5625 matches found
WordPress plugin "Nofollow Links" vulnerable to cross-site scripting
Overview The WordPress plugin "Nofollow Links" contains a cross-site scripting CWE-79 vulnerability in nofollow-links.php. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#01956993: Vtiger CRM does not properly restrict access to application data
Vtiger CRM is a customer relationship management CRM software. Vtiger CRM contains a vulnerability where it does not properly restrict access to user information data. Impact A user with user privileges may create new users or alter existing user information. Solution Update the software Update t...
JVN#13582657: WordPress plugin "Nofollow Links" vulnerable to cross-site scripting
The WordPress plugin "Nofollow Links" contains a cross-site scripting CWE-79 vulnerability in nofollow-links.php. Impact An arbitrary script may be executed on the web browser of a user who is logged on as an administrator. Solution Update the plugin Update the plugin according to the information...
JVN#68364327: WAONサービスアプリ App for Android fails to verify SSL server certificates
WAONサービスアプリ App for Android provided by AEON CO., LTD. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by...
LINE for Windows may insecurely load Dynamic Link Libraries
Overview LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#51565015: LINE for Windows may insecurely load Dynamic Link Libraries
LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Impact Arbitrary code may be executed with the privileges of the running application. Solution Update the Software For cuurent users of LINE for...
Apache Commons FileUpload vulnerable to denial-of-service (DoS)
Overview Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service DoS. TERASOLUNA FWStruts1 Team of NTT DATA Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#89379547: Apache Commons FileUpload vulnerable to denial-of-service (DoS)
Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service DoS. Impact Processing a specially crafted request may result in the server's CPU resources to be exhausted. Solution Apply the update...
Sushiro App fails to verify SSL server certificates
Overview Sushiro App provided by AKINDO SUSHIRO CO., LTD. fails to verify SSL server certificates. Yuta Teshima of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
JVN#30260727: Sushiro App fails to verify SSL server certificates
Sushiro App provided by AKINDO SUSHIRO CO., LTD. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by the...
DMM Movie Player App fails to verify SSL server certificates
Overview DMM Movie Player App provided by DMM.com Labo Co.,Ltd. fails to verify SSL server certificates. Yuji Tounai of NTT Com Security Japan KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
Multiple Hikari Denwa routers vulnerable to cross-site request forgery
Overview Multiple Hikari Denwa routers contain a cross-site request forgery vulnerability CWE-352. Ryoya Tsukasaki of Urawa Commercial High School reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact If a user...
Multiple Hikari Denwa routers vulnerable to OS command injection
Overview Multiple Hikari Denwa routers contain an OS command injection vulnerability CWE-78. Ryoya Tsukasaki of Urawa Commercial High School reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary OS...
QNAP QTS vulnerable to cross-site scripting
Overview QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a cross-site scripting vulnerability CWE-79. Keigo YAMAZAKI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
JVN#39594409: DMM Movie Player App fails to verify SSL server certificates
DMM Movie Player App provided by DMM.com Labo Co.,Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest version according to the information provided by...
JVN#45034304: Multiple Hikari Denwa routers vulnerable to cross-site request forgery
Multiple Hikari Denwa routers contain a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Firmware Apply the appropriate firmware update provided by the developer. Products Affecte...
JVN#42930233: QNAP QTS vulnerable to cross-site scripting
QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Firmware Update to the latest version of firmware according to the information provided by the...
JVN#77403442: Multiple Hikari Denwa routers vulnerable to OS command injection
Multiple Hikari Denwa routers contain an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed on the product by a logged-in attacker. Solution Update the Firmware Apply the appropriate firmware update provided by the developer. Products Affected NIPPON TELEGRA...
WordPress plugin "Welcart e-Commerce" vulnerable to session management
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a vulnerability in session management. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a cross-site scripting vulnerability CWE-79. Note that this vulnerability is different from JVN95082904. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
Overview WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a cross-site scripting vulnerability CWE-79. Note that this vulnerability is different from JVN55826471. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with t...
WordPress plugin "Welcart e-Commerce" vulnerable to PHP object injection
Overview WordPress plugin "Welcart e-Commerce" contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#47363774: WordPress plugin "Welcart e-Commerce" vulnerable to PHP object injection
WordPress plugin "Welcart e-Commerce" contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized. Impact A remote attacker may execute arbitrary PHP code. Solution Update the Software Update to the latest version according to the information provided ...
JVN#55826471: WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the develope...
JVN#95082904: WordPress plugin "Welcart e-Commerce" vulnerable to cross-site scripting
WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the develope...
JVN#61578437: WordPress plugin "Welcart e-Commerce" vulnerable to session management
WordPress plugin "Welcart e-Commerce" provided by Collne Inc. contains a vulnerability in session management. Impact A remote attacker who knows a user's e-mail address may log in with the user privilege. As a result, arbitrary operations may be conducted. Solution Update the Software Update to t...
CG-WLR300GNV Series does not limit authentication attempts
Overview CG-WLR300GNV and CG-WLR300GNV-W provided by Corega Inc are wireless LAN routers. The WPS functionality in CG-WLR300GNV Series does not limit PIN authentication attempts, making it susceptible to brute force attacks. Takeshi Okamoto of Kanagawa Institute of Technology and Takaaki Minegish...
