JVNDB-2015-000001
Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Remote Service Manager provided by Cybozu, Inc. is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability. Note that this vulnerability was caused by an incomplete fix of JVN#10319260. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Remote Service Manager
cpe:/a:cybozu:remote_service_manager
2.3.0 and earlier
3.1.2 and earlier
High
7.1
AV:N/AC:M/Au:N/C:N/I:N/A:C
An attacker may cause a denial-of-service (DoS) condition for a server that is running Remote Service Manager. As a result, "Cybozu Remote Service" may be disrupted.
For Remote Service Manager 3.1.2: [Change the settings] Change the settings file (server.xml), according to the instructions provided by the developer. For Remote Service Manager 3.1.1 and earlier: [Update the software and change the settings] Apply the update and change the settings file (server.xml), according to the instructions provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2015/001245.html
Common Vulnerabilities and Exposures (CVE)
CVE-2014-7266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7266
JVN
JVN#13566542
https://jvn.jp/en/jp/JVN13566542/index.html
JVN
JVN#10319260
https://jvn.jp/en/jp/JVN10319260/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/30]
Web page was published
2015-01-30T14:19:32+09:00
2015-01-30T14:19:32+09:00
2015-01-30T00:00:00+09:00
JVNDB-2015-000006
SYNCK GRAPHICA Download Log CGI vulnerable to directory traversal
Download Log CGI provided by SYNCK GRAPHICA contains an issue in processing file names, which may result in a directory traversal vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SYNCK GRAPHICA
Download Log CGI
cpe:/a:synck_graphica:download_log_cgi
3.2.1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A remote attacker may obtain arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
SYNCK GRAPHICA
Download Log CGI vulnerable to directory traversal (2)
http://www.synck.com/blogs/news/weblog_1422532152.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0867
JVN
JVN#88559134
http://jvn.jp/en/jp/JVN88559134/index.html
National Vulnerability Database (NVD)
CVE-2015-0867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0867
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/19]
Web page was published
[2015/01/27]
References : Content was added
[2015/02/13]
Affected Products : Product version was modified
Vendor Information : Content was modified
2015-01-19T13:54:59+09:00
2015-02-13T15:09:11+09:00
2015-01-19T00:00:00+09:00
JVNDB-2015-000007
Arbitrary files may be overwritten in multiple VMware products
Multiple products provided by VMware Inc. contain a vulnerability where arbitrary files on the host OS may be overwritten. Shanon Olsson reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
VMware
VMware ESXi
cpe:/o:vmware:esxi
5.0 without patch ESXi500-201405101-SG
5.1 without patch ESXi510-201404101-SG
5.5 without patch ESXi550-201403102-SG
VMware
VMware Fusion
cpe:/a:vmware:fusion
versions prior to 6.0.5
VMware
VMware Player
cpe:/a:vmware:player
versions prior to 6.0.5
VMware
VMware Workstation
cpe:/a:vmware:workstation
versions prior to 10.0.5
Medium
6
AV:N/AC:M/Au:S/C:P/I:P/A:P
A user that can modify the configuration file for the virtual machine may overwrite arbitrary files on the host OS. As a result, privileges may be escalated in the host OS.
[Update the software] Apply the appropriate update according to the information provided by the developer.
VMware
VMSA-2015-0001 - VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
http://www.vmware.com/security/advisories/VMSA-2015-0001.html
Common Vulnerabilities and Exposures (CVE)
CVE-2014-8370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8370
JVN
JVN#88252465
http://jvn.jp/en/jp/JVN88252465/index.html
National Vulnerability Database (NVD)
CVE-2014-8370
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8370
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/29]
Web page was published
[2015/02/16]
References : Content was added
2015-01-29T13:52:00+09:00
2015-02-16T15:34:11+09:00
2015-01-29T00:00:00+09:00
JVNDB-2015-000008
shiromuku(bu2)BBS vulnerable to arbitrary file creation
shiromuku(bu2)BBS from Perl CGI's By Mrs. Shiromuku is bulletin board software. shiromuku(bu2)BBS contains a vulnerability that may allow a remote attacker to create arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Perl CGI's By Mrs.Shiromuku
shiromuku(bu2)BBS
cpe:/a:shiromuku:bu2_bbs
version 2.90 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
A remote attacker creating arbitrary files may result in arbitrary code execution on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Perl CGI's By Mrs.Shiromuku
shiromuku(bu2)BBS version up
http://www.t-okada.com/cgi-bin/sb2_data/sb2_data_news.cgi?action=data_list&cat=16#495
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0868
JVN
JVN#94502417
http://jvn.jp/en/jp/JVN94502417/index.html
National Vulnerability Database (NVD)
CVE-2015-0868
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0868
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/23]
Web page was published
[2015/02/13]
References : Content was added
2015-01-23T14:22:02+09:00
2015-02-13T09:51:50+09:00
2015-01-23T00:00:00+09:00
JVNDB-2015-000009
NP-BBRM vulnerable in UPnP functionality
NP-BBRM provided by I-O DATA DEVICE, INC. is a LAN router. NP-BBRM contains a vulnerability in the UPnP functionality.
