5609 matches found
Ichitaro series vulnerable to arbitrary code execution
Overview: The "Ichitaro" series word processing software, from JustSystems Corporation, contains a vulnerability that may allow arbitrary code execution. This vulnerability differs from other issues that were previously published on JVN. For more information, please refer to the developer's website...
JVN#16318793: Ichitaro series vulnerable to arbitrary code execution
The "Ichitaro" series word processing software, from JustSystems Corporation, contains a vulnerability that may allow arbitrary code execution. For more information, please refer to the developer's website. Impact: When a user opens a specially crafted file, arbitrary code may be executed. Solution...
Vulnerability in JP1/NETM/DM and Job Management Partner 1/Software Distribution data reproduction functionality
Overview: JP1/NETM/DM and Job Management Partner 1/Software Distribution contain a vulnerability that prevents them from disabling writing to built-in USB storage devices. Impact: An attacker can exploit this vulnerability to prevent the affected products from disabling writing to built-in type USB...
Multiple Cybozu products vulnerable to buffer overflow
Overview: Multiple products provided by Cybozu, Inc. contain a buffer overflow vulnerability (CWE-119). Masaaki Chida of GREE, Inc. reported this vulnerability to the developer. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: A remote attacker ma...
JVN#14691234: Multiple Cybozu products vulnerable to buffer overflow
Multiple products provided by Cybozu, Inc. contain a buffer overflow vulnerability (CWE-119). Impact: A remote attacker may cause a denial of service (DoS) or execute arbitrary code. Solution: Update the software. Update to the latest version according to the information provided by the developer...
OpenAM vulnerable to denial-of-service (DoS)
Overview: OpenAM, provided by ForgeRock, is open source access management software. OpenAM contains a denial-of-service (DoS) vulnerability due to a flaw in processing cookies (CWE-400). Yasushi IWAKATA of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC...
JVN#65559247: OpenAM vulnerable to denial-of-service (DoS)
OpenAM, provided by ForgeRock, is open source access management software. OpenAM contains a denial-of-service (DoS) vulnerability due to a flaw in processing cookies (CWE-400). Impact: When an OpenAM system is running in a "site" configuration with multiple instances, an authenticated attacker may be able...
QNAP QTS vulnerable to OS command injection
Overview: QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a flaw in the GNU Bash shell, which may result in an OS command injection vulnerability (CWE-78). Yuuki Wakisaka of the University of Electro-Communications reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#55667175: QNAP QTS vulnerable to OS command injection
QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a flaw in the GNU Bash shell, which may result in an OS command injection vulnerability (CWE-78). Impact: A malicious attacker may be able to execute arbitrary commands at the privilege level of the calling application. Solution: Update...
SumaHo for Android fails to verify SSL/TLS server certificates
Overview: SumaHo for Android fails to verify SSL/TLS server certificates. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: A man-in-the-middle attack may allow an attacker to eavesdrop on an...
JVN#27388160: SumaHo for Android fails to verify SSL/TLS server certificates
SumaHo for Android fails to verify SSL/TLS server certificates. Impact: A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution: Update the software. Apply the appropriate update according to the information provided by the developer. Products Affected...
GIGAPOD vulnerable to denial-of-service (DoS)
Overview: GIGAPOD, provided by TripodWorks CO.,LTD., contains a denial-of-service (DoS) vulnerability. GIGAPOD file servers (Appliance model and Software model) from TripodWorks CO.,LTD. provide two web interfaces: first, a user web interface via ports 80/443, and second, an administrative web interfa...
Aflax vulnerable to cross-site scripting
Overview: Aflax is a JavaScript library that enables developers to use JavaScript to fully utilize all of the features of the Adobe Flash runtime. Aflax contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the...
BirdBlog vulnerable to cross-site scripting
Overview: BirdBlog is weblog software. BirdBlog contains a cross-site scripting vulnerability. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: An arbitrary...
JVN#23809730: GIGAPOD vulnerable to denial-of-service (DoS)
GIGAPOD file servers (Appliance model and Software model) from TripodWorks CO.,LTD. provide two web interfaces: first, a user web interface via ports 80/443, and second, an administrative web interface via port 8001. The administrative web interface uses a version of the Apache HTTP server which...
JVN#66285408: Aflax vulnerable to cross-site scripting
Aflax is a JavaScript library that enables developers to use JavaScript to fully utilize all of the features of the Adobe Flash runtime. Aflax contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Do not use Aflax. According t...
JVN#87373393: BirdBlog vulnerable to cross-site scripting
BirdBlog is weblog software. BirdBlog contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Do not use BirdBlog. BirdBlog is no longer being developed or maintained; therefore, it is recommended to stop using BirdBlog. Produc...
Huawei E5332 vulnerable to denial-of-service (DoS)
Overview: Huawei E5332 contains a denial-of-service (DoS) vulnerability. Huawei E5332, provided by Huawei Technologies, is a mobile router. Huawei E5332 contains an issue when processing an extremely long URL, which may cause the device to terminate abnormally. Shuto Imai of Chukyo Univ...
Huawei E5332 vulnerable to denial-of-service (DoS)
Overview: Huawei E5332 contains a denial-of-service (DoS) vulnerability. Huawei E5332, provided by Huawei Technologies, is a mobile router. Huawei E5332 contains an issue when processing a GET request that contains an extremely long parameter, which leads to the device rebooting. Shuto Imai of Chukyo...
JVN#58417930: Huawei E5332 vulnerable to denial-of-service (DoS)
Huawei E5332, provided by Huawei Technologies, is a mobile router. Huawei E5332 contains an issue when processing an extremely long URL, which may cause the device to terminate abnormally. Impact: An attacker that can send requests to the device may cause the device to become unresponsive...
JVN#63587560: Huawei E5332 vulnerable to denial-of-service (DoS)
Huawei E5332, provided by Huawei Technologies, is a mobile router. Huawei E5332 contains an issue when processing a GET request that contains an extremely long parameter, which leads to the device rebooting. Impact: An attacker that can send requests to the device may cause the device to become...
Safari issue in handling application cache
Overview: Safari contains an issue in the handling of the application cache, where contents that were cached while the private browsing function was turned off may be used after the private browsing function is turned on. Yosuke HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC...
Yahoo! Japan Box for Android issue where it fails to verify SSL server certificates
Overview: Yahoo! Japan Box for Android, provided by Yahoo Japan Corporation, contains an issue where it fails to verify SSL server certificates. Yahoo Japan Corporation reported this vulnerability to JPCERT/CC to notify users of this issue through JVN. JPCERT/CC coordinated with Yahoo Japan...
N-Media file uploader vulnerability in handling uploaded files
Overview: N-Media file uploader is a plugin for WordPress. N-Media file uploader contains a vulnerability (CWE-264) in the way it handles uploaded files. As a result, an uploaded arbitrary PHP script may be executed. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC...
jigbrowser+ for iOS same origin policy bypass
Overview: jigbrowser+ for iOS contains a flaw in loading web pages, which may allow an attacker to bypass the same-origin policy. Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership...
SLFileManager for Android vulnerable to directory traversal
Overview: SLFileManager, provided by S-Link, Inc., contains a flaw in processing file names, which may result in a directory traversal vulnerability (CWE-22). Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#16485017: SLFileManager for Android vulnerable to directory traversal
SLFileManager, provided by S-Link, Inc., contains a flaw in processing file names, which may result in a directory traversal vulnerability (CWE-22). Impact: A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges ...
JVN#87863382: N-Media file uploader vulnerability in handling uploaded files
N-Media file uploader is a plugin for WordPress. N-Media file uploader contains a vulnerability (CWE-264) in the way it handles uploaded files. As a result, an uploaded arbitrary PHP script may be executed. Impact: A user with "Author" privileges and above may execute an arbitrary command o...
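The two entries above are the same underlying mistake seen from two sides: SLFileManager trusts a client-supplied file name when deciding where to write (directory traversal), and N-Media file uploader trusts it when deciding what may be stored (an uploaded .php file lands in a web-served directory and is executed). The function below is an added example, written for this page and not taken from either product, showing how a server should treat a file name it received over the network. The extension allowlist, the set of server-executed extensions and the upload directory are assumptions for the example; the checks themselves are the ones a practitioner expects: no path separators or NUL, no dotfiles, every extension segment (not just the last) checked, and a final containment check on the resolved path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Extensions the upload directory is allowed to hold (assumption for this
// example; a real deployment tunes this to what the feature needs).
var allowedExt = map[string]bool{
	".png": true, ".jpg": true, ".jpeg": true, ".gif": true, ".pdf": true, ".txt": true,
}

// Extensions that a typical web server hands to an interpreter. They are
// rejected anywhere in the name, not only at the end, because servers with
// multiple-extension handling may still execute "shell.php.jpg".
var executableExt = map[string]bool{
	".php": true, ".phtml": true, ".php3": true, ".php4": true, ".php5": true, ".phar": true,
	".cgi": true, ".pl": true, ".py": true, ".sh": true, ".jsp": true, ".asp": true, ".aspx": true,
}

// SafeUploadPath turns a client-supplied file name into an absolute path that
// is guaranteed to sit directly inside uploadDir, or returns an error.
func SafeUploadPath(uploadDir, clientName string) (string, error) {
	// 1. Only a bare file name is acceptable: no separators of either flavour,
	//    no NUL (which truncates names in C-based file APIs), no control chars.
	if clientName == "" || clientName == "." || clientName == ".." {
		return "", errors.New("empty or reserved file name")
	}
	if strings.ContainsAny(clientName, "/\\\x00") {
		return "", errors.New("file name must not contain path separators or NUL")
	}
	for _, r := range clientName {
		if r < 0x20 || r == 0x7f {
			return "", errors.New("file name contains control characters")
		}
	}
	// 2. Dotfiles such as .htaccess can change how the server treats the directory.
	if strings.HasPrefix(clientName, ".") {
		return "", errors.New("hidden files are not accepted")
	}
	// 3. Check every extension segment, not only the last one.
	parts := strings.Split(strings.ToLower(clientName), ".")
	if len(parts) < 2 {
		return "", errors.New("file name has no extension")
	}
	for _, seg := range parts[1:] {
		if executableExt["."+seg] {
			return "", fmt.Errorf("extension .%s is executable on the server", seg)
		}
	}
	if last := parts[len(parts)-1]; !allowedExt["."+last] {
		return "", fmt.Errorf("extension .%s is not in the allowlist", last)
	}
	// 4. Containment check on the resolved path: after joining and cleaning,
	//    the file must still be a direct child of uploadDir.
	base, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, clientName)
	if filepath.Dir(full) != base {
		return "", errors.New("resolved path escapes the upload directory")
	}
	return full, nil
}

func main() {
	// Constructed sample names: the benign ones and the classic hostile ones.
	for _, name := range []string{
		"report.pdf", "photo.jpg", "../../etc/passwd", "..\\..\\boot.ini",
		"shell.php", "shell.php.jpg", ".htaccess", "a\x00b.png", "noext",
	} {
		p, err := SafeUploadPath("/var/www/uploads", name)
		if err != nil {
			fmt.Printf("%-22q rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-22q accepted: %s\n", name, p)
		}
	}
}
```

Note the order: the containment check in step 4 is deliberately last and redundant. Steps 1 to 3 reject everything that should be rejected with a clear reason; step 4 is there so that a future relaxation of the earlier checks cannot silently reintroduce traversal.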
JVN#48270605: Yahoo! Japan Box for Android issue where it fails to verify SSL server certificates
Yahoo! Japan Box for Android, provided by Yahoo Japan Corporation, contains an issue where it fails to verify SSL server certificates. Impact: A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution: Update the software. Update to the latest version...
JVN#80531230: jigbrowser+ for iOS same origin policy bypass
jigbrowser+ for iOS contains a flaw in loading web pages, which may allow an attacker to bypass the same-origin policy. Impact: By using JavaScript, an attacker may obtain sensitive data from a different domain in violation of the same-origin policy. Solution: Update the software. Update to the late...
JVN#45442753: Safari issue in handling application cache
Safari contains an issue in the handling of the application cache, where contents that were cached while the private browsing function was turned off may be used after the private browsing function is turned on. Impact: After a website is visited when the private browsing function is turned off and the...
Yuko Yuko App for Android fails to verify SSL server certificates
Overview: Yuko Yuko App for Android, provided by Yuko Yuko Corporation, fails to verify SSL server certificates. Shunsuke Taniguchi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: A...
JVN#04560253: Yuko Yuko App for Android fails to verify SSL server certificates
Yuko Yuko App for Android, provided by Yuko Yuko Corporation, fails to verify SSL server certificates. Impact: A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. As a result, an attacker may obtain information entered into web forms. Solution: Update the...
Dotclear vulnerable to cross-site scripting
Overview: Dotclear is weblog software. Dotclear contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: If a user views a crafted page while...
Bump for Android vulnerable in handling of implicit intents
Overview: Bump for Android is an application that allows users to share information and files. Bump for Android contains a vulnerability in the handling of implicit intents. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the...
JVN#61637002: Dotclear vulnerable to cross-site scripting
Dotclear is weblog software. Dotclear contains a cross-site scripting vulnerability. Impact: If a user views a crafted page while logged in, an arbitrary script may be executed on the user's web browser. Solution: Update the software. Update to the latest version according to the information...
JVN#08994136: Bump for Android vulnerable in handling of implicit intents
Bump for Android is an application that allows users to share information and files. Bump for Android contains a vulnerability in the handling of implicit intents. Impact: Information such as the owner's name that was obtained from another device may be disclosed. Solution: Do not use Bump for...
FileMaker Pro fails to verify SSL server certificates
Overview: FileMaker Pro contains a function to encrypt communications with FileMaker Server. FileMaker Pro fails to verify the SSL server certificate. NOTE: This vulnerability exists because of an incomplete fix for CVE-2013-2319. Impact: A man-in-the-middle attack may allow an attacker to...
FileMaker Pro vulnerable to cross-site scripting
Overview: FileMaker Pro contains an "Instant Web Publishing" function. When this function is enabled, FileMaker Pro is vulnerable to cross-site scripting. NOTE: This vulnerability exists because of an incomplete fix for CVE-2013-3640. Impact: An arbitrary script may be executed on the user's web browser...
365 Links series vulnerable to cross-site scripting
Overview: The 365 Links series, provided by php365.com, are link directory management tools. The 365 Links series contains a cross-site scripting vulnerability. Koki Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership...
JVN#36205251: 365 Links series vulnerable to cross-site scripting
The 365 Links series, provided by php365.com, are link directory management tools. The 365 Links series contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Update the software. Update to the latest version according to the information...
Help Page in multiple Adobe products vulnerable to cross-site scripting
Overview: The Help page provided in multiple Adobe products contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: An arbitrary script may be...
JVN#84376800: Help Page in multiple Adobe products vulnerable to cross-site scripting
The Help page provided in multiple Adobe products contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Update the software. Update to the latest version of the product according to the information provided by the developer...
Movable Type vulnerable to cross-site scripting
Overview: Movable Type, provided by Six Apart, Ltd., contains a cross-site scripting vulnerability. Movable Type contains an issue in processing the management page, which may result in a cross-site scripting vulnerability. Saeki Tominaga reported this vulnerability to IPA. JPCERT/CC coordinated wit...
JVN#73357573: Movable Type vulnerable to cross-site scripting
Movable Type contains an issue in processing the management page, which may result in a cross-site scripting vulnerability. Impact: An arbitrary script may be executed, or a spoofed form may be displayed, on the administrator's web browser. Solution: Update the software. Update to the latest version...
WisePoint vulnerable to session fixation
Overview: WisePoint, provided by Falcon System Consulting, Inc., contains a session fixation vulnerability. Hiroki Ikemoto of NTT SOFT SERVICE Corp. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: An attacker m...
EmFTP may insecurely load executable files
Overview: EmFTP contains a flaw when loading files, where an unintended executable file may be loaded when attempting to open a file without an extension. For example, if a text file named "example" without an extension and an executable "example.exe" are in the same directory, attempting to open t...
JVN#49672671: WisePoint vulnerable to session fixation
WisePoint, provided by Falcon System Consulting, Inc., contains a session fixation vulnerability. Impact: An attacker may impersonate a registered user. As a result, information may be disclosed or altered. Solution: Update the software. Update to the latest version according to the information provid...
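Session fixation, as in the WisePoint entry, is not about guessing a session ID: the attacker already holds a valid one (obtained from the server as an anonymous visitor), plants it in the victim's browser, and waits for the victim to log in. If the server keeps that ID across authentication, the attacker's copy is now a logged-in session. The code below is an added example written for this page, not WisePoint's code and not a description of its internals; it contrasts a login routine that keeps the client's ID with one that discards it and issues a fresh one. The in-memory store, the `checkPassword` stub and the credentials are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Store is a minimal in-memory session table keyed by the session ID that
// the browser presents in its cookie. The value is the authenticated user,
// or "" for an anonymous (pre-login) session.
type Store struct {
	mu       sync.Mutex
	sessions map[string]string
}

func NewStore() *Store { return &Store{sessions: map[string]string{}} }

// newID returns 128 bits from the OS CSPRNG, hex encoded.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// checkPassword stands in for real credential verification (assumption).
func checkPassword(user, password string) bool {
	return user == "alice" && password == "correct horse battery staple"
}

// Begin issues an anonymous session, as a server does when it first sets a
// cookie on an unauthenticated visitor (for example when the login page loads).
func (s *Store) Begin() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	id := newID()
	s.sessions[id] = ""
	return id
}

// UserFor reports which user a session ID is bound to ("" if none).
func (s *Store) UserFor(id string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.sessions[id]
}

// LoginFixable is the vulnerable pattern: the session ID the client arrived
// with is kept (created if unknown) and simply upgraded to authenticated. An
// ID planted in the victim's browser beforehand therefore becomes a logged-in
// session that the attacker already knows.
func (s *Store) LoginFixable(id, user, password string) error {
	if !checkPassword(user, password) {
		return errors.New("bad credentials")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = user
	return nil
}

// LoginSafe is the fix: on successful authentication the pre-login session is
// deleted and a freshly generated ID is bound to the user. The caller sets the
// new ID as the cookie. An ID chosen or learned before login never gains
// privileges.
func (s *Store) LoginSafe(id, user, password string) (string, error) {
	if !checkPassword(user, password) {
		return "", errors.New("bad credentials")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id) // invalidate the pre-authentication ID
	fresh := newID()
	s.sessions[fresh] = user
	return fresh, nil
}

// SimulateFixation plays the attack against either login variant: the
// attacker obtains a valid anonymous ID from the server, gets the victim to
// use it (via a URL, an injected cookie, and so on), and the victim logs in
// while carrying it. The result is the user the attacker's copy of the ID now
// resolves to; "" means the attack failed.
func SimulateFixation(useSafeLogin bool) string {
	store := NewStore()
	planted := store.Begin() // attacker's ID, now planted in the victim's browser
	if useSafeLogin {
		_, _ = store.LoginSafe(planted, "alice", "correct horse battery staple")
	} else {
		_ = store.LoginFixable(planted, "alice", "correct horse battery staple")
	}
	return store.UserFor(planted)
}

func main() {
	fmt.Printf("fixable login: attacker's ID resolves to %q\n", SimulateFixation(false))
	fmt.Printf("safe login:    attacker's ID resolves to %q\n", SimulateFixation(true))
}
```

The same rotation should happen at any privilege boundary (login, step-up authentication, password change), and the old ID must be deleted server-side rather than merely replaced in the cookie, otherwise the attacker's copy stays valid.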
JVN#50367052: EmFTP may insecurely load executable files
EmFTP contains a flaw when loading files, where an unintended executable file may be loaded when attempting to open a file without an extension. For example, if a text file named "example" without an extension and an executable "example.exe" are in the same directory, attempting to open the file...
Kindle App for Android fails to verify SSL server certificates
Overview: Kindle App for Android fails to verify SSL server certificates. Hiroshi Tokumaru of HASH Consulting Corp. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact: A man-in-the-middle attack may allow an...
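Five entries on this page (SumaHo, Yahoo! Japan Box, Yuko Yuko App, FileMaker Pro and Kindle App) report the same defect: the client speaks TLS but never checks the server certificate, so an on-path attacker presenting any certificate gets a working "encrypted" channel and can read or alter the traffic. The following is an added example written for this page, not the code of any of those products (which are Android and desktop applications); it uses Go's standard library because it can stand up a loopback HTTPS server with a self-signed certificate offline and show all four client behaviours side by side: verification disabled (the bug), the stock client rejecting an untrusted certificate, a client that trusts exactly the expected certificate, and the same trusted chain failing on a hostname mismatch. The server name `bank.example` is a made-up value for the mismatch case.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records whether each client variant completed a request.
type Outcome struct {
	SkipVerify      bool // certificate checks disabled: the flaw in the advisories
	SystemRoots     bool // stock client, system trust store
	PinnedRoot      bool // trusts exactly the expected certificate
	PinnedWrongName bool // trusted chain, but the expected hostname differs
}

// fetch issues one GET and returns nil only if the TLS handshake and the
// request both succeeded.
func fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Run starts a loopback HTTPS server whose certificate is self-signed (the
// one net/http/httptest generates, valid for 127.0.0.1), then connects to it
// four ways. It returns the outcome and the per-attempt errors, in order.
func Run() (Outcome, []error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello")
	}))
	defer srv.Close()

	var out Outcome
	var errs []error
	record := func(flag *bool, err error) {
		*flag = err == nil
		errs = append(errs, err)
	}

	// 1. The vulnerable pattern: encryption happens, but any certificate,
	//    including one minted by an on-path attacker, is accepted.
	record(&out.SkipVerify, fetch(clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL))

	// 2. The default client: the self-signed cert does not chain to a system
	//    root, so the handshake is refused. This is what a correct client does
	//    when an attacker substitutes a certificate.
	record(&out.SystemRoots, fetch(&http.Client{}, srv.URL))

	// 3. Correct handling for a private CA or a pinned certificate: supply the
	//    expected root explicitly. Chain and hostname are both still verified.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	record(&out.PinnedRoot, fetch(clientWith(&tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	}), srv.URL))

	// 4. Same trusted root, but the client expects a different server name.
	//    Chain validation alone is not enough; the name check must fail.
	record(&out.PinnedWrongName, fetch(clientWith(&tls.Config{
		RootCAs:    roots,
		ServerName: "bank.example", // made-up name, not in the certificate
		MinVersion: tls.VersionTLS12,
	}), srv.URL))

	return out, errs
}

func main() {
	out, errs := Run()
	fmt.Printf("skip-verify client connected:       %v\n", out.SkipVerify)
	fmt.Printf("system-roots client connected:      %v (%v)\n", out.SystemRoots, errs[1])
	fmt.Printf("pinned-root client connected:       %v\n", out.PinnedRoot)
	fmt.Printf("pinned-root, wrong name, connected: %v (%v)\n", out.PinnedWrongName, errs[3])
}
```

When reviewing a mobile or desktop client for this bug, the equivalents of case 1 are a trust manager that accepts every chain or a hostname verifier that always returns true; the fix is case 2 (rely on the platform trust store) or case 3 (ship the expected CA or certificate and verify against it), never case 1 with a comment promising to fix it later.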