CG-WLBARAGM vulnerable to denial-of-service (DoS)
Overview CG-WLBARAGM provided by Corega Inc is a wireless LAN router. CG-WLBARAGM contains a denial-of-service DoS vulnerability. Yuji Ukai of FFRI, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
CG-WLBARGL vulnerable to command injection
Overview CG-WLBARGL provided by Corega Inc is a wireless LAN router. CG-WLBARGL contains a command injection vulnerability. Ohji Kashiwazaki of Global Security Experts Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#75028871: CG-WLR300GNV Series does not limit authentication attempts
CG-WLR300GNV and CG-WLR300GNV-W provided by Corega Inc are wireless LAN routers. The WPS functionality in CG-WLR300GNV Series does not limit PIN authentication attempts, making it susceptible to brute force attacks. Impact An unauthenticated attacker within wireless range of the device may perfor...
JVN#76653039: CG-WLBARGL vulnerable to command injection
CG-WLBARGL provided by Corega Inc is a wireless LAN router. CG-WLBARGL contains a command injection vulnerability. Impact An arbitrary command may be executed by an authenticated attacker. Solution Do not use CG-WLBARGL As of Jun 22nd, 2016, there are no practical solutions to this issue. It is...
JVN#24409899: CG-WLBARAGM vulnerable to denial-of-service (DoS)
CG-WLBARAGM provided by Corega Inc is a wireless LAN router. CG-WLBARAGM contains a denial-of-service DoS vulnerability. Impact An unauthenticated remote attacker may cause the product to reboot. Solution Apply a Workaround The following workarounds may mitigate the affects of this vulnerability...
Apache Struts vulnerable to input validation bypass
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain an input validation bypass vulnerability. Takeshi Terada of Mitsui Bussan Secure Directions, Inc...
Apache Struts vulnerable to validation bypass in Getter method
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain a validation bypass in Getter method vulnerability. JPCERT/CC Addendum Update: August 25, 2016...
Apache Struts vulnerable to cross-site request forgery
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain a cross-site request forgery vulnerability. Takeshi Terada of Mitsui Bussan Secure Directions, Inc...
Apache Struts vulnerable to denial-of-service (DoS)
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain a denial-of-service DoS vulnerability due to an issue in URLValidator. ASAI Ken reported this...
Apache Struts vulnerable to remote code execution
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Web applications that are developed using Apache Struts 2 REST Plugin contain a remote code execution vulnerability. Note that the exploit code for this vulnerability is...
JVN#12352818: Apache Struts 2 vulnerable to denial-of-service (DoS)
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain a denial-of-service DoS vulnerability due to an issue in URLValidator. Impact An unauthenticated remote...
JVN#07710476: Apache Struts 2 vulnerable to remote code execution
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating Java web applications. Web applications that are developed using Apache Struts 2 REST Plugin contain a remote code execution vulnerability. Note that the exploit code for this vulnerability is publicly...
JVN#45093481: Multiple vulnerabilities in Apache Struts 2
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain multiple vulnerabilities listed below. Cross-site request forgery S2-038 - CVE-2016-4430 Version| Vector|...
Deep Discovery Inspector vulnerable to remote code execution
Overview Deep Discovery Inspector provided by Trend Micro Incorporated contains a remote code execution vulnerability. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the...
JVN#55428526: Deep Discovery Inspector vulnerable to remote code execution
Deep Discovery Inspector provided by Trend Micro Incorporated contains a remote code execution vulnerability. Impact An attacker who can access the product as an administrator may execute arbitrary code with the root privilege. Solution For Deep Discovery Inspector 3.5 and later: Apply the patch...
ETX-R vulnerable to denial-of-service (DoS)
Overview ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a denial-of-service DoS vulnerability. Junichi MURAKAMI of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
ETX-R vulnerable to cross-site request forgery
Overview ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a cross-site request forgery vulnerability CWE-352. Junichi MURAKAMI of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#96052093: ETX-R vulnerable to denial-of-service (DoS)
ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a denial-of-service DoS vulnerability. Impact A remote unauthenticated attacker may cause the web server on the product to be terminated abnormally. Solution Apply a Workaround The following workarounds may mitigate the...
JVN#61317238: ETX-R vulnerable to cross-site request forgery
ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Apply a Workaround The following workarounds may mitigate the...
DX Library vulnerable to remote code execution
Overview DX Library is an open source library for creating Windows applications. DX Library contains a remote code execution vulnerability due to an issue in printfDx. Tomoya Kitagawa of Graduate School of Information Science, Nara Institute of Science and Technology reported this vulnerability t...
JVN#15205734: DX Library vulnerable to remote code execution
DX Library is an open source library for creating Windows applications. DX Library contains a remote code execution vulnerability due to an issue in printfDx. Impact When processing a specially crafted string, an application built using DX Library may allow arbitrary code to be executed. Solution...
TERASOLUNA Server Framework for Java(WEB) access restriction bypass vulnerability in the file extention filter
Overview The TERASOLUNA Server Framework for JavaWEB provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for JavaWEB has a function to restrict access to contents with specified file extentions from browser requests. This functio...
Apache Struts 1 vulnerable to input validation bypass
Overview The Apache Struts 1 Validator contains a vulnerability where input validation configurations validation rules, error messages, etc. may be modified. This occurs when the following ActionForm including its subclasses are in the session scope. ValidatorForm ValidatorActionForm Impact Effec...