JVNDB RSS Feed - 2015 Years Entry
https://jvndb.jvn.jp/en/
JVN iPedia Yearly Entry
2024-03-17T09:10:23+09:00 2024-03-17T09:10:23+09:00

Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000001.html
Remote Service Manager contains a denial-of-service (DoS) vulnerability.
Remote Service Manager provided by Cybozu, Inc. is a software to access internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability.
Note that this vulnerability was caused by an incomplete fix of JVN#10319260.
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
JVNDB-2015-000001
https://jvn.jp/en/jp/JVN13566542/index.html
https://jvn.jp/en/jp/JVN10319260/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7266
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:cybozu:remote_service_manager
2015-01-30T14:19+09:00 2015-01-30T14:19+09:00 2015-01-30T14:19+09:00

SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000006.html
Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000006
http://jvn.jp/en/jp/JVN88559134/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0867
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:synck_graphica:download_log_cgi
2015-02-13T15:09+09:00 2015-01-19T13:54+09:00 2015-02-13T15:09+09:00

Arbitrary files may be overwritten in multiple VMware products
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000007.html
Multiple products provided by VMware Inc. contain a vulnerability where arbitrary files on the host OS may be overwritten.
Shanon Olsson reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000007
http://jvn.jp/en/jp/JVN88252465/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8370
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:vmware:fusion
cpe:/a:vmware:player
cpe:/a:vmware:workstation
cpe:/o:vmware:esxi
2015-02-16T15:34+09:00 2015-01-29T13:52+09:00 2015-02-16T15:34+09:00

shiromuku(bu2)BBS vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000008.html
shiromuku(bu2)BBS from Perl CGI's By Mrs. Shiromuku is a bulletin board software. shiromuku(bu2)BBS contains a vulnerability that may allow a remote attacker to create arbitrary files.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000008
http://jvn.jp/en/jp/JVN94502417/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0868
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0868
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:shiromuku:bu2_bbs
2015-02-13T09:51+09:00 2015-01-23T14:22+09:00 2015-02-13T09:51+09:00

NP-BBRM vulnerable in UPnP functionality
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000009.html
NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality.
JVNDB-2015-000009
http://jvn.jp/en/jp/JVN27142693/index.html
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0869
//www.npa.go.jp/cyberpolice/detect/pdf/20141017.pdf
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:i-o_data_device:np-bbrm
2015-08-18T14:36+09:00 2015-01-26T13:42+09:00 2015-08-18T14:36+09:00

Fumy News Clipper vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000010.html
Fumy News Clipper provided by Nishishi Factory contains a cross-site scripting vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000010
http://jvn.jp/en/jp/JVN33735535/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0870
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0870
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:nishishi:fumy_news_clipper
2015-02-16T15:55+09:00 2015-01-30T13:52+09:00 2015-02-16T15:55+09:00

Multiple ASUS wireless LAN routers vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000011.html
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability.
Masashi Sakai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000011
http://jvn.jp/en/jp/JVN77792759/index.html
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7269
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7269
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:misc:asus_japan_rt-ac56s
cpe:/h:misc:asus_japan_rt-ac68u
cpe:/h:misc:asus_japan_rt-ac87u
cpe:/h:misc:asus_japan_rt-n56u
cpe:/h:misc:asus_japan_rt-n66u
2015-06-17T16:42+09:00 2015-01-27T14:23+09:00 2015-06-17T16:42+09:00

Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000012.html
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability.
Masashi Sakai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000012
http://jvn.jp/en/jp/JVN32631078/index.html
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7270
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7270
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:misc:asus_japan_rt-ac56s
cpe:/h:misc:asus_japan_rt-ac68u
cpe:/h:misc:asus_japan_rt-ac87u
cpe:/h:misc:asus_japan_rt-n56u
cpe:/h:misc:asus_japan_rt-n66u
2015-06-17T16:42+09:00 2015-01-27T14:24+09:00 2015-06-17T16:42+09:00

shiromuku(u1)GUESTBOOK vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000013.html
shiromuku(u1)GUESTBOOK from Perl CGI's By Mrs. Shiromuku is a bulletin board software. shiromuku(u1)GUESTBOOK contains a cross-site scripting vulnerability.
Koki Takahashi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000013
http://jvn.jp/en/jp/JVN17480391/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0871
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0871
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:shiromuku:guestbook
2015-02-13T13:58+09:00 2015-02-13T13:58+09:00 2015-02-13T13:58+09:00

PerlTreeBBS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000014.html
PerlTreeBBS from Homepage Decorator is a tree-structured bulletin board software. PerlTreeBBS contains a persistent cross-site scripting vulnerability (CWE-79).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000014
http://jvn.jp/en/jp/JVN96155055/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0873
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0873
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:homepage_decorator:perltreebbs
2015-02-13T13:58+09:00 2015-02-13T13:58+09:00 2015-02-13T13:58+09:00

Smartphone Passbook fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000015.html
Smartphone Passbook provided by Ogaki Kyoritsu bank Ltd. fails to verify SSL server certificates.
Hiroshi Kumagai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000015
http://jvn.jp/en/jp/JVN14522790/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0874
https://nvd.nist.gov/vuln/detail/CVE-2015-0874
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ogaki_kyoritsu_bank:ogaki_kyoritsu_bank_sumaho_passbook
2018-03-07T13:50+09:00 2015-02-13T14:32+09:00 2018-03-07T13:50+09:00

Smartphone Passbook for Android information management vulnerability
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000016.html
Smartphone Passbook for Android contains an issue where user inputs are output into a log file.
Hiroshi Kumagai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000016
http://jvn.jp/en/jp/JVN48659722/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0875
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0875
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ogaki_kyoritsu_bank:smartphone_passbook
2015-05-21T10:05+09:00 2015-02-13T14:33+09:00 2015-05-21T10:05+09:00

Saurus CMS Community Edition vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000017.html
Saurus CMS Community Edition is open source software to manage and build websites. Saurus CMS Community Edition contains multiple cross-site scripting vulnerabilities.
Yuji Tounai of NTT Com Security reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000017
http://jvn.jp/en/jp/JVN18387086/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0876
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0876
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:saurus:saurus_cms_community_edition
2015-04-08T15:20+09:00 2015-02-17T14:20+09:00 2015-04-08T15:20+09:00

C-BOARD Moyuku vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000018.html
C-BOARD Moyuku is a bulletin board software. C-BOARD Moyuku contains a vulnerability that may allow a remote attacker to create arbitrary files.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000018
http://jvn.jp/en/jp/JVN73261710/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0877
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0877
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:c-board_moyuku_project:c-board_moyuku
2015-04-07T17:57+09:00 2015-02-17T14:21+09:00 2015-04-07T17:57+09:00

Squid input validation vulnerability
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000019.html
Squid contains a vulnerability where inputs are not properly validated.
Squid is a caching proxy server. Squid contains a vulnerability where server responses that contain invalid values in the Content-Length of the HTTP header are sent to the client.
Kazuho Oku reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000019
http://jvn.jp/en/jp/JVN64455813/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0881
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0881
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:squid-cache:squid
2015-03-06T14:57+09:00 2015-02-20T14:55+09:00 2015-03-06T14:57+09:00

AL-Mail32 vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000020.html
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a directory traversal vulnerability due to a flaw in processing attachments.
Yosuka HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000020
http://jvn.jp/en/jp/JVN77294617/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0878
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0878
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:almail:al-mail32
2015-02-24T16:38+09:00 2015-02-20T14:37+09:00 2015-02-24T16:38+09:00

AL-Mail32 vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000021.html
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a denial-of-service (DoS) vulnerability due to a flaw in processing attachments.
Yosuka HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
During the coordination process, IPA and JPCERT/CC determined that this case was not a vulnerability under the "Information Security Early Warning Partnership". However, this JVN advisory has been published coinciding with the vendor advisory.
JVNDB-2015-000021
http://jvn.jp/en/jp/JVN55365709/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0879
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0879
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:almail:al-mail32
2015-02-24T16:37+09:00 2015-02-20T14:54+09:00 2015-02-24T16:37+09:00

AL-Mail32 vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000022.html
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a buffer overflow vulnerability due to a flaw in processing attachments.
JVNDB-2015-000022
http://jvn.jp/en/jp/JVN93318392/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0880
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0880
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:almail:al-mail32
2015-02-24T16:36+09:00 2015-02-20T14:55+09:00 2015-02-24T16:36+09:00

Speed Software Root Explorer and Explorer vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000023.html
Root Explorer and Explorer provided by Speed Software contain an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.
Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000023
http://jvn.jp/en/jp/JVN42768331/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9282
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9282
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:speed_software:explorer
cpe:/a:speed_software:root_explorer
2015-02-26T17:18+09:00 2015-02-24T14:35+09:00 2015-02-26T17:18+09:00

Joyful Note vulnerability in handling files
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000024.html
Joyful Note from KENT-WEB is a bulletin board software that allows users to upload binary files such as image files. Joyful Note contains a vulnerability in handling files.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000024
http://jvn.jp/en/jp/JVN88862608/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0889
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0889
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:kent-web:joyful_note
2015-03-03T15:59+09:00 2015-02-27T13:57+09:00 2015-03-03T15:59+09:00

SYNCK GRAPHICA Mailform Pro CGI vulnerable to remote code execution
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000026.html
Mailform Pro CGI provided by SYNCK GRAPHICA contains a flaw in the process of sending emails, which may result in arbitrary code execution.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000026
http://jvn.jp/en/jp/JVN30135729/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0883
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0883
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:synck_graphica:mailform_pro_cgi
2015-03-02T14:23+09:00 2015-02-25T15:00+09:00 2015-03-02T14:23+09:00

Zen Cart Japanese version vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000027.html
Zen Cart is an open source system for creating shopping websites. Zen Cart Japanese version contains a cross-site scripting vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000027
http://jvn.jp/en/jp/JVN44544694/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0882
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0882
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:zen-cart:zen_cart
2015-03-02T14:19+09:00 2015-02-25T15:09+09:00 2015-03-02T14:19+09:00

KENT-WEB Clip Board vulnerability where arbitrary files may be deleted
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000028.html
Clip Board provided by KENT-WEB is a bulletin board software that allows users to upload binary files such as image files. KENT-WEB Clip Board contains a vulnerability that may allow a remote attacker to delete arbitrary files.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000028
http://jvn.jp/en/jp/JVN62298871/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0888
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0888
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:kent-web:clip_board
2015-03-03T15:59+09:00 2015-02-27T14:02+09:00 2015-03-03T15:59+09:00

