JVN#78136804: CN8000 vulnerable to denial-of-service (DoS)
CN8000 provided by ATEN is a remote access unit used to connect a keyboard, mouse and monitor to two or more computers in a remote location. CN8000 contains a denial-of-service (DoS) vulnerability. Impact A remote attacker may be able to cause a denial-of-service (DoS). Solution Update the Firmware...
JVN#54650130: SOY CMS vulnerable to cross-site scripting
SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is an open source content management system (CMS). SOY CMS contains a cross-site scripting vulnerability. Impact If a user views a malicious page while logged in, an arbitrary script may be executed on the user's web browser. Solution App...
intra-mart vulnerable to open redirect
Overview intra-mart is a software framework for creating web applications. intra-mart contains an open redirect vulnerability. Shun Suzaki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact When accessing a...
JVN#68340046: intra-mart vulnerable to open redirect
intra-mart is a software framework for creating web applications. intra-mart contains an open redirect vulnerability. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Apply t...
Cybozu Garoon Phone Messages vulnerable to denial-of-service (DoS)
Overview Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a denial-of-service (DoS) vulnerability in the Phone Messages function. Impact Processing input from a user who can log in to the system may cause denial-of-service (DoS) condition on the server by consuming high...
Cybozu Garoon API access restriction bypass vulnerability
Overview Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability when using APIs. Impact Users who can log in to the system may delete schedule information that they do not have permission to edit. Solution Update the Software Updat...
JVN#31230946: Cybozu Garoon API access restriction bypass vulnerability
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an access restriction bypass vulnerability when using APIs. Impact Users who can log in to the system may delete schedule information that they do not have permission to edit. Solution Update the Software Update to the...
JVN#90519014: Cybozu Garoon Phone Messages vulnerable to denial-of-service (DoS)
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a denial-of-service (DoS) vulnerability in the Phone Messages function. Impact Processing input from a user who can log in to the system may cause denial-of-service (DoS) condition on the server by consuming high system...
Apache Struts vulnerable to ClassLoader manipulation
Overview Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated. NTT-CERT reported this vulnerability to IPA. JPCERT/CC coordinated with the developer unde...
JVN#19294237: Apache Struts vulnerable to ClassLoader manipulation
Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a vulnerability where the ClassLoader may be manipulated. Impact On a server where Apache Struts is running, a remote attacker may steal information or execu...
TOSHIBA TEC e-Studio series vulnerable to cross-site request forgery
Overview e-Studio provided by TOSHIBA TEC CORPORATION is a multi-function peripheral (MFP). Multiple e-Studio series products contain a vulnerability in web-based management utility, which may result in a cross-site request forgery. Impact If the administrator views a malicious page while logged in...
Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Overview Remote Service Manager provided by Cybozu,Inc. is a software to access on-premise systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability. Impact An attacker may cause a denial-of-service on a server that is...
Cybozu Remote Service Manager vulnerable to session fixation
Overview Remote Service Manager provided by Cybozu,Inc. is a software to access on-premise systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a session fixation vulnerability. Impact A remote, unauthenticated attacker may impersonate a registered user. As...
AndExplorer vulnerable to directory traversal
Overview AndExplorer provided by LYSESOFT contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
JVN#22670349: AndExplorer vulnerable to directory traversal
AndExplorer provided by LYSESOFT contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JVN#10319260: Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Remote Service Manager provided by Cybozu,Inc. is a software to access on-premise systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability. Impact An attacker may cause a denial-of-service on a server that is installed Remo...
JVN#13313061: TOSHIBA TEC e-Studio series vulnerable to cross-site request forgery
e-Studio provided by TOSHIBA TEC CORPORATION is a multi-function peripheral (MFP). Multiple e-Studio series products contain a vulnerability in web-based management utility, which may result in a cross-site request forgery. Impact If the administrator views a malicious page while logged into the...
JVN#00058727: Cybozu Remote Service Manager vulnerable to session fixation
Remote Service Manager provided by Cybozu,Inc. is a software to access on-premise systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a session fixation vulnerability. Impact A remote, unauthenticated attacker may impersonate a registered user. As a result...
Redmine vulnerable to open redirect
Overview Redmine is a project management software. Redmine contains an open redirect vulnerability due to insufficient checking of the URL parameter. Minoru Sakai of SCSK Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
JVN#93004610: Redmine vulnerable to open redirect
Redmine is a project management software. Redmine contains an open redirect vulnerability due to insufficient checking of the URL parameter. Impact A user who logs into Redmine may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Upda...
Content Provider in CamiApp for Android fails to restrict access permissions
Overview The Content Provider in CamiApp for Android provided by KOKUYO S&T Co.,Ltd. contains an issue where access permissions are not restricted. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impa...
JVN#55438786: Content Provider in CamiApp for Android fails to restrict access permissions
The Content Provider in CamiApp for Android provided by KOKUYO S&T Co.,Ltd. contains an issue where access permissions are not restricted. Impact If a user of the affected product uses another malicious Android application, information stored in the database may be obtained or altered. Solution...
SD Card Manager vulnerable to directory traversal
Overview SD Card Manager provided by apps4u@android contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
JVN#47386847: SD Card Manager vulnerable to directory traversal
SD Card Manager provided by apps4u@android contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has...
ES File Explorer vulnerable to directory traversal
Overview ES File Explorer provided by ES APP Group contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under...
Silex vulnerable to cross-site scripting
Overview Silex is a software to build websites. Silex contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary script may be execute...
JVN#14282890: Silex vulnerable to cross-site scripting
Silex is a software to build websites. Silex contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed in the user's web browser. Solution Apply an Update Update to the latest version according to the information provided by the developer. Products Affected Silex...
