checkpw vulnerable to denial-of-service (DoS)
Overview: checkpw is a password authentication program. checkpw contains a denial-of-service (DoS) vulnerability due to a flaw in processing account names (CWE-400). Hiroya Ito of GMO Pepabo, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...
JVN#63949115: SEIL Series routers vulnerable to denial-of-service (DoS)
The PPP Access Concentrator (PPPAC) in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing SSTP packets. Impact: Receiving a specially crafted SSTP packet may result in the device becoming unresponsive. Solution...
JVN#62298871: KENT-WEB Clip Board vulnerability where arbitrary files may be deleted
Clip Board provided by KENT-WEB is bulletin board software that allows users to upload binary files such as image files. KENT-WEB Clip Board contains a vulnerability that may allow a remote attacker to delete arbitrary files. Impact: A remote attacker may delete arbitrary files on the server...
JVN#88862608: Joyful Note vulnerability in handling files
Joyful Note from KENT-WEB is bulletin board software that allows users to upload binary files such as image files. Joyful Note contains a vulnerability in handling files. Impact: A remote attacker may create arbitrary files or delete existing files on the server. As a result, arbitrary code may ...
JVN#34790526: checkpw vulnerable to denial-of-service (DoS)
checkpw is a password authentication program. checkpw contains a denial-of-service (DoS) vulnerability due to a flaw in processing account names (CWE-400). Impact: A remote attacker may be able to cause a denial-of-service (DoS). Solution: Update the Software. Update to the latest version according to the...
JVN#77718330: Vulnerability in the jBCrypt key stretching process
jBCrypt is a Java implementation to compute password hashes. jBCrypt contains an integer overflow vulnerability in the key stretching process. An integer overflow occurs when the parameter for the repetition count is set to the maximum value allowed, 31. Impact: When the hash value for a password ...
Zen Cart Japanese version vulnerable to cross-site scripting
Overview: Zen Cart is an open source system for creating shopping websites. Zen Cart Japanese version contains a cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact ...
SYNCK GRAPHICA Mailform Pro CGI vulnerable to remote code execution
Overview: Mailform Pro CGI provided by SYNCK GRAPHICA contains a flaw in the process of sending emails, which may result in arbitrary code execution. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#30135729: SYNCK GRAPHICA Mailform Pro CGI vulnerable to remote code execution
Mailform Pro CGI provided by SYNCK GRAPHICA contains a flaw in the process of sending emails, which may result in arbitrary code execution. Impact: Arbitrary code may be executed on the server. Solution: Update the Software. Update to the latest version according to the information provided by th...
JVN#44544694: Zen Cart Japanese version vulnerable to cross-site scripting
Zen Cart is an open source system for creating shopping websites. Zen Cart Japanese version contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the web browser of a user who is logged on as an administrator. Solution: For Zen Cart v1.5 ja variants: Update t...
Speed Software Root Explorer and Explorer vulnerable to directory traversal
Overview: Root Explorer and Explorer provided by Speed Software contain an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the develop...
JVN#42768331: Speed Software Root Explorer and Explorer vulnerable to directory traversal
Root Explorer and Explorer provided by Speed Software contain an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Impact: A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application...
AL-Mail32 vulnerable to buffer overflow
Overview: AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a buffer overflow vulnerability due to a flaw in processing attachments. Impact: When an attachment with a specially crafted file name is processed, arbitrary code may be executed. Solution: Update the...
Squid input validation vulnerability
Overview: Squid contains a vulnerability where inputs are not properly validated. Squid is a caching proxy server. Squid contains a vulnerability where server responses that contain invalid values in the Content-Length of the HTTP header are sent to the client. Kazuho Oku reported this vulnerabili...
AL-Mail32 vulnerable to denial-of-service (DoS)
Overview: AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a denial-of-service (DoS) vulnerability due to a flaw in processing attachments. Yosuke HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer unde...
