5625 matches found
Information Disclosure Vulnerability in Hitachi Command Suite
Overview An Information Disclosure Vulnerability was found in Hitachi Command Suite. Impact An attacker might exploit this vulnerability to obtain sensitive session information. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Jetstar App for iOS fails to verify SSL server certificates
Overview Jetstar App for iOS provided by Jetstar Airways Pty Ltd. fails to verify SSL server certificates. Yuta TESHIMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
php-contact-form vulnerable to cross-site scripting
Overview php-contact-form provided by Kobe Beauty Co., Ltd. contains a cross-site scripting vulnerability CWE-79. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnershi...
HumHub vulnerable to cross-site scripting
Overview HumHub is a software framework for developing a social networking service SNS. HumHub contains a cross-site scripting vulnerability. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Ear...
JVN#43529183: Jetstar App for iOS fails to verify SSL server certificates
Jetstar App for iOS provided by Jetstar Airways Pty Ltd. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the application Update to the latest version according to the information provided ...
JVN#85112513: php-contact-form vulnerable to cross-site scripting
php-contact-form provided by Kobe Beauty Co., Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products...
JVN#56167268: HumHub vulnerable to cross-site scripting
HumHub is a software framework for developing a social networking service SNS. HumHub contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provide...
MP Form Mail CGI Professional Edition vulnerable to directory traversal
Overview MP Form Mail CGI Professional Edition provided by futomi Co., Ltd. contains a directory traversal vulnerability CWE-22. Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#42545812: MP Form Mail CGI Professional Edition vulnerable to directory traversal
MP Form Mail CGI Professional Edition provided by futomi Co., Ltd. contains a directory traversal vulnerability CWE-22. Impact Arbitrary files on the server may be viewed by the product's administrator. Solution Update the software Update to the latest version according to the information provide...
Web Mailing List vulnerable to cross-site scripting
Overview Web Mailing List provided by Epoch Ltd. contains a cross-site scripting vulnerability CWE-79. Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
JVN#43076390: Web Mailing List vulnerable to cross-site scripting
Web Mailing List provided by Epoch Ltd. contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products...
105 BANK App fails to verify SSL server certificates
Overview 105 BANK App provided by THE HYAKUGO BANK, LTD. is a mobile app for internet banking. 105 BANK App fails to verify SSL server certificates. Yuji Tounai of NTT Com Security Japan KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Ear...
JVN#11877654: 百五銀行 (105 BANK) App fails to verify SSL server certificates
百五銀行 105 BANK App provided by THE HYAKUGO BANK, LTD. is a mobile app for internet banking. 百五銀行 App fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Application Update to the latest...
Cybozu KUNAI App fails to verify SSL server certificates
Overview Cybozu KUNAI App provided by Cybozu, Inc. fails to verify SSL server certificates. Kusano Kazuhiko reported this vulnerability to the developer. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
a-blog cms vulnerable to cross-site scripting
Overview a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a cross-site scripting vulnerability in the standard template of the comment functionality. Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC...
a-blog cms vulnerable to session management
Overview a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a vulnerability in session management of the comment functionality. Yuya Yoshida of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#03975805: a-blog cms vulnerable to session management
a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a vulnerability in session management of the comment functionality. Impact An arbitrary comment posted may be deleted or a commenter's e-mail address may be obtained by an unauthenticated remote attacker...
JVN#73166466: a-blog cms vulnerable to cross-site scripting
a-blog cms provided by appleple Inc. is a content management system CMS. a-blog cms contains a cross-site scripting vulnerability in the standard template of the comment functionality. Impact An arbitrary script may be executed on the user's web browser. Solution Apply the Patch Apply the patch...
JVN#11994518: Cybozu KUNAI App fails to verify SSL server certificates
Cybozu KUNAI App provided by Cybozu, Inc. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer...
WordPress plugin "Ninja Forms" vulnerable to PHP object injection
Overview WordPress plugin "Ninja Forms" contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized. Impact A remote attacker may execute an arbitrary PHP code. Solution Update the Software Update to a version that addresses the vulnerability according...
FileMaker server issue where PHP source code may be viewable
Overview FileMaker server contains an issue where PHP source code may be viewable when Custom Web Publishing with PHP is enabled. Atsushi Matsuo of Emic Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#44657371: WordPress plugin "Ninja Forms" vulnerable to PHP object injection
WordPress plugin "Ninja Forms" contains a PHP object injection vulnerability due to a flaw where untrusted POST values are unserialized. Impact A remote attacker may execute an arbitrary PHP code. Solution Update the Software Update to a version that addresses the vulnerability according to the...
JVN#91638315: FileMaker server issue where PHP source code may be viewable
FileMaker server contains an issue where PHP source code may be viewable when Custom Web Publishing with PHP is enabled. Impact PHP source code may be viewable. Solution Apply an Update Update to the latest version according to the information provided by the developer. Products Affected FileMake...
WN-G300R Series vulnerable to cross-site scripting
Overview WN-G300R Series provided by I-O DATA DEVICE, INC. contains a cross-site scripting vulnerability. WN-G300R Series provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R Series contains a stored cross-site scripting vulnerability CWE-79. Satoshi Ogawa of Mitsui Bussan Secure...
