-78 due to an issue in loading saved data. Impact When specially crafted saved data is loaded, an arbitrary OS command may be executed. Solution Do...
Cybozu KUNAI for Android information management vulnerability
Overview Cybozu KUNAI for Android is a mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android provides a function to output log information when synchronizing data with Cybozu, however the function is disabled by default. Cybozu KUNAI for Android contains an issu...
JVN#88745657: Cybozu KUNAI for Android information management vulnerability
Cybozu KUNAI for Android is a mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android provides a function to output log information when synchronizing data with Cybozu, however the function is disabled by default. Cybozu KUNAI for Android contains an issue where i...
OneThird CMS vulnerable to cross-site scripting
Overview OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the inquiry form. Note that this vulnerability is different from JVN49408248. Satoshi Takagi of Cryptography Laboratory,Department of Information and Communication...
OneThird CMS vulnerable to cross-site scripting
Overview OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the language selection screen. Note that this vulnerability is different from JVN13003724. Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc. reported this...
JVN#49408248: OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the language selection screen. Impact An arbitrary script may be executed on the user's web browser. Solution For the users who have installed OneThird CMS already: Update th...
JVN#13003724: OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability CWE-79 due to an issue in processing the inquiry form. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the...
Multiple I-O DATA network camera products vulnerable to buffer overflow
Overview Multiple network camera products provided by I-O DATA DEVICE, INC. contain a Buffer overflow vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
Multiple I-O DATA network camera products vulnerable to OS command injection
Overview Multiple network camera products provided by I-O DATA DEVICE, INC. contain an OS command injection vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Earl...
Multiple I-O DATA network camera products vulnerable to HTTP header injection
Overview Multiple network camera products provided by I-O DATA DEVICE, INC. contain a HTTP header injection vulnerability. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Ear...
JVN#46830433: Multiple I-O DATA network camera products multiple vulnerabilities
Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below. HTTP header injection CWE-113 - CVE-2017-2111 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7 CVSS v2|...
Access CX App fails to verify SSL server certificates
Overview Access CX App provided by NISSAN SECURITIES CO., LTD. fails to verify SSL server certificates. Gaku Taniguchi of RiskFinder,inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle...
PrimeDrive Desktop Application Installer may insecurely load Dynamic Link Libraries
Overview PrimeDrive Desktop Application is the client application for PrimeDrive online storage service provided by SoftBank Corp. The installer of PrimeDrive Desktop Application is vulnerable to load specific Dynamic Link Libraries in the same directory CWE-427 . Eiji James Yoshida of Security...
JVN#82619692: Access CX App fails to verify SSL server certificates
Access CX App provided by NISSAN SECURITIES CO., LTD. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by...
JVN#88713190: PrimeDrive Desktop Application Installer may insecurely load Dynamic Link Libraries
PrimeDrive Desktop Application is the client application for PrimeDrive online storage service provided by SoftBank Corp. The installer of PrimeDrive Desktop Application is vulnerable to load specific Dynamic Link Libraries in the same directory CWE-427 . Impact Arbitrary code may be executed wit...
WBCE CMS vulnerable to SQL injection
Overview WBCE CMS provided by WBCE Team is an open-source Contents Management System CMS. WBCE CMS contains an SQL injection vulnerability CWE-89. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
WBCE CMS vulnerable to directory traversal
Overview WBCE CMS provided by WBCE Team is an open-source Contents Management System CMS. WBCE CMS contains a directory traversal vulnerability CWE-22. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impac...
WBCE CMS vulnerable to cross-site scripting
Overview WBCE CMS provided by WBCE Team is an open-source Contents Management System CMS. WBCE CMS contains a cross-site scripting vulnerability CWE-79. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
CubeCart vulnerable to directory traversal
Overview CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability CWE-22. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#63474730: CubeCart vulnerable to directory traversal
CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability CWE-22. Impact A local file outside of CubeCart may be accessed by an administrator of CubeCart. Solution Update the Software Update to the latest...
JVN#73083905: Multiple vulnerabilities in WBCE CMS
WBCE CMS provided by WBCE Team is an open-source Contents Management System CMS. WBCE CMS contains multiple vulnerabilities listed below. Cross-site scripting CWE-79 - CVE-2017-2118 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
Cybozu Garoon fails to restrict access permission in the mail function
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an access restriction flaw in the mail function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact A user may alter the order of the mail folders. Solution...
Cybozu Garoon fails to restrict access permission in Workflow and the function "MultiReport"
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an access restriction flaw in Workflow and the function "MultiReport". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact A user may alter or delete...
Cybozu Garoon vulnerable to information disclosure
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an information disclosure vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact Token used for cross-site request forgery CSRF protection may be...
Cybozu Garoon vulnerable to SQL injection
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an SQL injection vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early...
Cybozu Garoon fails to restrict access permission in the Phone Messages function
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains an access restriction flaw in the Phone Messages function Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC...
Cybozu Garoon vulnerable to cross-site scripting
Overview Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains a cross-site scripting. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning...
JVN#73182875: Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu,Inc. is a groupware. Cybozu Garoon contains multiple vulnerabilities listed below. SQL injection CWE-89 - CVE-2017-2090 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L| Base Score: 6.3 CVSS v2| AV:N/AC:L/Au:S/C:P/I:P/A:P|...
Self-Extracting Archives created by 7-ZIP32.DLL may insecurely load Dynamic Link Libraries
Overview 7-ZIP32.DLL is an open source library for compressing and decompressing 7z and zip format files. It can also create self-extracting archive files. Self-extracting archive files created by 7-ZIP32.DLL contain an issue with the DLL search path, which may lead to insecurely loading Dynamic...
JVN#86200862: Self-Extracting Archives created by 7-ZIP32.DLL may insecurely load Dynamic Link Libraries
7-ZIP32.DLL is an open source library for compressing and decompressing 7z and zip format files. It can also create self-extracting archive files. Self-extracting archive files created by 7-ZIP32.DLL contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link...
Apache Brooklyn vulnerable to cross-site scripting
Overview Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains cross-site scripting vulnerabilities. It is known that proof-of-concept code to exploit these vulnerabilties exist. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc...
Apache Brooklyn vulnerable to cross-site request forgery
Overview Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains a cross-site request forgery vulnerability. It is known that proof-of-concept code to exploit these vulnerabilties exist. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions,...
JVN#55489964: Multiple vulnerabilities in Apache Brooklyn
Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains the following vulnerabilities. It is known that proof-of-concept code to exploit these vulnerabilties exist. Cross-site Scripting Vulnerabilities CWE-79 - CVE-2017-3165 Version| Vector|...
TVer App for Android fails to verify SSL server certificates
Overview TVer App for Android provided by PRESENTCAST INC. fails to verify SSL server certificates. Yuto Iso of NTT Security Japan KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attac...
Norton Download Manager may insecurely load Dynamic Link Libraries
Overview Norton Download Manager provided by Symantec Japan, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#53880182: TVer App for Android fails to verify SSL server certificates
TVer App for Android provided by PRESENTCAST INC. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the...
JVN#40667528: Norton Download Manager may insecurely load Dynamic Link Libraries
Norton Download Manager provided by Symantec Japan, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privileges of the user running the application. Solution Use the latest Norton Download...