AL-Mail32 vulnerable to directory traversal
Overview: AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a directory traversal vulnerability due to a flaw in processing attachments. Yosuke HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#93318392: AL-Mail32 vulnerable to buffer overflow
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a buffer overflow vulnerability due to a flaw in processing attachments. Impact: When an attachment with a specially crafted file name is processed, arbitrary code may be executed. Solution: Update the Software...
JVN#77294617: AL-Mail32 vulnerable to directory traversal
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a directory traversal vulnerability due to a flaw in processing attachments. Impact: Processing an attachment with a specially crafted file name may result in creation of an arbitrary file or an overwrite of...
JVN#64455813: Squid input validation vulnerability
Squid is a caching proxy server. Squid contains a vulnerability where server responses that contain invalid values in the Content-Length of the HTTP header are sent to the client. Impact: If an HTTP response with a specially crafted header is processed, it may result in an HTTP response splitting...
JVN#55365709: AL-Mail32 vulnerable to denial-of-service (DoS)
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a denial-of-service (DoS) vulnerability due to a flaw in processing attachments. Impact: Processing an attachment with a specially crafted file name may cause the software to become unresponsive. Solution: Upda...
C-BOARD Moyuku vulnerable to arbitrary file creation
Overview: C-BOARD Moyuku is bulletin board software. C-BOARD Moyuku contains a vulnerability that may allow a remote attacker to create arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
Saurus CMS Community Edition vulnerable to cross-site scripting
Overview: Saurus CMS Community Edition is open source software to manage and build websites. Saurus CMS Community Edition contains multiple cross-site scripting vulnerabilities. Yuji Tounai of NTT Com Security reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under...
JVN#18387086: Saurus CMS Community Edition vulnerable to cross-site scripting
Saurus CMS Community Edition is open source software to manage and build websites. Saurus CMS Community Edition contains multiple cross-site scripting vulnerabilities. Impact: An arbitrary script may be executed on the user's web browser. Solution: Update the software. Apply the appropriate update...
JVN#73261710: C-BOARD Moyuku vulnerable to arbitrary file creation
C-BOARD Moyuku is bulletin board software. C-BOARD Moyuku contains a vulnerability that may allow a remote attacker to create arbitrary files. Impact: A remote attacker creating arbitrary files may result in arbitrary code execution on the server. Solution: Update the Software. Update to the lates...
Cross-site Scripting Vulnerability in Hitachi Application Server Help
Overview: Hitachi Application Server Help contains a cross-site scripting vulnerability. Impact: A remote attacker can exploit this vulnerability to execute malicious scripts. Solution: Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action...
Cross-site Scripting Vulnerability in Hitachi Command Suite Products
Overview: The online help of Hitachi Command Suite Products contains a cross-site scripting vulnerability. Impact: A remote attacker can exploit this vulnerability to execute malicious scripts. Solution: Please refer to the 'Vendor Information' section for the official countermeasure and take...
Smartphone Passbook for Android information management vulnerability
Overview: Smartphone Passbook for Android contains an issue where user inputs are output into a log file. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: Other Android applications with...
Smartphone Passbook fails to verify SSL server certificates
Overview: Smartphone Passbook provided by Ogaki Kyoritsu Bank Ltd. fails to verify SSL server certificates. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: A man-in-the-middle attack may allow...
PerlTreeBBS vulnerable to cross-site scripting
Overview: PerlTreeBBS from Homepage Decorator is tree-structured bulletin board software. PerlTreeBBS contains a persistent cross-site scripting vulnerability (CWE-79). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
shiromuku(u1)GUESTBOOK vulnerable to cross-site scripting
Overview: shiromuku(u1)GUESTBOOK from Perl CGI's By Mrs. Shiromuku is bulletin board software. shiromuku(u1)GUESTBOOK contains a cross-site scripting vulnerability. Koki Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning...
JVN#48659722: Smartphone Passbook for Android information management vulnerability
Smartphone Passbook for Android contains an issue where user inputs are output into a log file. Impact: Other Android applications with permissions to read system log files may obtain information entered by a user. Solution: Update the Software. Update to the latest version according to the...