WN-GDN/R3 Series does not limit authentication attempts
Overview WN-GDN/R3 Series provided by I-O DATA DEVICE, INC. does not limit authentication attempts. WN-GDN/R3 series provided by I-O DATA DEVICE, INC. is a wireless LAN router. WPS functionality in WN-GDN/R3 Series does not limit PIN authentication attempts, making it susceptible to brute force...
JVN#25674893: WN-GDN/R3 Series does not limit authentication attempts
WN-GDN/R3 series provided by I-O DATA DEVICE, INC. is a wireless LAN router. WPS functionality in WN-GDN/R3 Series does not limit PIN authentication attempts, making it susceptible to brute force attacks. Impact An unauthenticated attacker within wireless range of the device may perform a brute...
JVN#22978346: WN-G300R Series vulnerable to cross-site scripting
WN-G300R Series provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R Series contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Firmware Apply the appropriate firmware update provide...
Apache Cordova vulnerable to arbitrary plugin execution
Overview Apache Cordova contains a vulnerability where arbitrary plugins may be executed. Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where...
Apache Cordova fails to restrict access permissions
Overview Apache Cordova contains a vulnerability where whitelist restrictions are not properly applied. Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a...
JVN#35341085: Apache Cordova fails to restrict access permissions
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied. Impact Accessing a specially crafted URL may...
JVN#41772178: Apache Cordova vulnerable to arbitrary plugin execution
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. iOS applications built using Apache Cordova contain a vulnerability where arbitrary plugins may be executed. Impact Accessing a specially crafted URL may result in...
EC-CUBE vulnerable to cross-site request forgery
Overview EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability CWE-352. LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD...
Multiple shiro8 Co., Ltd. freearea_ addition_plugins for EC-CUBE vulnerable to cross-site scripting
Overview EC-CUBE plugin "categoryfreearea additionplugin" and "itemdetailfreearea additionplugin" provided by shiro8 Co., Ltd. contain a cross-site scripting vulnerability CWE-79. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
EC-CUBE fails to restrict access permissions
Overview EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Note that this vulnerability is different from JVN47473944. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC...
EC-CUBE fails to restrict access permissions
Overview EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Note that this vulnerability is different from JVN11458774. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC...
JVN#63384827: Multiple shiro8 Co., Ltd. freearea_ addition_plugins for EC-CUBE vulnerable to cross-site scripting
EC-CUBE plugin "categoryfreearea additionplugin" and "itemdetailfreearea additionplugin" provided by shiro8 Co., Ltd. contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the Software Update to the...
JVN#47473944: EC-CUBE fails to restrict access permissions
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Impact A remote attacker may bypass IP address restrictions and access the login page to the management screen. Solution Apply the update or the patch Apply the upda...
JVN#11458774: EC-CUBE fails to restrict access permissions
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE fails to restrict access permissions. Impact A logged in attacker may bypass access restrictions, or delete access restriction settings. Solution Apply the update or the patch Apply the update or the pat...
JVN#73776243: EC-CUBE vulnerable to cross-site request forgery
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability CWE-352. Impact If an administrator views a malicious page while logged in, unintended operations may be performed. Solution Apply the update or the...
kintone mobile for Android fails to verify SSL server certificates
Overview kintone mobile for Android provided by Cybozu, Inc. fails to verify SSL server certificates. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
kintone mobile for Android information management vulnerability
Overview kintone mobile for Android provided by Cybozu, Inc. contains an authentication information management vulnerability. Kusano Kazuhiko and Gopinath reported this vulnerability to the developer. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#91816422: kintone mobile for Android fails to verify SSL server certificates
kintone mobile for Android provided by Cybozu, Inc. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#89026267: kintone mobile for Android information management vulnerability
kintone mobile for Android provided by Cybozu, Inc. contains an authentication information management vulnerability. Impact If using Android versions prior to 4.1, the token may be disclosed by an application with READLOGS permission or by a user who can access the device. If using Android versio...
Electron may insecurely load Node modules
Overview Electron fails to restrict the path for loading Node modules, which may lead to execution of arbitrary JavaScript. Electron is a software framework for developing cross-platformm desktop applications with web technologies, such as HTML, CSS, JavaScript with Chromium and Node.js. Electron...
JVN#00324715: Electron may insecurely load Node modules
Electron is a software framework for developing cross-platformm desktop applications with web technologies, such as HTML, CSS, JavaScript with Chromium and Node.js. Electron is used in applications such as Atom editor, Microsoft Visual Studio Code, etc.. Electron contains a flaw where the search...
Photopt App fails to verify SSL server certificates
Overview Photopt App provided by NTT Communications Corporation fails to verify SSL server certificates. Yuto Iso reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
JVN#11815655: Photopt App fails to verify SSL server certificates
Photopt App provided by NTT Communications Corporation fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by th...
Tokyo Star bank App fails to verify SSL server certificates
Overview Tokyo Star bank App provided by The Tokyo Star Bank, Limited fails to verify SSL server certificates. Yuji Tounai of NTT Com Security Japan KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
JVN#00272277: Tokyo Star bank App fails to verify SSL server certificates
Tokyo Star bank App provided by The Tokyo Star Bank, Limited fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided...
EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" vulnerable to cross-site scripting
Overview EC-CUBE plugin "Social-button Plugin Premium" and "Social-button Plugin" provided by Cyber-Will Inc. contain a cross-site scripting vulnerability CWE-79. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...