5609 matches found
Aterm WF800HP vulnerable to cross-site request forgery
Overview Aterm WF800HP provided by NEC Corporation contains a cross-site request forgery vulnerability CWE-352. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Aterm WG300HP vulnerable to cross-site request forgery
Overview Aterm WG300HP provided by NEC Corporation contains a cross-site request forgery vulnerability CWE-352. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#82020528: Aterm WG300HP vulnerable to cross-site request forgery
Aterm WG300HP provided by NEC Corporation contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Apply a Workaround The following workaround may mitigate the effects of this...
JVN#07818796: Aterm WF800HP vulnerable to cross-site request forgery
Aterm WF800HP provided by NEC Corporation contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Firmware Update to the latest firmware version according to the information...
WordPress plugin "WP Favorite Posts" vulnerable to cross-site scripting
Overview "WP Favorite Posts" is a plugin for WordPress. WP Favorite Posts contains a cross-site scripting vulnerability. Note that this vulnerability cannot be exploited on the default settings. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC...
JVN#86517621: WordPress plugin "WP Favorite Posts" vulnerable to cross-site scripting
"WP Favorite Posts" is a plugin for WordPress. WP Favorite Posts contains a cross-site scripting vulnerability. Note that this vulnerability cannot be exploited on the default settings. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update to the...
Information Disclosure Vulnerability in Hitachi Compute Systems Manager
Overview An Information Disclosure Vulnerability was found in Hitachi Compute Systems Manager. Impact An attacker might exploit this vulnerability to obtain sensitive session information. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriat...
Multiple Corega wireless LAN routers vulnerable to cross-site request forgery
Overview Multiple wireless LAN routers provided by Corega Inc contain a cross-site request forgery vulnerability CWE-352. Yutaka Kokubu and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. and Ueki Shuya reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#59349382: Multiple Corega wireless LAN routers vulnerable to cross-site request forgery
Multiple wireless LAN routers provided by Corega Inc contain a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged into the management screen, various administrative functions may be performed. Solution Apply a workaround The following workaround...
Remote File Inclusion Vulnerability in Hitachi Command Suite
Overview A Remote File Inclusion Vulnerability was found in Hitachi Command Suite. Impact A malicious attacker might exploit this vulnerability to load external files into a browser. Solution Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate actio...
Log-Chat vulnerable to cross-site scripting
Overview Log-Chat provided by Script contains a stored cross-site scripting vulnerability CWE-79. Masamu Asato of National Institute of Technology, Okinawa College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#93535632: Log-Chat vulnerable to cross-site scripting
Log-Chat provided by Script contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the software Update to the latest version according to the information provided by the developer. Products Affected Log-Ch...
LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)
Overview LINE for Windows and LINE for Mac OS contain a denial-of-service DoS vulnerability due to an issue in displaying the Timeline. Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
EC-CUBE plugin "Help plug-in" vulnerable to SQL injection
Overview EC-CUBE plugin "Help plug-in" provided by Cuore contains an SQL injection vulnerability CWE-89. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact...
Internet Explorer cross-domain policy bypass
Overview Internet Explorer contains a flaw that may allow an attacker to bypass cross-domain policies. Yosuke HASEGAWA of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When a...
baserCMS vulnerable to OS command injection
Overview baserCMS is an open-source Contents Management System CMS. baserCMS contains an OS command injection vulnerability CWE-78. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary OS...
JVN#31524757: EC-CUBE plugin "Help plug-in" vulnerable to SQL injection
EC-CUBE plugin "Help plug-in" provided by Cuore contains an SQL injection vulnerability CWE-89. Impact Information stored in the database may be obtained or altered by a remote attacker. Solution Update the plugin Update to the latest version according to the information provided by the developer...
JVN#69854312: baserCMS vulnerable to OS command injection
baserCMS is an open-source Contents Management System CMS. baserCMS contains an OS command injection vulnerability CWE-78. Impact An arbitrary OS command may be executed on the server by a logged-in attacker. Solution Update the Software Update to the latest version according to the information...
JVN#46044093: LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)
LINE for Windows and LINE for Mac OS contain a denial-of-service DoS vulnerability due to an issue in displaying the Timeline. Impact By displaying a specially crafted post in Timeline, the product may be abnormally terminated. Solution Update the software Update to the latest version according t...
JVN#78383854: Internet Explorer cross-domain policy bypass
Internet Explorer contains an information disclosure vulnerability due to a flaw in handling cross-domain policies. Impact When specially crafted content is opened, cross-domain policies may be bypassed and then information of the URL that the user is accessing may be obtained by an attacker...
Cybozu Office vulnerable to cross-site scripting
Overview Cybozu Office contains a cross-site scripting vulnerability CWE-79 in multiple functions. Masato Kinugawa reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc...
Cybozu Office vulnerable to open redirect
Overview Cybozu Office contains an open redirect vulnerability in network functions. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the latest...
Cybozu Office vulnerable to cross-site request forgery
Overview Cybozu Office contains a cross-site request forgery vulnerability CWE-352 in multiple functions. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update to the latest version according to the information provide...
Cybozu Office access restriction bypass vulnerability
Overview Cybozu Office contains an access restriction bypass vulnerability in multiple functions. Impact A remote unauthenticated attacker may view the information about the groupware. An authenticated attacker may obtain privileged information or may cause specific functions to become unusable...