BestWebSoft Captcha plugin vulnerable to CAPTCHA authentication bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000029.html
Captcha provided by BestWebSoft is a plugin for WordPress. Captcha contains a CAPTCHA authentication bypass vulnerability (CWE-254).
JVNDB-2015-000029
http://jvn.jp/en/jp/JVN93727681/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9283
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9283
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:bestwebsoft:captcha
2015-03-04T15:22+09:00 2015-03-03T13:38+09:00 2015-03-04T15:22+09:00

Google Captcha (reCAPTCHA) by BestWebSoft vulnerable to CAPTCHA authentication bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000030.html
Google Captcha (reCAPTCHA) by BestWebSoft is a plugin for WordPress. Google Captcha (reCAPTCHA) by BestWebSoft contains a CAPTCHA authentication bypass vulnerability (CWE-254).
JVNDB-2015-000030
http://jvn.jp/en/jp/JVN55063777/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0890
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0890
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:bestwebsoft:google_captcha
2015-03-04T15:23+09:00 2015-03-03T13:39+09:00 2015-03-04T15:23+09:00

SEIL Series routers vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000031.html
The PPP Access Concentrator (PPPAC) in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing SSTP packets.
JVNDB-2015-000031
http://jvn.jp/en/jp/JVN63949115/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0887
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0887
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:iij:seil%2Fb1
cpe:/h:iij:seil%2Fx1
cpe:/h:iij:seil%2Fx2
cpe:/h:iij:seil_x86_fuji
2015-03-05T15:42+09:00 2015-02-27T15:39+09:00 2015-03-05T15:42+09:00

checkpw vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000032.html
checkpw is a password authentication program. checkpw contains a denial-of-service (DoS) vulnerability due to a flaw in processing account names (CWE-400).
Hiroya Ito of GMO Pepabo, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000032
http://jvn.jp/en/jp/JVN34790526/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0885
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0885
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:checkpw_project:checkpw
2015-03-03T15:57+09:00 2015-02-27T12:30+09:00 2015-03-03T15:57+09:00

Vulnerability in the jBCrypt key stretching process
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000033.html
jBCrypt is a Java implementation to compute password hashes. jBCrypt contains an integer overflow vulnerability in the key stretching process. An integer overflow occurs when the parameter for the repetition count is set to the maximum value allowed, 31.
Norito AGETSUMA reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000033
http://jvn.jp/en/jp/JVN77718330/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0886
https://bugzilla.mindrot.org/show_bug.cgi?id=2097
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:mindrot:jbcrypt
2015-03-03T15:58+09:00 2015-02-27T14:03+09:00 2015-03-03T15:58+09:00

Maroyaka Simple Board vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000034.html
Maroyaka Simple Board provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Simple Board contains a persistent cross-site scripting vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The developer originally stated there were no plans to further maintain the product at the time of publication on 2015/3/4 14:00. However, a fixed version was later released on 2015/3/4 22:00.
This advisory was revised on 2015/3/6 11:00.
JVNDB-2015-000034
http://jvn.jp/en/jp/JVN63687798/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0891
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0891
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:tisa:maroyaka_simple_board
2015-03-06T15:07+09:00 2015-03-04T14:48+09:00 2015-03-06T15:07+09:00

Maroyaka Image Album vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000035.html
Maroyaka Image Album provided by Maroyaka CGI is a CGI script for placing image files within a website. Maroyaka Image Album contains a cross-site scripting vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The developer originally stated there were no plans to further maintain the product at the time of publication on 2015/3/4 14:00. However, a fixed version was later released on 2015/3/4 22:00.
This advisory was revised on 2015/3/6 11:00.
JVNDB-2015-000035
http://jvn.jp/en/jp/JVN09871547/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0892
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0892
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:tisa:maroyaka_image_album
2015-03-06T15:21+09:00 2015-03-04T14:49+09:00 2015-03-06T15:21+09:00

Maroyaka Relay Novel vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000036.html
Maroyaka Relay Novel provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Relay Novel contains a persistent cross-site scripting vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The developer originally stated there were no plans to further maintain the product at the time of publication on 2015/3/4 14:00. However, a fixed version was later released on 2015/3/4 22:00.
This advisory was revised on 2015/3/6 11:00.
JVNDB-2015-000036
http://jvn.jp/en/jp/JVN91016415/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0893
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0893
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:tisa:maroyaka_relay_novel
2015-03-06T15:30+09:00 2015-03-04T14:49+09:00 2015-03-06T15:30+09:00

All In One WP Security & Firewall vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000037.html
All In One WP Security & Firewall is a WordPress plugin that provides security functionality. All In One WP Security & Firewall contains a SQL injection vulnerability (CWE-89).
ooooooo_q reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000037
http://jvn.jp/en/jp/JVN30832515/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0894
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0894
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall
2015-03-11T17:55+09:00 2015-03-06T13:45+09:00 2015-03-11T17:55+09:00

All In One WP Security & Firewall vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000038.html
All In One WP Security & Firewall is a WordPress plugin that provides security functionality. All In One WP Security & Firewall contains a cross-site request forgery vulnerability (CWE-352).
JVNDB-2015-000038
http://jvn.jp/en/jp/JVN87204433/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0895
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0895
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall
2015-03-11T17:42+09:00 2015-03-06T13:46+09:00 2015-03-11T17:42+09:00

eXtplorer vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000039.html
eXtplorer is a web-based file manager. eXtplorer contains multiple cross-site scripting vulnerabilities.
Yuji Tounai of NTT COM Security reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000039
http://jvn.jp/en/jp/JVN97099798/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0896
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0896
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:extplorer:extplorer
2015-03-20T14:30+09:00 2015-03-17T13:41+09:00 2015-03-20T14:30+09:00

LINE vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000040.html
LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Kenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000040
http://jvn.jp/en/jp/JVN41281927/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0897
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:linecorp:line
2015-03-20T16:16+09:00 2015-03-20T16:16+09:00 2015-03-20T16:16+09:00

MP Form Mail CGI eCommerce edition vulnerable to code injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000041.html
MP Form Mail CGI eCommerce edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce edition contains a code injection vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000041
http://jvn.jp/en/jp/JVN39175666/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0898
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0898
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:futomis_cgi_cafe:mp_form_mail_cgi_ecommerce
2015-03-24T15:11+09:00 2015-03-20T12:30+09:00 2015-03-24T15:11+09:00

The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html
The TERASOLUNA Server Framework for Java(WEB) provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for Java(WEB) is vulnerable to an issue contained in the Apache Struts 1 Validator, since it uses Apache Struts 1.2.9.
The Validator in Apache Struts 1.1 and later contains a function (MPV -- Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions.
The MPV contains a vulnerability where input validation may be bypassed.
When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.
JVNDB-2015-000042
http://jvn.jp/en/jp/JVN86448949/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:nttdata:terasoluna_server_framework_for_java_web
2016-08-26T16:37+09:00 2015-03-24T14:10+09:00 2016-08-26T16:37+09:00

Fumy Teacher's Schedule Board vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000043.html
Fumy Teacher's Schedule Board provided by Nishishi Factory is a CGI program that displays schedules. Fumy Teacher's Schedule Board contains a cross-site scripting vulnerability.
OHTA, Yoshinori of Business Architects Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000043
http://jvn.jp/en/jp/JVN74547976/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0900
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0900
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:nishishi:fumy_teachers_schedule_board
2015-04-07T17:25+09:00 2015-03-26T14:00+09:00 2015-04-07T17:25+09:00

WordPress theme flashy vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000044.html
flashy is a theme for WordPress. flashy contains a cross-site scripting vulnerability.
Koki Takahashi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000044
http://jvn.jp/en/jp/JVN97281747/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0901
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0901
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:flashy_project:flashy
2015-04-07T17:25+09:00 2015-03-26T14:04+09:00 2015-04-07T17:25+09:00

Android OS may behave as an open resolver
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000045.html
A device that runs as a DNS cache server and responds to any recursive DNS queries it receives is referred to as an open resolver.
Android OS contains an issue where it may behave as an open resolver when the tethering function is enabled.
Yasuhiro Orange Morishita of Japan Registry Services Co., Ltd. (JPRS) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000045
http://jvn.jp/en/jp/JVN81094176/index.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:google:android
2015-03-27T14:12+09:00 2015-03-27T14:12+09:00 2015-03-27T14:12+09:00