I-O DATA DEVICE, INC.
NP-BBRM
cpe:/h:i-o_data_device:np-bbrm
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
The device may be used in a DDoS attack as an SSDP reflector.
[Disable UPnP] Disable UPnP functionality from the management configuration in the settings screen.
Security Information
Notice about the security vulnerability in NP-BBRM router
http://www.iodata.jp/support/information/2015/np-bbrm/
@Police
Alert regarding SSDP reflection attacks abusing UPnP-enabled network devices (PDF)
//www.npa.go.jp/cyberpolice/detect/pdf/20141017.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0869
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0869
JVN
JVN#27142693
http://jvn.jp/en/jp/JVN27142693/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/26]
Web page was published
[2015/08/18]
CVSS Severity was modified
2015-01-26T13:42:40+09:00
2015-08-18T14:36:00+09:00
2015-01-26T00:00:00+09:00
JVNDB-2015-000010
Fumy News Clipper vulnerable to cross-site scripting
Fumy News Clipper provided by Nishishi Factory contains a cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Nishishi Factory
Fumy News Clipper
cpe:/a:nishishi:fumy_news_clipper
Ver 2.4.0 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
Nishishi Factory
Nishishi Factory announcement page
http://www.nishishi.com/cgi/newsclip/20150130.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0870
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0870
JVN
JVN#33735535
http://jvn.jp/en/jp/JVN33735535/index.html
National Vulnerability Database (NVD)
CVE-2015-0870
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0870
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/30]
Web page was published
[2015/02/16]
References : Content was added
2015-01-30T13:52:52+09:00
2015-02-16T15:55:14+09:00
2015-01-30T00:00:00+09:00
JVNDB-2015-000011
Multiple ASUS wireless LAN routers vulnerable to OS command injection
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain an OS command injection vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
RT-AC56S
cpe:/h:misc:asus_japan_rt-ac56s
Firmware versions prior to 3.0.0.4.378.6065
ASUS JAPAN Inc.
RT-AC68U
cpe:/h:misc:asus_japan_rt-ac68u
Firmware versions prior to 3.0.0.4.378.6152
ASUS JAPAN Inc.
RT-AC87U
cpe:/h:misc:asus_japan_rt-ac87u
Firmware versions prior to 3.0.0.4.378.6065
ASUS JAPAN Inc.
RT-N56U
cpe:/h:misc:asus_japan_rt-n56u
Firmware versions prior to 3.0.0.4.378.6065
ASUS JAPAN Inc.
RT-N66U
cpe:/h:misc:asus_japan_rt-n66u
Firmware versions prior to 3.0.0.4.378.6065
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
An arbitrary OS command may be executed by an authenticated attacker. In addition, when this vulnerability is exploited along with the vulnerability stated in JVN#32631078, an arbitrary OS command may be executed if a logged in user views a malicious page.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
ASUS JAPAN Inc.
Firmware for wireless LAN routers that addresses cross-site request forgery and OS command injection vulnerabilities is available
http://www.asus.com/jp/News/PNzPd7vkXtrKWXHR
Common Vulnerabilities and Exposures (CVE)
CVE-2014-7269
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7269
JVN
JVN#77792759
http://jvn.jp/en/jp/JVN77792759/index.html
National Vulnerability Database (NVD)
CVE-2014-7269
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7269
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/27]
Web page was published
[2015/01/29]
Impact was modified
[2015/02/16]
References : Content was added
[2015/06/17]
Affected Products : Product versions were modified
2015-01-27T14:23:12+09:00
2015-06-17T16:42:12+09:00
2015-01-27T00:00:00+09:00
JVNDB-2015-000012
Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability. Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
RT-AC56S
cpe:/h:misc:asus_japan_rt-ac56s
Firmware versions prior to 3.0.0.4.378.6065
ASUS JAPAN Inc.