Cybozu Office vulnerable to information disclosure
Overview Cybozu Office contains an information disclosure vulnerability. Note that this vulnerability is different from JVN28042424. Impact If a user views a malicious page while logged in, the token used for cross-site request forgery CSRF protection may be disclosed. As a result, an attacker who...
Cybozu Office vulnerable to information disclosure
Overview Cybozu Office contains an information disclosure vulnerability in the mail function. Note that this vulnerability is different from JVN47296923. Impact When a specially crafted mail is opened, image files accessible by authenticated users may be obtained by a third party. Solution Updat...
Cybozu Office vulnerable to denial-of-service (DoS)
Overview Cybozu Office contains a denial-of-service DoS vulnerability due to an issue in "customapp". Impact An authenticated attacker may cause a denial-of-service DoS condition in which all users cannot use the system. Solution Update the Software Update to the latest version according to the...
Microsoft Producer for Microsoft Office PowerPoint vulnerable to cross-site scripting
Overview Microsoft Producer for Microsoft Office PowerPoint may create a web page which contains a DOM-based cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Microsoft Producer for Microsoft Office PowerPoint...
JVN#64209269: Cybozu Office vulnerable to cross-site request forgery
Cybozu Office contains a cross-site request forgery vulnerability CWE-352 in multiple functions. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#71428831: Cybozu Office vulnerable to open redirect
Cybozu Office contains an open redirect vulnerability in network functions. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the Software Update to the latest version...
JVN#20246313: Cybozu Office vulnerable to denial-of-service (DoS)
Cybozu Office contains a denial-of-service DoS vulnerability due to an issue in "customapp". Impact An authenticated attacker may cause a denial-of-service DoS condition in which all users cannot use the system. Solution Update the Software Update to the latest version according to the information...
JVN#47296923: Cybozu Office vulnerable to information disclosure
Cybozu Office contains an information disclosure vulnerability. Impact If a user views a malicious page while logged in, the token used for cross-site request forgery CSRF protection may be disclosed. As a result, an attacker who obtains the CSRF token can perform further attacks. Solution Update the...
JVN#69278491: Cybozu Office vulnerable to cross-site scripting
Cybozu Office contains a cross-site scripting vulnerability CWE-79 in multiple functions. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected Cyboz...
JVN#48720230: Cybozu Office access restriction bypass vulnerability
Cybozu Office contains an access restriction bypass vulnerability in multiple functions. Impact A remote unauthenticated attacker may view the information about the groupware. An authenticated attacker may obtain privileged information or may cause specific functions to become unusable. Solution...
JVN#28042424: Cybozu Office vulnerable to information disclosure
Cybozu Office contains an information disclosure vulnerability in the mail function. Impact When a specially crafted mail is opened, image files accessible by authenticated users may be obtained by a third party. Solution Update the Software Update to the latest version according to the...
Akerun - Smart Lock Robot App for iOS fails to verify SSL server certificates
Overview Akerun - Smart Lock Robot App for iOS provided by Photosynth Inc. fails to verify SSL server certificates. Kenta Suefusa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
JVN#22578691: Akerun - Smart Lock Robot App for iOS fails to verify SSL server certificates
Akerun - Smart Lock Robot App for iOS provided by Photosynth Inc. fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information...
JVN#77012922: Microsoft Producer for Microsoft Office PowerPoint vulnerable to cross-site scripting
Microsoft Producer for Microsoft Office PowerPoint may create a web page which contains a DOM-based cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Microsoft Producer for Microsoft Office PowerPoint Microsoft...
JOB-CUBE vulnerable to cross-site scripting
Overview JOB-CUBE provided by WEBSQUARE Co.,Ltd. is software to build websites. JOB-CUBE contains a cross-site scripting vulnerability CWE-79. Masamu Asato of National Institute of Technology, Okinawa College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Vine MV vulnerable to cross-site scripting
Overview Vine MV contains a cross-site scripting vulnerability CWE-79. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be executed on the user's web browser. Solution Updat...
EXPRESSCLUSTER X vulnerable to directory traversal
Overview EXPRESSCLUSTER X from NEC Corporation is software to provide high availability HA clustering. EXPRESSCLUSTER X contains an issue in WebManager, which may lead to directory traversal. Yusuke SAKAI of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated...
JVN#03050861: EXPRESSCLUSTER X vulnerable to directory traversal
EXPRESSCLUSTER X from NEC Corporation is software to provide high availability HA clustering. EXPRESSCLUSTER X contains an issue in WebManager, which may lead to directory traversal. Impact Arbitrary files on the server may be viewed by an attacker who can access the WebManager. Solution Updat...
JVN#26921563: JOB-CUBE vulnerable to cross-site scripting
JOB-CUBE provided by WEBSQUARE Co.,Ltd. is software to build websites. JOB-CUBE contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the administrator's web browser. Solution Update the Software Update to the latest version according to the informati...
JVN#12165579: Vine MV vulnerable to cross-site scripting
Vine MV contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected Vine MV prior to commit...
HOME SPOT CUBE vulnerable to OS command injection
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains an OS command injection vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
HOME SPOT CUBE vulnerable to clickjacking
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains a clickjacking vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
HOME SPOT CUBE vulnerable to cross-site request forgery
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains a cross-site request forgery vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warnin...
HOME SPOT CUBE vulnerable to HTTP header injection
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains an HTTP header injection vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
HOME SPOT CUBE vulnerable to open redirect
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains an open redirect vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnershi...
HOME SPOT CUBE vulnerable to cross-site scripting
Overview HOME SPOT CUBE provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE contains a cross-site scripting vulnerability. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...