All in One SEO Pack information management vulnerability
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000046.html
All in One SEO Pack is a WordPress plugin. All in One SEO Pack automatically adds a meta tag ("Meta Description") to a page using some part of its contents, and this behavior is enabled in the initial configuration. Meta Description can be added even when a page is password-protected; therefore, some part of its contents is not protected.
Fumito MIZUNO of rescuework.inc reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000046http://jvn.jp/en/jp/JVN75615300/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0902https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:semperfiwebdesign:all_in_one_seo_pack2015-04-07T17:27+09:002015-03-31T13:48+09:002015-04-07T17:27+09:00bBlog vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000047.html
bBlog is weblog software. bBlog contains a cross-site request forgery vulnerability (CWE-352).JVNDB-2015-000047http://jvn.jp/en/jp/JVN71903938/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0905https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0905https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:bblog_project:bblog2015-04-09T14:05+09:002015-04-07T12:12+09:002015-04-09T14:05+09:00Maruo Editor vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000048.html
Maruo Editor provided by Saitoh Kikaku contains a buffer overflow vulnerability due to a flaw in processing a specially crafted .hmbook file (CWE-119).
Masato Kinugawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000048http://jvn.jp/en/jp/JVN58784309/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0903https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0903https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hidemaru:editor2015-04-07T17:28+09:002015-04-02T12:30+09:002015-04-07T17:28+09:00"Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000049.html
"Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates.
Yasuyuki KOBAYASHI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000049https://jvn.jp/en/jp/JVN68819526/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0904https://nvd.nist.gov/vuln/detail/CVE-2015-0904https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:locationvalue_restaurantkaraoke_shidax_for_android2018-01-24T14:03+09:002015-04-03T13:36+09:002018-01-24T14:03+09:00Lhaplus vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000050.html
Lhaplus is file compression/decompression software. Lhaplus contains an issue in processing file names, which may result in a directory traversal vulnerability.
akira_you of Nico-TECH reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000050https://jvn.jp/en/jp/JVN02527990/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0906https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0906https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:lhaplus:lhaplus2015-04-16T18:00+09:002015-04-09T13:57+09:002015-04-16T18:00+09:00Lhaplus vulnerable to remote code execution
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000051.html
Lhaplus is file compression/decompression software. Lhaplus contains a remote code execution vulnerability.
Masato Kinugawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000051https://jvn.jp/en/jp/JVN12329472/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0907https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0907https://www.ipa.go.jp/security/ciadr/vul/20150409-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:lhaplus:lhaplus2015-04-16T18:00+09:002015-04-09T13:59+09:002015-04-16T18:00+09:00Seasar S2Struts vulnerable to input validation bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000052.html
Seasar S2Struts provided by The Seasar Foundation is a software framework for developing Java web applications. Seasar S2Struts is vulnerable to an issue contained in the Apache Struts 1 Validator, because S2Struts 1.2.x uses Apache Struts 1.2.x, and S2Struts 1.3.x uses Apache Struts 1.3.x.
The Validator in Apache Struts 1.1 and later contains a function (MPV -- Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions.
The MPV contains a vulnerability where input validation may be bypassed.
When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.JVNDB-2015-000052https://jvn.jp/en/jp/JVN91383083/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:the_seasar_foundation:s2struts2016-08-26T16:39+09:002015-04-10T14:38+09:002016-08-26T16:39+09:00TransmitMail vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000054.html
TransmitMail is a PHP based mail form. TransmitMail contains a cross-site scripting (CWE-79) vulnerability due to the processing of file names.
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000054http://jvn.jp/en/jp/JVN26860747/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0910https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0910https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dounokouno:transmitmail2015-04-27T16:13+09:002015-04-23T13:47+09:002015-04-27T16:13+09:00TransmitMail vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000055.html
TransmitMail is a PHP based mail form. TransmitMail contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000055http://jvn.jp/en/jp/JVN41653647/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0911https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0911https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dounokouno:transmitmail2015-04-27T16:12+09:002015-04-23T14:12+09:002015-04-27T16:12+09:00EasyCTF vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000060.html
EasyCTF is a server side CGI used to score CTF (Capture The Flag). EasyCTF contains a vulnerability that may allow a remote attacker to create arbitrary files (CWE-22).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000060https://jvn.jp/en/jp/JVN67520407/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0912https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0912https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:kozos:easyctf2015-05-07T16:00+09:002015-05-01T13:37+09:002015-05-07T16:00+09:00EasyCTF vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000061.html
EasyCTF is a server side CGI used to score CTF (Capture The Flag). EasyCTF contains a cross-site scripting vulnerability (CWE-79) that can be leveraged by an attacker-created account.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000061http://jvn.jp/en/jp/JVN07538357/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0913https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0913https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:kozos:easyctf2015-05-07T16:02+09:002015-05-01T13:49+09:002015-05-07T16:02+09:00EasyCTF vulnerable to session management
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000062.html
EasyCTF is a server side CGI used to score CTF (Capture The Flag). EasyCTF contains a vulnerability in session management (CWE-639).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000062http://jvn.jp/en/jp/JVN96439865/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0914https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0914https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:kozos:easyctf2015-05-07T16:03+09:002015-05-01T14:00+09:002015-05-07T16:03+09:00MailDealer vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000063.html
MailDealer provided by RAKUS Co.,Ltd. contains a persistent cross-site scripting (CWE-79) vulnerability due to a flaw in processing file names of attachments.
Keigo YAMAZAKI of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000063http://jvn.jp/en/jp/JVN20133698/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0915https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0915https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:rakus:maildealer2015-05-12T14:07+09:002015-05-12T14:07+09:002015-05-12T14:07+09:00Cacti vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000064.html
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a SQL injection vulnerability due to a flaw in processing user input values for 'local_graph_id' in graph.php.
Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000064http://jvn.jp/en/jp/JVN18957556/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0916https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0916https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cacti:cacti2015-05-25T15:29+09:002015-05-14T13:39+09:002015-05-25T15:29+09:00"Honda Moto LINC" App for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000065.html
"Honda Moto LINC" App for Android fails to verify SSL server certificates.
Yasuyuki KOBAYASHI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000065http://jvn.jp/en/jp/JVN75851252/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2943https://nvd.nist.gov/vuln/detail/CVE-2015-2943https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:honda:moto_linc2018-02-28T14:36+09:002015-05-15T12:23+09:002018-02-28T14:36+09:00BGA32.DLL and QBga32.DLL contain multiple vulnerabilities
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000066.html
BGA32.DLL is a compression/decompression library for gza and bza-format files. BGA32.DLL contains multiple vulnerabilities (including a buffer overflow) because it utilizes vulnerable zlib and bzip2 libraries.
QBga32.DLL, which is a wrapper of BGA32.DLL, is also affected.
KONDOU, Kazuhiro reported this vulnerability to IPA.
JPCERT/CC coordinated with the developers under Information Security Early Warning Partnership.
JVNDB-2015-000066http://jvn.jp/en/jp/JVN78689801/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0107https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0953https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1260https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1849https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2096https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:kazuhiro_inaba_qbga32.dllcpe:/a:misc:toshinobu_kimura_bga32.dll2015-05-22T14:26+09:002015-05-19T13:40+09:002015-05-22T14:26+09:00mt-phpincgi vulnerable to PHP object injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000067.html
mt-phpincgi is a script that runs Movable Type templates as PHP. mt-phpincgi contains a PHP object injection vulnerability.
According to the reporter, attacks that attempt to exploit this vulnerability have been confirmed.JVNDB-2015-000067http://jvn.jp/en/jp/JVN64459670/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2945https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2945https://www.ipa.go.jp/security/ciadr/vul/20150520-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:h-fj:mt-phpincgi2015-05-28T18:05+09:002015-05-20T14:34+09:002015-05-28T18:05+09:00SXF Common Library vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000068.html
SXF Common Library contains a buffer overflow vulnerability.
akira_you of Nico-TECH reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000068https://jvn.jp/en/jp/JVN93976566/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2946https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2946https://www.ipa.go.jp/security/ciadr/vul/20150522-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ocf:sxf_common_library2015-05-28T18:14+09:002015-05-22T14:15+09:002015-05-28T18:14+09:00Apache Sling API and Servlets Post components vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000069.html
Apache Sling is an open source web application framework provided by The Apache Software Foundation.
Sling API and Servlet Post components included in Apache Sling contain a cross-site scripting vulnerability (CWE-79) in the error page and the generation of the job completion.
MORI Shingo and Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000069http://jvn.jp/en/jp/JVN61328139/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2944https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:apache:sling_apicpe:/a:apache:sling_servlets_post2015-06-04T15:39+09:002015-05-27T14:43+09:002015-06-04T15:39+09:00Zenphoto vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000070.html
Zenphoto is a content management system (CMS). Zenphoto contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing encoded user-supplied input.
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000070https://jvn.jp/en/jp/JVN68452022/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2948https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2948https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:zenphoto:zenphoto2015-06-03T18:06+09:002015-05-28T13:42+09:002015-06-03T18:06+09:00ZenPhoto20 vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000071.html
ZenPhoto20 is a content management system (CMS). ZenPhoto20 contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing encoded user-supplied input.
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000071http://jvn.jp/en/jp/JVN51176150/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2949https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2949https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:zenphoto20_zenphoto202015-06-03T18:06+09:002015-05-28T13:42+09:002015-06-03T18:06+09:00"Open Explorer Beta" App for Android vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000072.html
"Open Explorer Beta" App for Android provided by brandroid.org contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.
Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000072http://jvn.jp/en/jp/JVN95246510/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2950https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2950https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:open_explorer_beta_project:open_explorer_beta2015-06-08T12:25+09:002015-06-03T14:59+09:002015-06-08T12:25+09:00F21 JWT fails to verify token signatures
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000073.html
JWT provided by F21 is a PHP library for handling JSON Web Tokens. php-jwt contains a vulnerability where it fails to verify token signatures.
Toshiharu Sugiyama of DeNA Co., Ltd. and Shuntaro Maeda reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000073http://jvn.jp/en/jp/JVN06120222/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2951https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2951https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:f21:jwt2015-06-08T12:04+09:002015-06-03T15:01+09:002015-06-08T12:04+09:00NetFlow Analyzer vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000074.html
NetFlow Analyzer provided by Zoho Corporation contains a cross-site scripting vulnerability.
Tomoshige Hasegawa, Akihito Mukai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000074http://jvn.jp/en/jp/JVN98447310/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2960https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2960https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:zohocorp:netflow_analyzer2015-06-10T16:06+09:002015-06-05T13:59+09:002015-06-10T16:06+09:00NetFlow Analyzer fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000075.html
NetFlow Analyzer provided by Zoho Corporation fails to restrict access permissions.
Tomoshige Hasegawa, Akihito Mukai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000075http://jvn.jp/en/jp/JVN25598413/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2959https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2959https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:zohocorp:netflow_analyzer2015-06-10T16:10+09:002015-06-05T14:02+09:002015-06-10T16:10+09:00NetFlow Analyzer vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000076.html
NetFlow Analyzer provided by Zoho Corporation contains a cross-site request forgery vulnerability.