JVN#70029459: ES File Explorer vulnerable to directory traversal
ES File Explorer provided by ES APP Group contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has...
sp mode mail vulnerability where Java methods may be executed
Overview sp mode mail provided by NTT DOCOMO contains an issue in the processing Deco-mail emoticon POP, which may lead to the execution of arbitrary Java methods that can be executed with the privileges of sp mode mail. Hironori Tokuta reported this vulnerability to IPA. JPCERT/CC coordinated wi...
sp mode mail issue where emails in the process of creation may be accessed
Overview sp mode mail provided by NTT DOCOMO contains an application link interface so that mail data can be exchanged with external application during email creation. When the application to be linked is selected, the email contents and attachment are saved to the SD card, therefore other Androi...
sp mode mail issue when accessing attachments in incoming mail
Overview sp mode mail provided by NTT DOCOMO contains a function that allows other Android applications to access attachments for incoming emails. This function contains an issue in the restriction of access permissions. Satoru Takekoshi reported this vulnerability to IPA. JPCERT/CC coordinated...
JVN#89260331: sp mode mail vulnerability where Java methods may be executed
sp mode mail provided by NTT DOCOMO contains an issue in the processing Deco-mail emoticon POP, which may lead to the execution of arbitrary Java methods that can be executed with the privileges of sp mode mail. Impact When a specially crafted email is opened, an arbitrary Java method that can be...
JVN#81739241: sp mode mail issue when accessing attachments in incoming mail
sp mode mail provided by NTT DOCOMO contains a function that allows other Android applications to access attachments for incoming emails. This function contains an issue in the restriction of access permissions. Impact If a malicious Android application is installed on the device, attachments for...
JVN#05951929: sp mode mail issue where emails in the process of creation may be accessed
sp mode mail provided by NTT DOCOMO contains an application link interface so that mail data can be exchanged with external application during email creation. When the application to be linked is selected, the email contents and attachment are saved to the SD card, therefore other Android...
Unzipper vulnerable to directory traversal
Overview Unzipper provided by R-Company contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Demaecan for Android. contains an issue where it fails to verify SSL server certificates
Overview Demaecan for Android. contains an issue where it fails to verify SSL server certificates. kurisu and matt reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
JVN#16263849: Demaecan for Android. contains an issue where it fails to verify SSL server certificates
Demaecan for Android. contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#38227002: Unzipper vulnerable to directory traversal
Unzipper provided by R-Company contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Impact A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to...
JP1/File Transmission Server / FTP vulnerable to access control violation
Overview JP1/File Transmission Server/FTP has a vulnerability where an FTP client with limited access rights can bypass the access control and access arbitrary directories on the FTP server when enabling the directory access control function. Impact An attacker with login privileges to the FTP...
JP1/Integrated Management - Service Support vulnerable to cross-site scripting
Overview JP1/Integrated Management - Service Support has a cross-site scripting vulnerability, which occurs when receiving a request that contains malicious scripts when being used with JP1/Integrated Management - View. Impact An attacker can exploit this vulnerability to execute malicious script...
Cybozu Garoon vulnerable to SQL injection
Overview Cybozu Garoon contains a SQL injection vulnerability. Note that this vulnerability is different from JVN91153528. Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains an issue in the process of downloading files, which may result in SQL injection. Impact A user w...
Cybozu Garoon vulnerable to directory traversal
Overview Cybozu Garoon contains a directory traversal vulnerability. Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a directory traversal vulnerability in the process of downloading files. Impact A user who can log in to the product may obtain files on the server...
Cybozu Garoon vulnerable to session management
Overview Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a vulnerability in session management. Impact A user who can log in to the product may impersonate an arbitrary user. As a result, information may be altered or disclosed. Solution For Cybozu Garoon 3.7: Apply...
Denny's App for Android. contains an issue where it fails to verify SSL server certificates
Overview Denny's App for Android. contains an issue where it fails to verify SSL server certificates. kurisu and matt reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A man-in-the-middle attack may allow an...
Norman Security Suite vulnerable to privilege escalation
Overview Norman Security Suite is an anti-virus software. Norman Security Suite contains a privilege escalation vulnerability. Satoshi Tanda reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An attacker with...
XooNIps vulnerable to cross-site scripting
Overview XooNIps provided by Neuroinformatics Japan Center, RIKEN Brain Science Institute is a module of XOOPS. XooNIps contains an issue in processing the output of input character string to the web page, which may result in a cross-site scripting vulnerability. Koki Takahashi of Keiji Takeda La...
JVN#24035499: Cybozu Garoon vulnerable to session management
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a vulnerability in session management. Impact A user who can log in to the product may impersonate an arbitrary user. As a result, information may be altered or disclosed. Solution For Cybozu Garoon 3.7: Apply the Patch...
JVN#48810179: Denny's App for Android. contains an issue where it fails to verify SSL server certificates
Denny's App for Android. contains an issue where it fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the...
JVN#02017463: Norman Security Suite vulnerable to privilege escalation
Norman Security Suite is an anti-virus software. Norman Security Suite contains a privilege escalation vulnerability. Impact An attacker with access to the target machine may obtain escalated privileges and execute arbitrary code. Solution Apply an Update Apply the update according to the...
JVN#87797318: XooNIps vulnerable to cross-site scripting
XooNIps provided by Neuroinformatics Japan Center, RIKEN Brain Science Institute is a module of XOOPS. XooNIps contains an issue in processing the output of input character string to the web page, which may result in a cross-site scripting vulnerability. Impact An arbitrary script may be executed...