RT-AC68U
cpe:/h:misc:asus_japan_rt-ac68u
Firmware versions prior to 3.0.0.4.378.6152
ASUS JAPAN Inc.
RT-AC87U
cpe:/h:misc:asus_japan_rt-ac87u
Firmware versions prior to 3.0.0.4.378.6065
ASUS JAPAN Inc.
RT-N56U
cpe:/h:misc:asus_japan_rt-n56u
Firmware versions prior to 3.0.0.4.378.6065
ASUS JAPAN Inc.
RT-N66U
cpe:/h:misc:asus_japan_rt-n66u
Firmware versions prior to 3.0.0.4.378.6065
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged in, unintended operations may be conducted. In addition, when this vulnerability is exploited along with the vulnerability stated in JVN#77792759, an arbitrary OS command may be executed.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
ASUS JAPAN Inc.
Firmware for wireless LAN routers that addresses cross-site request forgery and OS command injection vulnerabilities is available
http://www.asus.com/jp/News/PNzPd7vkXtrKWXHR
Common Vulnerabilities and Exposures (CVE)
CVE-2014-7270
//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7270
JVN
JVN#32631078
http://jvn.jp/en/jp/JVN32631078/index.html
National Vulnerability Database (NVD)
CVE-2014-7270
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7270
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/01/27]
Web page was published
[2015/01/29]
Impact was modified
[2015/02/16]
References : Content was added
[2015/06/17]
Affected Products : Product versions were modified
2015-01-27T14:24:02+09:00
2015-06-17T16:42:59+09:00
2015-01-27T00:00:00+09:00
JVNDB-2015-000013
shiromuku(u1)GUESTBOOK vulnerable to cross-site scripting
shiromuku(u1)GUESTBOOK from Perl CGI's By Mrs. Shiromuku is bulletin board software. shiromuku(u1)GUESTBOOK contains a cross-site scripting vulnerability. Koki Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Perl CGI's By Mrs.Shiromuku
shiromuku(u1)GUESTBOOK
cpe:/a:shiromuku:guestbook
version 1.62 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Perl CGI's By Mrs.Shiromuku
Perl CGI's By Mrs. Shiromuku website
http://www.t-okada.com/cgi/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0871
JVN
JVN#17480391
http://jvn.jp/en/jp/JVN17480391/index.html
National Vulnerability Database (NVD)
CVE-2015-0871
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0871
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/13]
Web page was published
2015-02-13T13:58:02+09:00
2015-02-13T13:58:02+09:00
2015-02-13T00:00:00+09:00
JVNDB-2015-000014
PerlTreeBBS vulnerable to cross-site scripting
PerlTreeBBS from Homepage Decorator is tree-structured bulletin board software. PerlTreeBBS contains a persistent cross-site scripting vulnerability (CWE-79). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Homepage Decorator
PerlTreeBBS
cpe:/a:homepage_decorator:perltreebbs
2.30 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Homepage Decorator
CGI scripts - PerlTreeBBS
http://www.din.or.jp/~hideyuki/home/cgi/treebbs.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0873
JVN
JVN#96155055
http://jvn.jp/en/jp/JVN96155055/index.html
National Vulnerability Database (NVD)
CVE-2015-0873
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0873
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/13]
Web page was published
2015-02-13T13:58:51+09:00
2015-02-13T13:58:51+09:00
2015-02-13T00:00:00+09:00
JVNDB-2015-000015
Smartphone Passbook fails to verify SSL server certificates
Smartphone Passbook provided by Ogaki Kyoritsu bank Ltd. fails to verify SSL server certificates. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ogaki Kyoritsu bank Ltd.