JVNDB-2015-000076http://jvn.jp/en/jp/JVN79284156/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2961https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2961https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:zohocorp:netflow_analyzer2015-06-10T16:14+09:002015-06-05T14:14+09:002015-06-10T16:14+09:00MilkyStep fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000077.html
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions against the management function for user information (CWE-284).
Note that this vulnerability is different from JVN#16409640 or JVN#74280258.
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000077https://jvn.jp/en/jp/JVN19732015/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2952https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2952https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:52+09:002015-06-12T14:13+09:002015-06-16T16:52+09:00MilkyStep fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000078.html
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions (CWE-264).
Note that this vulnerability is different from JVN#74280258.
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000078http://jvn.jp/en/jp/JVN16409640/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2953https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2953https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:52+09:002015-06-09T13:43+09:002015-06-16T16:52+09:00MilkyStep vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000079.html
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a cross-site request forgery vulnerability (CWE-352).
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000079http://jvn.jp/en/jp/JVN12241436/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2954https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2954https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:52+09:002015-06-09T13:45+09:002015-06-16T16:52+09:00MilkyStep vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000080.html
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains an OS command injection vulnerability (CWE-78).
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000080http://jvn.jp/en/jp/JVN05559185/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2955https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2955https://www.ipa.go.jp/security/ciadr/vul/20150609-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:52+09:002015-06-09T14:02+09:002015-06-16T16:52+09:00MilkyStep vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000081.html
MilkyStep provided by Igreks Inc. contains a SQL injection vulnerability.
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a SQL injection vulnerability (CWE-89).
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000081http://jvn.jp/en/jp/JVN52478686/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2956https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2956https://www.ipa.go.jp/security/ciadr/vul/20150609-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:52+09:002015-06-09T14:15+09:002015-06-16T16:52+09:00MilkyStep vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000082.html
MilkyStep provided by Igreks Inc. contains a cross-site scripting vulnerability.
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a cross-site scripting vulnerability (CWE-79).
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000082http://jvn.jp/en/jp/JVN20879350/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2957https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2957https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:52+09:002015-06-09T14:15+09:002015-06-16T16:52+09:00MilkyStep fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000083.html
MilkyStep provided by Igreks Inc. fails to restrict access permissions.
Note that this vulnerability is different from JVN#16409640.
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions (CWE-264).
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000083http://jvn.jp/en/jp/JVN74280258/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2958https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2958https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:igreks:milkystep_lightcpe:/a:igreks:milkystep_professionalcpe:/a:igreks:milkystep_professional_oem2015-06-16T16:51+09:002015-06-09T14:16+09:002015-06-16T16:51+09:00Multiple Buffalo wireless LAN routers vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000085.html
Multiple wireless LAN routers provided by BUFFALO INC. contain an OS command injection vulnerability.
Masashi Sakai, Satoshi Ogawa reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000085http://jvn.jp/en/jp/JVN50447904/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9284https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9284https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/h:buffalo_inc:bhr-4grv2cpe:/h:buffalo_inc:wex-300cpe:/h:buffalo_inc:whr-1166dhpcpe:/h:buffalo_inc:whr-300hp2cpe:/h:buffalo_inc:whr-600dcpe:/h:buffalo_inc:wmr-300cpe:/h:buffalo_inc:wsr-600dhp2015-06-10T17:54+09:002015-06-05T14:16+09:002015-06-10T17:54+09:00LoadLibrary function in Microsoft Windows fails to validate input properly
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000086.html
The LoadLibrary function in Microsoft Windows fails to validate input properly. As a result, it may load a specially crafted DLL file (CWE-114).
Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000086http://jvn.jp/en/jp/JVN18146081/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1758http://www.ipa.go.jp/security/ciadr/vul/20150610-ms.htmlhttps://www.jpcert.or.jp/english/at/2015/at150016.htmlhttp://www.npa.go.jp/cyberpolice/topics/?seq=16442https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:microsoft:windows2015-06-12T14:11+09:002015-06-12T14:11+09:002015-06-12T14:11+09:00BloBee vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000087.html
BloBee provided by CGI RESCUE is bulletin board software. BloBee contains a vulnerability that may allow a remote attacker to create arbitrary files (CWE-20).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000087http://jvn.jp/en/jp/JVN24336273/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2962https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2962https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cgi_rescue:blobee2015-06-16T16:51+09:002015-06-12T14:12+09:002015-06-16T16:51+09:00Ruby on Rails library Paperclip vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000088.html
Paperclip provided by thoughtbot is a library to upload files in Ruby on Rails. Paperclip contains a persistent cross-site scripting vulnerability (CWE-79).
MORI Shingo of DeNA Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000088http://jvn.jp/en/jp/JVN83881261/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2963https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2963https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:thoughtbot:paperclip2015-07-14T18:15+09:002015-06-18T14:14+09:002015-07-14T18:15+09:00Symfony vulnerable to code injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000089.html
Symfony is an open source web application framework provided by SensioLabs. Symfony contains a code injection vulnerability. Applications with ESI support enabled and using the Symfony built-in reverse proxy (the HttpCache class) are affected.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000089http://jvn.jp/en/jp/JVN19578958/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2308https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2308http://www.ipa.go.jp/security/ciadr/vul/20150623-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sensiolabs:symfony2015-06-25T17:34+09:002015-06-23T12:29+09:002015-06-25T17:34+09:00namshi/jose fails to verify token signatures
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000090.html
namshi/jose is a PHP library for handling JSON Web Tokens (JWT). namshi/jose contains a vulnerability in processing JWT headers where it fails to verify token signatures.
Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000090https://jvn.jp/en/jp/JVN25336719/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2964https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2964https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:namshi:namshi%2Fjose2015-07-14T17:18+09:002015-06-25T15:00+09:002015-07-14T17:18+09:00osCommerce Japanese version vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000091.html
osCommerce is an open source system for creating shopping websites. osCommerce Japanese version contains a directory traversal vulnerability.
Masako Ohno reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000091https://jvn.jp/en/jp/JVN96312698/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2965https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2965https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:oscommerce:oscommerce2015-06-30T11:53+09:002015-06-25T15:53+09:002015-06-30T11:53+09:00OpenEMR vulnerable to authentication bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000092.html
OpenEMR is an electronic health records and medical practice management application. OpenEMR contains an authentication bypass vulnerability (CWE-302).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000092https://jvn.jp/en/jp/JVN22677713/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4453https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4453https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:open-emr:openemr2015-07-14T17:16+09:002015-06-30T13:55+09:002015-07-14T17:16+09:00Explorer+ File Manager vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000093.html
Explorer+ File Manager provided by Droidware UK contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.
Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000093https://jvn.jp/en/jp/JVN77386811/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2966https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2966https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:droidwareuk:explorer%2B_file_manager2015-07-02T15:04+09:002015-06-30T13:56+09:002015-07-02T15:04+09:00Cacti vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000094.html
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing parameters in settings.php.
Daiki Fukumori of Cyber Defense Institute, Inc. and Masako Ohno reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000094http://jvn.jp/en/jp/JVN78187936/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2967https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2967https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cacti:cacti2015-07-14T18:03+09:002015-07-09T14:41+09:002015-07-14T18:03+09:00LINE@ vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000095.html
LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Kenta Suefusa, Nobuaki Nakazawa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000095http://jvn.jp/en/jp/JVN22546110/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2968https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:linecorp:line%402015-07-10T14:50+09:002015-07-10T14:50+09:002015-07-10T14:50+09:00Simple Oekaki BBS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000096.html
Simple Oekaki BBS provided by LEMON-S PHP contains a persistent cross-site scripting (CWE-79) vulnerability due to the processing of the oekakis parameter in index.php.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000096http://jvn.jp/en/jp/JVN67540183/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2969https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2969https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:lemon-s_php:simple_oekaki2015-07-14T18:09+09:002015-07-10T13:57+09:002015-07-14T18:09+09:00Simple Oekaki BBS vulnerability where arbitrary files may be deleted
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000097.html
Simple Oekaki BBS provided by LEMON-S PHP contains a flaw in parsing the oekakis parameter in index.php, which may allow a remote attacker to delete arbitrary files.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000097http://jvn.jp/en/jp/JVN61935381/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2970https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2970https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:lemon-s_php:simple_oekaki2015-07-14T18:11+09:002015-07-10T13:57+09:002015-07-14T18:11+09:00acmailer vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000098.html
acmailer provided by Seeds Co.,Ltd. contains a directory traversal (CWE-22) vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000098https://jvn.jp/en/jp/JVN64051989/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2971https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2971https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:seeds:acmailer2015-07-27T15:12+09:002015-07-15T15:53+09:002015-07-27T15:12+09:00Thetis vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000099.html
Thetis provided by Sysphonic Co., Ltd. is an open source groupware and SNS. Thetis contains a SQL injection (CWE-89) vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000099http://jvn.jp/en/jp/JVN19011483/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2972https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2972https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sysphonic:thetis2015-07-27T15:07+09:002015-07-15T15:54+09:002015-07-27T15:07+09:00PHP for Windows vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000101.html
PHP for Windows contains an OS command injection due to a processing flaw in the escapeshellarg function.
Masahiro Yamada reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000101https://jvn.jp/en/jp/JVN73568461/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4642http://www.ipa.go.jp/security/ciadr/vul/20150717-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:php:php2016-05-19T17:43+09:002015-07-17T14:44+09:002016-05-19T17:43+09:00Welcart vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000103.html
Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a cross-site scripting (CWE-79) vulnerability due to the processing of the usces_referer parameter in admin.php.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000103http://jvn.jp/en/jp/JVN97971874/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2973https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2973https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:collne:welcart_plugin2015-07-28T17:51+09:002015-07-24T14:33+09:002015-07-28T17:51+09:00Research Artisan Lite vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000104.html
Research Artisan Lite provided by Research Artisan Project is an access analysis tool. Research Artisan Lite contains multiple cross-site scripting vulnerabilities (CWE-79).
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000104https://jvn.jp/en/jp/JVN58020495/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2976https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2976https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:research-artisan:research_artisan_lite2015-07-28T17:29+09:002015-07-24T14:36+09:002015-07-28T17:29+09:00Research Artisan Lite does not properly perform authentication
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000105.html
Research Artisan Lite provided by Research Artisan Project is an access analysis tool. Research Artisan Lite does not properly perform authentication (CWE-592).
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000105https://jvn.jp/en/jp/JVN10559378/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2975https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2975https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:research-artisan:research_artisan_lite2015-07-28T17:22+09:002015-07-24T14:46+09:002015-07-28T17:22+09:00Gazou BBS plus vulnerability in file upload processing