JVN#14522790: Smartphone Passbook fails to verify SSL server certificates
Smartphone Passbook provided by Ogaki Kyoritsu Bank Ltd. fails to verify SSL server certificates. Impact: A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution: Update the Software. Update to the latest version according to the information provided by...
JVN#96155055: PerlTreeBBS vulnerable to cross-site scripting
PerlTreeBBS from Homepage Decorator is tree-structured bulletin board software. PerlTreeBBS contains a persistent cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the user's web browser. Solution: Update the Software. Update to the latest version according ...
JVN#17480391: shiromuku(u1)GUESTBOOK vulnerable to cross-site scripting
shiromuku(u1)GUESTBOOK from Perl CGI's By Mrs. Shiromuku is bulletin board software. shiromuku(u1)GUESTBOOK contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Update the Software. Update to the latest version according to the...
Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Overview: Remote Service Manager contains a denial-of-service (DoS) vulnerability. Remote Service Manager provided by Cybozu, Inc. is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability. Note...
Fumy News Clipper vulnerable to cross-site scripting
Overview: Fumy News Clipper provided by Nishishi Factory contains a cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: An arbitrary script may be executed on the...
JVN#33735535: Fumy News Clipper vulnerable to cross-site scripting
Fumy News Clipper is a weblog system. Fumy News Clipper contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Update the software. Update to the latest version according to the information provided by the developer. Products...
JVN#13566542: Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Remote Service Manager provided by Cybozu, Inc. is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability. Note that this vulnerability was caused by an incomplete fix of JVN#10319260...
Arbitrary files may be overwritten in multiple VMware products
Overview: Multiple products provided by VMware Inc. contain a vulnerability where arbitrary files on the host OS may be overwritten. Shanon Olsson reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: A user...
JVN#88252465: Arbitrary files may be overwritten in multiple VMware products
Multiple products provided by VMware Inc. contain a vulnerability where arbitrary files on the host OS may be overwritten. Impact: A user that can modify the configuration file for the virtual machine may overwrite arbitrary files on the host OS. As a result, privileges may be escalated in the hos...
Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery
Overview: Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: If a user views a maliciou...
Multiple ASUS wireless LAN routers vulnerable to OS command injection
Overview: Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: An arbitrary OS command may be...
JVN#77792759: Multiple ASUS wireless LAN routers vulnerable to OS command injection
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability. Impact: An arbitrary OS command may be executed by an authenticated attacker. In addition, when this vulnerability is exploited along with the vulnerability stated in JVN#32631078, an arbitrary ...
JVN#32631078: Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability. Impact: If a user views a malicious page while logged in, unintended operations may be conducted. In addition, when this vulnerability is exploited along with the vulnerability stated in...
NP-BBRM vulnerable in UPnP functionality
Overview: NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality. Impact: The device may be used in a DDoS attack, as an SSDP reflector. Solution: Disable UPnP. Disable UPnP functionality from the management configuration in the settings...
JVN#27142693: NP-BBRM vulnerable in UPnP functionality
NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality. Impact: The device may be used in a DDoS attack, as an SSDP reflector. Solution: Disable UPnP. Disable UPnP functionality from the management configuration in the settings screen...
shiromuku(bu2)BBS vulnerable to arbitrary file creation
Overview: shiromuku(bu2)BBS from Perl CGI's By Mrs. Shiromuku is bulletin board software. shiromuku(bu2)BBS contains a vulnerability that may allow a remote attacker to create arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#94502417: shiromuku(bu2)BBS vulnerable to arbitrary file creation
shiromuku(bu2)BBS from Perl CGI's By Mrs. Shiromuku is bulletin board software. shiromuku(bu2)BBS contains a vulnerability that may allow a remote attacker to create arbitrary files. Impact: A remote attacker creating arbitrary files may result in arbitrary code execution on the server. Solution...
SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
Overview: Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...
JVN#88559134: SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability. Impact: A remote attacker may obtain arbitrary files on the server. Solution: Update the Software. Update to the latest version according to the informatio...