Smartphone Passbook
cpe:/a:ogaki_kyoritsu_bank:ogaki_kyoritsu_bank_sumaho_passbook
Ver.1.0.0
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
App Store
Smartphone Passbook - App Store
https://itunes.apple.com/jp/app/sumaho-tong-zhang/id657294398
Google Play
Smartphone Passbook - Android Apps on Google Play
https://play.google.com/store/apps/details?id=jp.co.okb.spp
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0874
JVN
JVN#14522790
http://jvn.jp/en/jp/JVN14522790/index.html
National Vulnerability Database (NVD)
CVE-2015-0874
https://nvd.nist.gov/vuln/detail/CVE-2015-0874
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/13]
Web page was published
[2015/05/21]
Vendor Information : Content was modified
1
2018-03-07T11:08:22+09:00
[2018/03/07]
References : Content was added
2015-02-13T14:32:36+09:00
2018-03-07T13:50:01+09:00
2015-02-13T00:00:00+09:00
JVNDB-2015-000016
Smartphone Passbook for Android information management vulnerability
Smartphone Passbook for Android contains an issue where user inputs are output into a log file. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ogaki Kyoritsu bank Ltd.
Smartphone Passbook for Android
cpe:/a:ogaki_kyoritsu_bank:smartphone_passbook
Ver.1.0.0
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Other Android applications with permission to read system log files may obtain information entered by a user.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
Smartphone Passbook - Android Apps on Google Play
https://play.google.com/store/apps/details?id=jp.co.okb.spp
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0875
JVN
JVN#48659722
http://jvn.jp/en/jp/JVN48659722/index.html
National Vulnerability Database (NVD)
CVE-2015-0875
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0875
JVNDB
CWE-255
Credentials Management
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/13]
Web page was published
[2015/02/18]
References : Content was added
[2015/05/21]
Vendor Information : Content was modified
2015-02-13T14:33:18+09:00
2015-05-21T10:05:54+09:00
2015-02-13T00:00:00+09:00
JVNDB-2015-000017
Saurus CMS Community Edition vulnerable to cross-site scripting
Saurus CMS Community Edition is open source software to manage and build websites. Saurus CMS Community Edition contains multiple cross-site scripting vulnerabilities. Yuji Tounai of NTT Com Security reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Saurused Ltd.
Saurus CMS Community Edition
cpe:/a:saurus:saurus_cms_community_edition
Versions prior to 4.7 @ 04.02.2015
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Apply the appropriate update according to the information provided by the developer.
GitHub
Fix stored and reflected XSS vulnerabilities [1bc2728]
https://github.com/sauruscms/Saurus-CMS-Community-Edition/commit/1bc272874a86eaab99dccd00b29177423fd83877
GitHub
Update SWFUpload to more secure version [a583106]
https://github.com/sauruscms/Saurus-CMS-Community-Edition/commit/a583106b10f4083dce7ccdd7db1bfe0db12d2d1f
GitHub
Remove outdated Flowplayer library and plugin [cea4417]
https://github.com/sauruscms/Saurus-CMS-Community-Edition/commit/cea44175b07d2e69acaddd37b73407b215eba465
Saurused Ltd
Download Saurus CMS
http://www.saurus.info/downloads/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0876
JVN
JVN#18387086
http://jvn.jp/en/jp/JVN18387086/index.html
National Vulnerability Database (NVD)
CVE-2015-0876
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0876
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/17]
Web page was published
[2015/04/08]
References : Content was added
2015-02-17T14:20:21+09:00
2015-04-08T15:20:13+09:00
2015-02-17T00:00:00+09:00
JVNDB-2015-000018
C-BOARD Moyuku vulnerable to arbitrary file creation
C-BOARD Moyuku is bulletin board software. C-BOARD Moyuku contains a vulnerability that may allow a remote attacker to create arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
C-BOARD Moyuku Project
C-BOARD Moyuku
cpe:/a:c-board_moyuku_project:c-board_moyuku
v1.03b2 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
A remote attacker creating arbitrary files may result in arbitrary code execution on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
C-BOARD Moyuku Project
C-BOARD Moyuku Project website
http://sourceforge.jp/projects/cb-moyuku
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0877
JVN
JVN#73261710
http://jvn.jp/en/jp/JVN73261710/index.html
National Vulnerability Database (NVD)
CVE-2015-0877
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0877
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/17]
Web page was published
[2015/04/07]
References : Content was added
2015-02-17T14:21:41+09:00
2015-04-07T17:57:55+09:00
2015-02-17T00:00:00+09:00
JVNDB-2015-000019
Squid input validation vulnerability
Squid is a caching proxy server. Squid contains an input validation vulnerability: server responses that contain invalid values in the HTTP Content-Length header are passed on to the client. Kazuho Oku reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Squid-cache.org
Squid
cpe:/a:squid-cache:squid
versions prior to 3.1.1-STABLE
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
If an HTTP response with a specially crafted header is processed, it may result in an HTTP response splitting attack.