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000106.html
Gazou BBS plus provided by LEMON-S PHP contains a vulnerability in the processing of file uploads.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000106https://jvn.jp/en/jp/JVN86680970/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2974https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2974https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:lemon-s_php:gazou_bbs_plus2015-07-30T15:14+09:002015-07-28T13:47+09:002015-07-30T15:14+09:00yoyaku_v41 vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000107.html
yoyaku_v41 provided by Webservice-DIC is software for managing conference room reservations. yoyaku_v41 contains a vulnerability that may allow a remote attacker to create arbitrary files (CWE-20).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000107http://jvn.jp/en/jp/JVN46674982/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2977https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2977https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:d-ic:yoyaku_v412015-07-30T15:14+09:002015-07-29T14:58+09:002015-07-30T15:14+09:00yoyaku_v41 vulnerable to authentication bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000108.html
yoyaku_v41 provided by Webservice-DIC is software for managing conference room reservations. yoyaku_v41 contains an authentication bypass vulnerability (CWE-592).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000108http://jvn.jp/en/jp/JVN52248864/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2978https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2978https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:d-ic:yoyaku_v412015-07-30T15:14+09:002015-07-29T14:58+09:002015-07-30T15:14+09:00yoyaku_v41 vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000109.html
yoyaku_v41 provided by Webservice-DIC is software for managing conference room reservations. yoyaku_v41 contains an OS command injection vulnerability (CWE-78).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000109http://jvn.jp/en/jp/JVN17522792/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2979https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2979https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:d-ic:yoyaku_v412015-07-30T15:14+09:002015-07-29T14:58+09:002015-07-30T15:14+09:00Yodobashi App for Android vulnerable to arbitrary Java method execution
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000110.html
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. contains a vulnerability where an arbitrary Java method may be executed.
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000110http://jvn.jp/en/jp/JVN70465405/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2980https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2980https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:yodobashi:yodobashi2015-08-11T12:22+09:002015-08-07T13:50+09:002015-08-11T12:22+09:00Yodobashi App for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000111.html
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. fails to verify SSL server certificates.
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000111http://jvn.jp/en/jp/JVN29053368/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2981https://nvd.nist.gov/vuln/detail/CVE-2015-2981https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:yodobashi:yodobashi2018-04-04T12:28+09:002015-08-07T13:50+09:002018-04-04T12:28+09:00Microsoft Office discloses a file path of a local file
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000112.html
When a file such as a clipart or an image is inserted in Office documents, the absolute path of the local file is stored in "alternative text".
Yosuke HASEGAWA of SecureSky Technology Inc. and Miyuki Chikara of MARUS JAPAN Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000112http://jvn.jp/en/jp/JVN20459920/index.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:microsoft:office2015-08-12T15:13+09:002015-08-12T15:13+09:002015-08-12T15:13+09:00Photo Gallery CMS for PC, smartphone and feature phone (Free) vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000113.html
Photo Gallery CMS for PC, smartphone and feature phone (Free) provided by PHP Kobo contains a cross-site scripting (CWE-79) vulnerability in admin.php.
Yuji Tounai of NTT Com Security(Japan) KK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000113http://jvn.jp/en/jp/JVN69175956/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2982https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2982https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:php_kobo:photo_gallery_cms_free2015-08-26T17:38+09:002015-08-12T15:13+09:002015-08-26T17:38+09:00Photo Gallery CMS for PC, smartphone and feature phone (Free) vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000114.html
Photo Gallery CMS for PC, smartphone and feature phone (Free) provided by PHP Kobo contains a cross-site request forgery (CWE-352) vulnerability in admin.php.
Yuji Tounai of NTT Com Security(Japan) KK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000114http://jvn.jp/en/jp/JVN78240242/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2983https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2983https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:php_kobo:photo_gallery_cms_free2015-08-26T17:28+09:002015-08-12T15:13+09:002015-08-26T17:28+09:00Japan Connected-free Wi-Fi vulnerable to allow URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000115.html
Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. contains an issue where an arbitrary page may be loaded if the application is launched with the URL-scheme.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000115http://jvn.jp/en/jp/JVN04644117/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5629https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5629https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ntt-bp:japan_connected-free_wi-fi2016-05-27T14:32+09:002015-09-11T14:16+09:002016-05-27T14:32+09:00Japan Connected-free Wi-Fi vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000116.html
Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. is vulnerable to script injection when displaying malformed strings contained in SSID.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000116http://jvn.jp/en/jp/JVN41048401/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5630https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5630https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ntt-bp:japan_connected-free_wi-fi2015-09-15T17:17+09:002015-09-11T14:17+09:002015-09-15T17:17+09:00Multiple I-O DATA LAN routers vulnerable in UPnP functionality
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000117.html
A wired LAN router NP-BBRS and a wireless LAN router WN-G54/R2 provided by I-O DATA DEVICE, INC. contain a vulnerability in the UPnP functionality.JVNDB-2015-000117https://jvn.jp/en/jp/JVN17964918/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2984https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2984https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/h:i-o_data_device:np-bbrscpe:/h:i-o_data_device:wn-g54%2Fr22015-08-28T17:29+09:002015-08-18T15:21+09:002015-08-28T17:29+09:00Apache Tapestry deserializes untrusted data
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000118.html
Apache Tapestry contains a vulnerability where it may deserialize untrusted data.
Apache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface where serialized data sent from the client is deserialized after it is received by the server. This serialization / deserialization process does not include data validation. Therefore, if the serialized data is altered, the server will deserialize the data without validating it (CWE-502).
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000118https://jvn.jp/en/jp/JVN17611367/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1972https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1972https://www.jpcert.or.jp/securecoding/2014/OracleJava-AtomicReferenceArray.pdfhttps://www.securecoding.cert.org/confluence/display/java/SER02-J.+Sign+then+seal+sensitive+objects+before+sending+them+outside+a+trust+boundary;jsessionid=6418285E96FE6503CBFF59A54A87B1E7https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:apache:tapestry2015-08-26T17:51+09:002015-08-20T15:53+09:002015-08-26T17:51+09:00File Encryption Software "ED" where encrypted data may be easier to decipher when files of small size are encrypted
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000119.html
File encryption software "ED" contains an issue where small files, once encrypted, may be easier to decipher than larger encrypted files.
When encrypting files that are smaller than the block size (128 bits), file encryption software "ED" encrypts such files with "a stream cipher combining ECB mode of the selected encryption algorithm on key generation". As a result, deciphering the encrypted data becomes relatively easy. For more details on this specification, please refer to the documentation (http://type74.org/edman5-1.php) provided by the developer.
Yutaka Sawada reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000119http://jvn.jp/en/jp/JVN91474878/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2987https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2987https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:type74:ed2015-09-02T17:57+09:002015-08-27T15:03+09:002015-09-02T17:57+09:00Rakuten card App for iOS fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000120.html
Rakuten card App for iOS provided by Rakuten Card Co., Ltd. fails to verify SSL server certificates.
AOKI Keiichi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000120https://jvn.jp/en/jp/JVN81207766/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2988https://nvd.nist.gov/vuln/detail/CVE-2015-2988https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:rakuten_rakutencard_for_ios2018-03-14T12:30+09:002015-09-01T14:18+09:002018-03-14T12:30+09:00Twit BBS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000121.html
Twit BBS provided by LEMON-S PHP contains a persistent cross-site scripting (CWE-79) vulnerability due to the processing of the imagetitle parameter in index.php.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000121https://jvn.jp/en/jp/JVN77193915/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2989https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2989https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:lemon-s_php:twit_bbs2015-09-09T14:02+09:002015-09-01T14:18+09:002015-09-09T14:02+09:00desknet's NEO vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000122.html
desknet's NEO provided by NEOJAPAN Inc. contains a directory traversal (CWE-22) vulnerability where it fails to verify the html parameter in zhtml.cgi.
Hiroyuki Yamashita of M&K Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000122http://jvn.jp/en/jp/JVN09283606/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2990https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2990https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:neo_japan:desknet_neo2015-09-09T14:02+09:002015-09-01T12:36+09:002015-09-09T14:02+09:00NScripter vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000123.html
NScripter is a script engine to build and execute games. NScripter contains a buffer overflow vulnerability due to a flaw in processing save data.
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000123https://jvn.jp/en/jp/JVN08494613/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2991https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2991https://www.ipa.go.jp/security/ciadr/vul/20150902-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:nscripter_project:nscripter2015-09-09T14:02+09:002015-09-02T15:46+09:002015-09-09T14:02+09:00Apache Struts vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000124.html
Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Apache Struts is vulnerable to cross-site scripting when JSP files can be accessed directly.
Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000124http://jvn.jp/en/jp/JVN88408929/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2992https://nvd.nist.gov/vuln/detail/CVE-2015-2992https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:apache:struts2015-12-25T13:45+09:002015-09-04T15:12+09:002015-12-25T13:45+09:00Apache Struts vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000125.html
Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a cross-site scripting vulnerability when devMode is left turned on.
Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000125http://jvn.jp/en/jp/JVN95989300/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5169https://nvd.nist.gov/vuln/detail/CVE-2015-5169https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:apache:struts2017-10-02T12:08+09:002015-09-04T15:12+09:002017-10-02T12:08+09:00eXtplorer vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000126.html
eXtplorer is a web-based file manager. index.php of eXtplorer contains a cross-site request forgery (CWE-352) vulnerability.
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000126http://jvn.jp/en/jp/JVN92520335/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5660https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5660https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:extplorer:extplorer2015-10-19T15:55+09:002015-10-15T12:24+09:002015-10-19T15:55+09:00ELPhoneBtnV6 ActiveX control vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000127.html
ELPhoneBtnV6 ActiveX control was used for "Click to Live" service provided by FreeBit Co., Ltd. Although "Click to Live" service has been discontinued, PCs that used the "Click to Live" service may still have the ActiveX control installed.
ELPhoneBtnV6 ActiveX control, which is provided by the file c2lv6.ocx, contains a buffer overflow vulnerability in the ExecCall() method.
Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000127https://jvn.jp/en/jp/JVN62078684/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5624https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5624https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:freebit:elphonebtnv6_activex_control2015-09-09T14:02+09:002015-09-07T13:38+09:002015-09-09T14:02+09:00OpenDocMan vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000128.html
OpenDocMan is a document management system (DMS). OpenDocMan contains a cross-site scripting vulnerability due to a processing flaw in the "redirection" parameter.
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000128http://jvn.jp/en/jp/JVN00015036/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5625https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5625https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:opendocman:opendocman2015-09-09T14:02+09:002015-09-04T18:13+09:002015-09-09T14:02+09:00PIXMA MG7500 Series vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000129.html
PIXMA MG7500 Series provided by Canon Inc. contain a cross-site request forgery vulnerability.
TOMITA Ryo of Fukuoka Junior High School attached to the Fukuoka University of Education (FUE) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000129https://jvn.jp/en/jp/JVN07427376/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5631https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5631https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/h:canon:pixma_mg7500_series_inkjet_printer2015-09-15T17:17+09:002015-09-11T14:17+09:002015-09-15T17:17+09:00applican vulnerable to URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000130.html
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican provides a whitelisting function (whitelist.xml) to limit the URLs that applications can access. However, if the application is launched using the URL-scheme, the access restriction is bypassed and URLs that are not whitelisted can be accessed. If an API of applican framework is specified in the URL, the API will be called in the context of the URL.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000130http://jvn.jp/en/jp/JVN73346595/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5632https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5632https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:applican2015-10-14T16:30+09:002015-09-16T16:58+09:002015-10-14T16:30+09:00Auction Camera vulnerable to URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000131.html
Auction Camera provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". Auction Camera contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000131http://jvn.jp/en/jp/JVN71815309/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5633https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5633https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:auction_camera2015-09-16T16:58+09:002015-09-16T16:58+09:002015-09-16T16:58+09:00MEGAPHONE MUSIC vulnerable to URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000132.html
MEGAPHONE MUSIC provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". MEGAPHONE MUSIC contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000132http://jvn.jp/en/jp/JVN83862346/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5634https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5634https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:megaphone_music2015-10-02T17:22+09:002015-09-16T16:58+09:002015-10-02T17:22+09:00Koritore vulnerable to URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000133.html
Koritore provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". Koritore contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000133https://jvn.jp/en/jp/JVN24517322/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5635https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5635https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:koritore2015-10-02T17:22+09:002015-09-16T16:58+09:002015-10-02T17:22+09:00Reversi vulnerable to URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000134.html
Reversi provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". Reversi contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000134https://jvn.jp/en/jp/JVN67586379/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5636https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5636https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:reversi2015-10-02T17:18+09:002015-09-16T16:58+09:002015-10-02T17:18+09:00Photon vulnerable to URL whitelist bypass
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000135.html
Photon provided by Newphoria Corporation Inc. is an application for Android built using "applican". Photon contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000135http://jvn.jp/en/jp/JVN19948778/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5637https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5637https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:newphoria_photon2015-10-02T17:15+09:002015-09-16T16:58+09:002015-10-02T17:15+09:00H2O vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000136.html
H2O is open source web server software. H2O contains an issue in processing URLs, which may result in a directory traversal (CWE-22) vulnerability.
Yusuke OSUMI reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000136http://jvn.jp/en/jp/JVN65602714/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5638https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5638https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:h2o_project:h2o2015-10-05T17:32+09:002015-09-17T13:36+09:002015-10-05T17:32+09:00niconico App for iOS fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000137.html
niconico App for iOS provided by DWANGO Co., Ltd. fails to verify SSL server certificates.
AOKI Keiichi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000137http://jvn.jp/en/jp/JVN20355129/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5639https://nvd.nist.gov/vuln/detail/CVE-2015-5639https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dwango:niconico2018-03-07T12:26+09:002015-09-29T14:05+09:002018-03-07T12:26+09:00baserCMS fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000138.html
baserCMS is an open-source Contents Management System (CMS). baserCMS contains a vulnerability where user settings may be changed when processing a specially crafted request sent by an attacker logged into the system.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000138http://jvn.jp/en/jp/JVN04855224/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5640https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5640https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:basercms:basercms2015-10-07T17:38+09:002015-09-30T14:46+09:002015-10-07T17:38+09:00baserCMS vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000139.html
baserCMS contains an SQL injection vulnerability.
baserCMS is an open-source Contents Management System (CMS). baserCMS contains a vulnerability that allows an authenticated user to inject arbitrary SQL statements (CWE-89).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000139http://jvn.jp/en/jp/JVN79633796/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5641https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5641https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:basercms:basercms2015-10-07T17:38+09:002015-09-30T14:46+09:002015-10-07T17:38+09:00Canary Labs Trend Web Server vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000140.html
Trend Web Server provided by Canary Labs is a solution used for data visualization. Trend Web Server contains a buffer overflow (CWE-119) vulnerability.
Kuang-Chun Hung reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000140http://jvn.jp/en/jp/JVN07676450/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5653https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5653https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:canarylabs:trendweb2015-10-06T18:00+09:002015-10-01T14:11+09:002015-10-06T18:00+09:00Python for Windows may insecurely load dynamic libraries
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000141.html
Python for Windows contains an issue with the DLL search path, which may lead to insecurely loading a DLL called readline.pyd.
Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000141http://jvn.jp/en/jp/JVN49503705/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5652https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5652https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:python:python2015-10-08T15:25+09:002015-10-01T14:11+09:002015-10-08T15:25+09:00Apache Cordova plugin cordova-plugin-file-transfer vulnerable to HTTP header injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000142.html
cordova-plugin-file-transfer, a plugin for Apache Cordova provided by the Apache Software Foundation, provides functionality to upload and download files in applications created by Apache Cordova. It also provides functionality to add HTTP headers.
Android applications that use cordova-plugin-file-transfer contain an HTTP header injection vulnerability due to a flaw in processing file names.
Muneaki Nishimura of Sony Digital Network Applications, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000142http://jvn.jp/en/jp/JVN21612597/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5204http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5204https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:apache:cordova_file_transfer2015-12-21T17:45+09:002015-09-29T14:04+09:002015-12-21T17:45+09:00MATCHA INVOICE vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000143.html
MATCHA INVOICE provided by ICZ Corporation is a web-based billing management software. MATCHA INVOICE contains multiple SQL injection (CWE-89) vulnerabilities.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000143http://jvn.jp/en/jp/JVN18232032/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5642https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5642https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:icz:matcha_bill2015-10-08T15:25+09:002015-09-30T15:04+09:002015-10-08T15:25+09:00MATCHA INVOICE vulnerable to code injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000144.html
MATCHA INVOICE provided by ICZ Corporation is a web-based billing management software. MATCHA INVOICE contains a code injection (CWE-94) vulnerability due to a flaw when configuring the database during installation.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000144http://jvn.jp/en/jp/JVN66984217/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5643https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5643https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:icz:matcha_bill2015-10-08T15:25+09:002015-09-30T15:04+09:002015-10-08T15:25+09:00MATCHA SNS vulnerable to code injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000145.html
MATCHA SNS provided by ICZ Corporation is an SNS software. MATCHA SNS contains a code injection (CWE-94) vulnerability due to a flaw when configuring the database during installation.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000145http://jvn.jp/en/jp/JVN08535069/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5644https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5644https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:icz:matchasns2015-10-08T15:25+09:002015-09-30T15:05+09:002015-10-08T15:25+09:00MATCHA SNS access restriction bypass vulnerability
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000146.html
MATCHA SNS provided by ICZ Corporation is an SNS software.
MATCHA SNS contains an access restriction bypass vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000146http://jvn.jp/en/jp/JVN85118545/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5645https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5645https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:icz:matchasns2015-10-08T15:25+09:002015-09-30T15:05+09:002015-10-08T15:25+09:00AjaXplorer vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000147.html
AjaXplorer contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.
Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000147http://jvn.jp/en/jp/JVN27462572/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5650https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5650https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:pydio:ajaxplorer2015-10-07T17:38+09:002015-10-01T14:11+09:002015-10-07T17:38+09:00Dotclear vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000148.html
Dotclear is a weblog software. Dotclear contains a cross-site scripting vulnerability.
Yuji Tounai of NTT Com Security(Japan)KK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000148http://jvn.jp/en/jp/JVN65668004/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5651http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5651https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dotclear:dotclear2015-10-06T18:02+09:002015-10-02T13:36+09:002015-10-06T18:02+09:00gollum vulnerable to file exposure
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000149.html
gollum is a wiki system that uses git repositories. gollum contains a vulnerability which may allow an attacker to view arbitrary files on the server.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000149http://jvn.jp/en/jp/JVN27548431/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7314https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7314https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:gollum_project:gollum2015-10-08T15:26+09:002015-10-02T13:36+09:002015-10-08T15:26+09:00Multiple PHP code execution vulnerabilities in Cybozu Garoon
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000151.html
Cybozu Garoon is a groupware. Cybozu Garoon contains multiple PHP code execution vulnerabilities.
* [CyVDB-863] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code, [CyVDB-867] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code (CVE-2015-5646)
* [CyVDB-866] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code in RSS Reader function (CVE-2015-5647)
For more details, refer to the information provided by the developer.JVNDB-2015-000151https://jvn.jp/en/jp/JVN21025396/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5646https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5647https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5646https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5647http://www.ipa.go.jp/security/ciadr/vul/20151007-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:garoon2016-05-30T15:34+09:002015-10-07T14:48+09:002016-05-30T15:34+09:00Cybozu Garoon vulnerable to LDAP injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000152.html
Cybozu Garoon is a groupware. Cybozu Garoon contains an issue in processing authentication requests, which may result in an LDAP injection vulnerability.JVNDB-2015-000152https://jvn.jp/en/jp/JVN38369032/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5649https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5649http://www.ipa.go.jp/security/ciadr/vul/20151007-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:garoon2016-06-02T19:15+09:002015-10-07T14:48+09:002016-06-02T19:15+09:00Dojo Toolkit vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000153.html
Dojo Toolkit is a software to assist in building web applications. Dojo Toolkit contains a cross-site scripting vulnerability.
Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000153https://jvn.jp/en/jp/JVN13456571/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5654https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5654https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dojofoundation:dojo_toolkit2015-10-14T17:26+09:002015-10-09T14:12+09:002015-10-14T17:26+09:00phpRechnung vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000154.html
phpRechnung is a web-based accounting software. list.php of phpRechnung contains an SQL injection (CWE-89) vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000154https://jvn.jp/en/jp/JVN02671769/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5648https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5648https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:loenshotel:phprechnung2015-10-14T17:26+09:002015-10-09T14:12+09:002015-10-14T17:26+09:00Pref Shimane CMS vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000158.html
Pref Shimane CMS is an open-source Contents Management System (CMS). Pref Shimane CMS contains an SQL injection vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000158https://jvn.jp/en/jp/JVN84982142/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5659https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5659https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:network_applied_communication_laboratory:shimane_prefecture_cms2015-10-14T17:26+09:002015-10-09T14:12+09:002015-10-14T17:26+09:00Party Track SDK for iOS fails to verify server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000159.html
Party Track SDK for iOS provided by Adways Inc. fails to verify server certificates in encrypted HTTPS communications.
According to the developer, in addition to communications by the SDK, communications by the application using NSURLConnection also fail to verify server certificates.