[Apply an Update] Apply the appropriate update for the version of the software being used.
Squid
Squid Versions - Getting Squid
http://www.squid-cache.org/Versions/
Squid
Squid 3.1.0.10 changes (Fri 2009-07-03 13:01:45 +1200)
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_0_10.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0881
JVN
JVN#64455813
http://jvn.jp/en/jp/JVN64455813/index.html
National Vulnerability Database (NVD)
CVE-2015-0881
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0881
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/20]
Web page was published
[2015/02/24]
References : Content was added
[2015/03/06]
Title was modified
Overview was modified
Affected Products : Product version was modified
Solution was modified
Vendor Information : Content was added
2015-02-20T14:55:11+09:00
2015-03-06T14:57:28+09:00
2015-02-20T00:00:00+09:00
JVNDB-2015-000020
AL-Mail32 vulnerable to directory traversal
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a directory traversal vulnerability due to a flaw in processing attachments. Yosuka HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CREAR Corporation
AL-Mail32
cpe:/a:almail:al-mail32
Version 1.13c and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Processing an attachment with a specially crafted file name may result in creation of an arbitrary file or an overwrite of an existing file.
[Update the Software] Update to the latest version according to the information provided by the developer.
CREAR Corporation
Information from CREAR Corporation
http://www.almail.com/vulnerability.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0878
JVN
JVN#77294617
http://jvn.jp/en/jp/JVN77294617/index.html
National Vulnerability Database (NVD)
CVE-2015-0878
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0878
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/20]
Web page was published
[2015/02/24]
References : Content was added
2015-02-20T14:37:21+09:00
2015-02-24T16:38:13+09:00
2015-02-20T00:00:00+09:00
JVNDB-2015-000021
AL-Mail32 vulnerable to denial-of-service (DoS)
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a denial-of-service (DoS) vulnerability due to a flaw in processing attachments. Yosuka HASEGAWA of NetAgent Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. During the coordination process, IPA and JPCERT/CC determined that this case was not a vulnerability under the "Information Security Early Warning Partnership". However, this JVN advisory has been published coinciding with the vendor advisory.
CREAR Corporation
AL-Mail32
cpe:/a:almail:al-mail32
Version 1.13c and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P
Processing an attachment with a specially crafted file name may cause the software to become unresponsive.
[Update the Software] Update to the latest version according to the information provided by the developer.
CREAR Corporation
Information from CREAR Corporation
http://www.almail.com/vulnerability.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0879
JVN
JVN#55365709
http://jvn.jp/en/jp/JVN55365709/index.html
National Vulnerability Database (NVD)
CVE-2015-0879
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0879
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/20]
Web page was published
[2015/02/24]
References : Content was added
2015-02-20T14:54:13+09:00
2015-02-24T16:37:12+09:00
2015-02-20T00:00:00+09:00
JVNDB-2015-000022
AL-Mail32 vulnerable to buffer overflow
AL-Mail32 provided by CREAR Corporation is an email client for Windows. AL-Mail32 contains a buffer overflow vulnerability due to a flaw in processing attachments.
CREAR Corporation
AL-Mail32
cpe:/a:almail:al-mail32
Version 1.13c and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
When an attachment with a specially crafted file name is processed, arbitrary code may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
CREAR Corporation
Information from CREAR Corporation
http://www.almail.com/vulnerability.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0880
JVN
JVN#93318392
http://jvn.jp/en/jp/JVN93318392/index.html
National Vulnerability Database (NVD)
CVE-2015-0880
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0880
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/20]
Web page was published
[2015/02/24]
References : Content was added
2015-02-20T14:55:57+09:00
2015-02-24T16:36:22+09:00
2015-02-20T00:00:00+09:00
JVNDB-2015-000023
Speed Software Root Explorer and Explorer vulnerable to directory traversal
Root Explorer and Explorer provided by Speed Software contain an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Speed Software
Explorer
cpe:/a:speed_software:explorer
versions prior to 2.2
Speed Software
Root Explorer
cpe:/a:speed_software:root_explorer
versions prior to 3.2
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the applications have privileges to access.