ma.la of LINE Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000159http://jvn.jp/en/jp/JVN48211537/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5655https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5655https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:adways:party_track_sdk2015-11-11T17:32+09:002015-10-14T15:41+09:002015-11-11T17:32+09:00Avast vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000160.html
Avast contains an issue in processing archive files, which may result in a directory traversal (CWE-22) vulnerability.
When an archive file such as zip is detected as containing a virus and the included virus file is being moved or deleted, the operation is done to the file path inside the archive file.
Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000160http://jvn.jp/en/jp/JVN25576608/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5662https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5662https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:avast:avast_antivirus2015-10-20T17:56+09:002015-10-16T14:00+09:002015-10-20T17:56+09:00AirDroid for Android vulnerable in handling of implicit intents
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000162.html
AirDroid for Android provided by SAND STUDIO contains a vulnerability in the handling of implicit intents.
Gaku Mochizuki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000162http://jvn.jp/en/jp/JVN37825153/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5661https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5661https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:airdroid:airdroid2015-10-20T17:56+09:002015-10-16T14:00+09:002015-10-20T17:56+09:00ANA App fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000164.html
ANA App provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates.
AOKI Keiichi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000164http://jvn.jp/en/jp/JVN25086409/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5666https://nvd.nist.gov/vuln/detail/CVE-2015-5666https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ana:all_nippon_airways2018-03-07T13:50+09:002015-10-28T14:50+09:002018-03-07T13:50+09:00EC-CUBE vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000166.html
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability (CWE-352).
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000166http://jvn.jp/en/jp/JVN97278546/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5665https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5665https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ec-cube:ec-cube2015-11-13T19:36+09:002015-10-26T12:27+09:002015-11-13T19:36+09:00Enisys Gw vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000167.html
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains an SQL injection vulnerability (CWE-89).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000167http://jvn.jp/en/jp/JVN58615092/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5668https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5668https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:techno_project_japan:enisys_gw2015-11-02T18:05+09:002015-10-29T13:37+09:002015-11-02T18:05+09:00Enisys Gw vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000168.html
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains a vulnerability that may allow a remote attacker to create arbitrary files.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000168http://jvn.jp/en/jp/JVN33179297/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5669https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5669https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:techno_project_japan:enisys_gw2015-11-02T18:05+09:002015-10-29T13:37+09:002015-11-02T18:05+09:00Enisys Gw vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000169.html
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains a cross-site scripting vulnerability (CWE-79).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000169http://jvn.jp/en/jp/JVN13874649/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5670https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5670https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:techno_project_japan:enisys_gw2015-11-02T18:05+09:002015-10-29T13:46+09:002015-11-02T18:05+09:00Enisys Gw fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000170.html
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw fails to restrict access permissions.JVNDB-2015-000170http://jvn.jp/en/jp/JVN68289108/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5671https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5671https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:techno_project_japan:enisys_gw2015-11-02T18:05+09:002015-10-29T13:46+09:002015-11-02T18:05+09:00HTML::Scrubber vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000171.html
HTML::Scrubber is a Perl module for scrubbing/sanitizing HTML. HTML::Scrubber contains a cross-site scripting vulnerability (CWE-79).
Toshiharu Sugiyama and Ryo Murakami of DeNA Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000171http://jvn.jp/en/jp/JVN53973084/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5667https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:html-scrubber_project:html-scrubber2015-10-30T15:16+09:002015-10-30T15:16+09:002015-10-30T15:16+09:00Multiple routers contain issue in preventing clickjacking attacks
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000172.html
Multiple router products contain an issue in the protection against clickjacking attacks.
Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000172http://jvn.jp/en/jp/JVN48135658/index.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:multiple_vendors2016-02-12T17:16+09:002015-10-30T15:16+09:002016-02-12T17:16+09:00Multiple TYPE-MOON games vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000174.html
Multiple games provided by TYPE-MOON contain an OS command injection vulnerability (CWE-78) due to an issue in loading save data.
KUSANO Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000174https://jvn.jp/en/jp/JVN80144272/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5672https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5672https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:typemoon:fate%2Fhollow_ataraxiacpe:/a:typemoon:fate%2Fstay_nightcpe:/a:typemoon:fate%2Fstay_night_%2B_hollow_ataraxia_setcpe:/a:typemoon:witch_on_the_holy_night2015-11-09T10:39+09:002015-11-05T14:11+09:002015-11-09T10:39+09:00ISUCON5 qualifier portal web application (eventapp) vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000175.html
ISUCON5 qualifier portal web application (eventapp) provided by ISUCON organizers contains an OS command injection (CWE-78) vulnerability.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000175https://jvn.jp/en/jp/JVN04281281/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5673https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5673https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:isucon:isucon_5_qualifier_eventapp2015-11-11T15:33+09:002015-11-02T14:10+09:002015-11-11T15:33+09:00SonicWall TotalSecure TZ 100 Series vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000176.html
SonicWall TotalSecure TZ 100 Series is a firewall product provided by Dell Inc. SonicWall TotalSecure TZ 100 Series contains a denial-of-service (DoS) vulnerability.
FFRI,Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000176https://jvn.jp/en/jp/JVN90135579/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7770https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7770https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:dell:sonicwall_totalsecure_tz_100_firmware2015-11-09T10:47+09:002015-11-06T12:30+09:002015-11-09T10:47+09:00Apple OS X authentication issue when recovering from sleep mode
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000177.html
Apple OS X contains an issue with authentication when recovering from sleep mode. This issue exists due to a flaw in the processing of the text entered in the dialog box upon recovering from sleep mode.
Masaki Katayama of Cyber Risks Laboratory Naviplus CO,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000177https://jvn.jp/en/jp/JVN56210048/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5229https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5229https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:apple:apple_remote_desktopcpe:/o:apple:mac_os_x2015-11-17T16:15+09:002015-11-13T14:25+09:002015-11-17T16:15+09:00applican vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000178.html
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican is vulnerable to script injection due to an issue in processing SSID.
Note that this vulnerability is different from JVN#64625488.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000178http://jvn.jp/en/jp/JVN71088919/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7771https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7771https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:applican2015-11-24T18:03+09:002015-11-17T14:20+09:002015-11-24T18:03+09:00applican vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000179.html
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican is vulnerable to script injection due to an issue in processing URLs.
Note that this vulnerability is different from JVN#71088919.
Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000179http://jvn.jp/en/jp/JVN64625488/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7772https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7772https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:newphoria_corporation:applican2015-11-24T18:03+09:002015-11-17T14:20+09:002015-11-24T18:03+09:00pWebManager vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000180.html
pWebManager provided by PC-EGG Co.,Ltd. contains an OS command injection vulnerability (CWE-78).
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000180https://jvn.jp/en/jp/JVN25323093/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7774https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7774https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:pc-egg:pwebmanager2015-11-17T16:21+09:002015-11-13T14:25+09:002015-11-17T16:21+09:00Gurunavi App for iOS fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000181.html
Gurunavi App for iOS provided by Gurunavi, Inc. fails to verify SSL server certificates.
AOKI Keiichi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2015-000181https://jvn.jp/en/jp/JVN29141986/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7778https://nvd.nist.gov/vuln/detail/CVE-2015-7778https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:gurunavi:gournavi2018-03-07T12:17+09:002015-11-17T14:21+09:002018-03-07T12:17+09:00Kirby vulnerable to arbitrary file creation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000182.html
Kirby is a content management system (CMS). Kirby contains a vulnerability that may allow a remote attacker to create arbitrary files.
Yuji Tounai of NTT Com Security(Japan)KK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000182 https://jvn.jp/en/jp/JVN34780384/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7773 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7773 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:bastian_allgeier:kirby 2015-11-24T18:03+09:00 2015-11-17T14:21+09:00 2015-11-24T18:03+09:00
Void vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000184.html
Void is an open source content management system (CMS). Void contains a cross-site scripting vulnerability (CWE-79).
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA under Information Security Early Warning Partnership.
JVNDB-2015-000184 https://jvn.jp/en/jp/JVN20649799/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7777 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7777 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:void_project:void 2015-11-24T18:02+09:00 2015-11-20T13:38+09:00 2015-11-24T18:02+09:00
ManageEngine Firewall Analyzer vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000185.html
ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a directory traversal vulnerability.
Mukai Akihito and Hasegawa Tomoshige reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000185 https://jvn.jp/en/jp/JVN21968837/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7780 https://nvd.nist.gov/vuln/detail/CVE-2015-7780 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:zohocorp:manageengine_firewall_analyzer 2018-01-24T12:05+09:00 2015-11-27T13:28+09:00 2018-01-24T12:05+09:00
ManageEngine Firewall Analyzer fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000186.html
ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a vulnerability where access permissions are not restricted.
Mukai Akihito and Hasegawa Tomoshige reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000186 https://jvn.jp/en/jp/JVN12991684/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7781 https://nvd.nist.gov/vuln/detail/CVE-2015-7781 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:zohocorp:manageengine_firewall_analyzer 2018-01-24T12:12+09:00 2015-11-27T13:29+09:00 2018-01-24T12:12+09:00
Apache Cordova vulnerable to improper application of whitelist restrictions
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000187.html
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms.
Android applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied.
Muneaki Nishimura of Sony Digital Network Applications, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000187 http://jvn.jp/en/jp/JVN18889193/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5256 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:apache:cordova 2015-11-27T13:29+09:00 2015-11-27T13:29+09:00 2015-11-27T13:29+09:00
Frame high-speed chat vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000188.html
Frame high-speed chat provided by Let's PHP! contains a cross-site scripting vulnerability (CWE-79).
JVNDB-2015-000188 http://jvn.jp/en/jp/JVN35845584/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7782 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7782 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:let%27s_php%21:frame_high-speed_chat 2016-01-07T15:34+09:00 2015-11-30T13:44+09:00 2016-01-07T15:34+09:00
p++BBS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000189.html
p++BBS provided by Let's PHP! contains a stored cross-site scripting vulnerability (CWE-79).
Koki Takahashi reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000189 http://jvn.jp/en/jp/JVN72891124/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7783 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7783 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:let%27s_php%21:pbbs 2016-01-07T16:17+09:00 2015-11-30T13:44+09:00 2016-01-07T16:17+09:00
EC-CUBE plugin BbAdminViewsControl vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000190.html
BbAdminViewsControl from BOKUBLOCK CO., LTD. is an EC-CUBE plugin. BbAdminViewsControl contains an SQL injection vulnerability (CWE-89).
Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000190 http://jvn.jp/en/jp/JVN55545372/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7784 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7784 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:bokublock:bbadminviewscontrol 2016-07-07T14:53+09:00 2015-12-03T14:26+09:00 2016-07-07T14:53+09:00
GANMA! App for iOS fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000191.html
GANMA! App for iOS provided by COMICSMART INC. fails to verify SSL server certificates.
Yuji Tounai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000191 http://jvn.jp/en/jp/JVN44541100/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7785 https://nvd.nist.gov/vuln/detail/CVE-2015-7785 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:comicsmart:ganma%21 2018-03-07T13:50+09:00 2015-12-07T14:21+09:00 2018-03-07T13:50+09:00
WL-330NUL information management vulnerability
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000192.html
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains an issue in information management.
TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000192 http://jvn.jp/en/jp/JVN69462495/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7787 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7787 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:misc:asus_japan_wl-330nul 2016-01-13T17:37+09:00 2015-12-09T14:38+09:00 2016-01-13T17:37+09:00
WL-330NUL vulnerable to remote command execution
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000193.html
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a remote command execution vulnerability.
TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000193 http://jvn.jp/en/jp/JVN34489380/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7788 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7788 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:misc:asus_japan_wl-330nul 2016-01-13T17:37+09:00 2015-12-09T14:41+09:00 2016-01-13T17:37+09:00
WL-330NUL vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000194.html
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a denial-of-service (DoS) vulnerability.
TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000194 http://jvn.jp/en/jp/JVN85359294/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7789 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7789 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:misc:asus_japan_wl-330nul 2016-01-13T17:37+09:00 2015-12-09T14:47+09:00 2016-01-13T17:37+09:00
WL-330NUL vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000195.html
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a stored cross-site scripting vulnerability.
TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000195 https://jvn.jp/jp/JVN89965717/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7790 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7790 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:misc:asus_japan_wl-330nul 2016-01-13T17:37+09:00 2015-12-09T14:51+09:00 2016-01-13T17:37+09:00
Web Analytics Service vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000196.html
The JavaScript module for using Web Analytics Service, which was provided by NTT DATA Smart Sourcing Corporation, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in the escaping process.
According to the developer, this script was distributed from 26 November, 2003 to 9 July, 2013.
JVNDB-2015-000196 http://jvn.jp/en/jp/JVN70083512/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7786 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7786 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:misc:ntt_data_smart_sourcing_access_kaiseki 2016-01-07T15:13+09:00 2015-12-08T14:29+09:00 2016-01-07T15:13+09:00
Zend Framework vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000197.html
Zend Framework is an open source web application framework. Zend Framework contains an SQL injection vulnerability (CWE-89) due to the argument of the ORDER BY clause.
Hiroshi Tokumaru of HASH Consulting Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000197 http://jvn.jp/en/jp/JVN71730320/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914 https://nvd.nist.gov/vuln/detail/CVE-2014-4914 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:zend:zend_framework 2018-04-11T11:32+09:00 2015-12-11T13:46+09:00 2018-04-11T11:32+09:00
WinRAR may insecurely load executable files
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000199.html
WinRAR contains a function where user specified files on the local disk can be executed. When this file does not have a file extension, a file of the same name with a file extension contained in the same folder may be executed by WinRAR instead of the user specified file.
WinRAR also contains a function where registry settings can be saved and registry settings can be recovered from files. If the folder displayed on screen contains an executable file, such as REGEDIT.BAT, when attempting to save or recover registry settings, REGEDIT.BAT is executed instead of the Windows registry editor (regedit.exe).
JVNDB-2015-000199 https://jvn.jp/en/jp/JVN64636058/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5663 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5663 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:rarlab:winrar 2016-01-07T15:36+09:00 2015-12-17T15:19+09:00 2016-01-07T15:36+09:00
Welcart vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000200.html
Welcart provided by Collne Inc. is a WordPress plugin. Welcart contains an SQL injection vulnerability (CWE-89) due to a flaw in the processing of the search[column] and switch parameters in admin.php.
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000200 https://jvn.jp/en/jp/JVN43344629/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7791 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7791 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:collne:welcart_plugin 2016-01-07T15:37+09:00 2015-12-17T15:19+09:00 2016-01-07T15:37+09:00
CG-WLBARGS does not properly perform authentication
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000201.html
CG-WLBARGS provided by Corega Inc is a wireless LAN router. CG-WLBARGS does not properly perform authentication.
Kousuke Kawahira of DWANGO Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000201 https://jvn.jp/en/jp/JVN51349622/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7792 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7792 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/h:corega:cg-wlbargs 2016-01-07T15:32+09:00 2015-12-25T14:33+09:00 2016-01-07T15:32+09:00
CG-WLBARAGM may behave as an open proxy
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000202.html
CG-WLBARAGM provided by Corega Inc is a wireless LAN router. CG-WLBARAGM contains an issue where it may behave as an open proxy.
Akihiro Nakajima of NTT Communications reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000202 https://jvn.jp/en/jp/JVN50775659/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7793 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7793 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/h:corega:cg-wlbaragm 2016-01-07T15:32+09:00 2015-12-25T14:45+09:00 2016-01-07T15:32+09:00
CG-WLNCM4G may behave as an open resolver
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000203.html
CG-WLNCM4G provided by Corega Inc is a network camera. CG-WLNCM4G contains an issue where it may behave as an open resolver.
SASABE Tetsuro of The University of Tokyo reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-000203 https://jvn.jp/en/jp/JVN51250073/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7794 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7794 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/h:corega:cg-wlncm4g 2016-01-07T15:32+09:00 2015-12-25T14:45+09:00 2016-01-07T15:32+09:00
BBS X102 vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000301.html
BBS X102 provided by guide-park.com is a bulletin board software. BBS X102 contains a cross-site scripting vulnerability.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on May 26, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate
JVNDB-2015-000301 https://jvn.jp/en/jp/JVN13684924/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2985 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2985 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:guide-park:bbs_x102 2015-09-09T14:02+09:00 2015-09-03T15:00+09:00 2015-09-09T14:02+09:00
hitSuji (rktSNS2) vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000302.html
hitSuji (rktSNS2) provided by rakuto.net is an open source SNS software. hitSuji (rktSNS2) contains a cross-site scripting vulnerability.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on May 26, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate
JVNDB-2015-000302 https://jvn.jp/en/jp/JVN24692261/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2986 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2986 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:rakuto:rktsns2 2015-09-09T14:02+09:00 2015-09-03T14:46+09:00 2015-09-09T14:02+09:00
Cross-site Scripting Vulnerability in Hitachi Command Suite Products
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001268.html
The online help of Hitachi Command Suite Products contains a cross-site scripting vulnerability.
JVNDB-2015-001268 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1565 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1565 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:compute_systems_manager cpe:/a:hitachi:device_manager cpe:/a:hitachi:global_link_manager cpe:/a:hitachi:replication_manager cpe:/a:hitachi:tiered_storage_manager 2015-03-03T16:59+09:00 2015-02-16T11:12+09:00 2015-03-03T16:59+09:00
Cross-site Scripting Vulnerability in Hitachi Application Server Help
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001269.html
Hitachi Application Server Help contains a cross-site scripting vulnerability.
JVNDB-2015-001269 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:hitachi_application_server 2015-03-03T16:59+09:00 2015-02-16T11:21+09:00 2015-03-03T16:59+09:00
Multiple Cross-site Scripting Vulnerabilities in Hitachi Compute Systems Manager
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001556.html
Multiple cross-site scripting vulnerabilities were found in Hitachi Compute Systems Manager.
JVNDB-2015-001556 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:compute_systems_manager 2015-02-27T15:55+09:00 2015-02-27T15:55+09:00 2015-02-27T15:55+09:00
Cross-site Scripting Vulnerability in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001557.html
A cross-site scripting vulnerability was found in the online help of JP1/IT Desktop Management - Manager and Hitachi IT Operations Director.
JVNDB-2015-001557 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:it_operations_director cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-manager cpe:/a:hitachi:jp1%2Fit_desktop_management-manager cpe:/a:hitachi:jp1_it_desktop_management 2015-02-27T15:56+09:00 2015-02-27T15:56+09:00 2015-02-27T15:56+09:00
Cross-site Scripting Vulnerability in Hitachi IT Operations Analyzer
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001558.html
A cross-site scripting vulnerability was found in the online help of Hitachi IT Operations Analyzer.
JVNDB-2015-001558 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:it_operations_analyzer 2015-02-27T15:57+09:00 2015-02-27T15:57+09:00 2015-02-27T15:57+09:00
JBoss RichFaces vulnerable to remote Java code execution
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html
JBoss RichFaces contains a remote Java code execution vulnerability.
JBoss RichFaces is an Ajax-enabled component library for JavaServer Faces (JSF). JBoss RichFaces contains a flaw in parsing the do parameter, which may result in arbitrary Java code execution.
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-001959 http://jvn.jp/en/jp/JVN56297719/index.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0279 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0279 http://www.ipa.go.jp/security/ciadr/vul/20150414-jvn.html https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:redhat:richfaces 2015-04-14T13:24+09:00 2015-04-14T13:24+09:00 2015-04-14T13:24+09:00
Problem with directory permissions in JP1/Automatic Operation
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-002705.html
There is a permissions problem on the file transfer directory in JP1/Automatic Operation.
JVNDB-2015-002705 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:jp1_automatic_operation 2015-05-21T16:36+09:00 2015-05-21T16:36+09:00 2015-05-21T16:36+09:00
Information Disclosure Vulnerability in JP1/Integrated Management - Universal CMDB
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-002706.html
An information disclosure vulnerability was found in JP1/Integrated Management - Universal CMDB.
JVNDB-2015-002706 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:jp1_integrated_management 2015-05-21T16:37+09:00 2015-05-21T16:37+09:00 2015-05-21T16:37+09:00
Adobe Flash Player issue where iframe contents may be overwritten
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-005234.html
Adobe Flash Player contains an issue where the same-origin policy may be bypassed leading to iframe contents being overwritten.
Tokuji Akamine reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-005234 https://jvn.jp/en/jp/JVN22533124/index.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7628 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7628 http://www.ipa.go.jp/security/ciadr/vul/20151014-adobeflashplayer.html https://www.jpcert.or.jp/english/at/2015/at150036.html https://www.npa.go.jp/cyberpolice/topics/?seq=17024 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:adobe:adobe_air cpe:/a:adobe:adobe_air_sdk cpe:/a:adobe:adobe_air_sdk_and_compiler cpe:/a:adobe:flash_player cpe:/a:google:chrome cpe:/a:microsoft:edge cpe:/a:microsoft:internet_explorer 2015-12-17T15:19+09:00 2015-12-17T15:19+09:00 2015-12-17T15:19+09:00
ArcSight Management Center and ArcSight Logger vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-005909.html
ArcSight Management Center and ArcSight Logger from Hewlett-Packard Development Company L.P. contain a stored cross-site scripting vulnerability (CWE-79).
Mukai Akihito reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2015-005909 https://jvn.jp/en/jp/JVN51046809/index.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5441 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5441 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hp:archsight_management_center cpe:/a:hp:arcsight_logger 2015-11-20T13:31+09:00 2015-11-20T13:31+09:00 2015-11-20T13:31+09:00
XML External Entity (XXE) Vulnerability in Hitachi Command Suite
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-006054.html
An XML External Entity (XXE) vulnerability exists in Hitachi Command Suite.
JVNDB-2015-006054 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:automation_director cpe:/a:hitachi:compute_systems_manager cpe:/a:hitachi:device_manager 2015-12-22T17:43+09:00 2015-12-01T15:59+09:00 2015-12-22T17:43+09:00
Multiple Cross-site Scripting Vulnerabilities in EUR
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-006129.html
Multiple cross-site scripting vulnerabilities were found in EUR.
JVNDB-2015-006129 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:eur_developer cpe:/a:hitachi:eur_server_enterprise cpe:/a:hitachi:ucosminexus_eur_developer cpe:/a:hitachi:ucosminexus_eur_print_manager cpe:/a:hitachi:ucosminexus_eur_server_enterprise 2015-12-28T13:54+09:00 2015-12-17T16:18+09:00 2015-12-28T13:54+09:00
Vulnerability in JP1/Automatic Job Management System 3
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-006130.html
A vulnerability to denial-of-service attacks was found in JP1/Automatic Job Management System 3.
JVNDB-2015-006130 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:jp1_automatic_job_management_system_3 2016-09-14T18:18+09:00 2015-12-17T16:19+09:00 2016-09-14T18:18+09:00
Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration
https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-006527.html
A cross-site scripting vulnerability was found in uCosminexus Portal Framework and Groupmax Collaboration.
JVNDB-2015-006527 https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html cpe:/a:hitachi:groupmax_collaboration_portal cpe:/a:hitachi:groupmax_collaboration_web_client cpe:/a:hitachi:groupmax_collaboration_web_client_mail_schedule cpe:/a:hitachi:ucosminexus_collaboration_portal cpe:/a:hitachi:ucosminexus_portal_framework 2016-02-10T14:36+09:00 2015-12-28T13:51+09:00 2016-02-10T14:36+09:00