[Update the Software] Apply the latest update for each application according to the information provided by the developer.
Google Play
Explorer - Android Apps on Google Play
https://play.google.com/store/apps/details?id=com.speedsoftware.explorer&hl=en
Google Play
Root Explorer - Android Apps on Google Play
https://play.google.com/store/apps/details?id=com.speedsoftware.rootexplorer&hl=en
Common Vulnerabilities and Exposures (CVE)
CVE-2014-9282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9282
JVN
JVN#42768331
http://jvn.jp/en/jp/JVN42768331/index.html
National Vulnerability Database (NVD)
CVE-2014-9282
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9282
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/24]
Web page was published
[2015/02/26]
References : Content was added
2015-02-24T14:35:25+09:00
2015-02-26T17:18:48+09:00
2015-02-24T00:00:00+09:00
JVNDB-2015-000024
Joyful Note vulnerability in handling files
Joyful Note from KENT-WEB is bulletin board software that allows users to upload binary files such as image files. Joyful Note contains a vulnerability in handling files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KENT-WEB
Joyful Note
cpe:/a:kent-web:joyful_note
Ver 5.21 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
A remote attacker may create arbitrary files or delete existing files on the server. As a result, arbitrary code may be executed.
[Apply an update] Update to the latest version according to the information provided by the developer.
WebCreate Ltd
Joyful Note
http://www.kent-web.com/bbs/joyful.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0889
JVN
JVN#88862608
http://jvn.jp/en/jp/JVN88862608/index.html
National Vulnerability Database (NVD)
CVE-2015-0889
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0889
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
Web page was published
[2015/03/03]
References : Content was added
2015-02-27T13:57:41+09:00
2015-03-03T15:59:53+09:00
2015-02-27T00:00:00+09:00
JVNDB-2015-000026
SYNCK GRAPHICA Mailform Pro CGI vulnerable to remote code execution
Mailform Pro CGI provided by SYNCK GRAPHICA contains a flaw in the process of sending emails, which may result in an arbitrary code execution. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SYNCK GRAPHICA
Mailform Pro CGI
cpe:/a:synck_graphica:mailform_pro_cgi
4.1.4 to 4.1.5
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Arbitrary code may be executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer. [Apply a workaround] The following workaround may mitigate the effects of this vulnerability. * Disable the MailAuth module
SYNCK GRAPHICA
Information from SYNCK GRAPHICA
http://www.synck.com/blogs/news/weblog_1424791052.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0883
JVN
JVN#30135729
http://jvn.jp/en/jp/JVN30135729/index.html
National Vulnerability Database (NVD)
CVE-2015-0883
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0883
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/25]
 Web page was published
[2015/03/02]
 References : Content was added
2015-02-25T15:00:06+09:00
2015-03-02T14:23:41+09:00
2015-02-25T00:00:00+09:00
JVNDB-2015-000027
Zen Cart Japanese version vulnerable to cross-site scripting
Zen Cart is an open source system for creating shopping websites. Zen Cart Japanese version contains a cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zen Cart
Zen Cart
cpe:/a:zen-cart:zen_cart
v1.3.0.2 jp8 and earlier
v1.5.1 ja and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the web browser of a user who is logged on as an administrator.
For Zen Cart v1.5 ja variants: [Update the software] Update to the latest version according to the information provided by the developer. For Zen Cart v1.3 jp variants: [Apply the patch] Apply the appropriate patch according to the information provided by the developer.
GitHub
zencart-ja/zc-v1-series (022949b)
https://github.com/zencart-ja/zc-v1-series/commit/022949bd09444d7e58703cc537dbbd5744c381b8
Zen Cart
Zen Cart.JP website
http://zen-cart.jp/bbs/viewtopic.php?f=1&t=6181
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0882
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0882
JVN
JVN#44544694
http://jvn.jp/en/jp/JVN44544694/index.html
National Vulnerability Database (NVD)
CVE-2015-0882
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0882
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/25]
 Web page was published
[2015/03/02]
 Vendor Information : Content was added
 References : Content was added
2015-02-25T15:09:43+09:00
2015-03-02T14:19:13+09:00
2015-02-25T00:00:00+09:00
JVNDB-2015-000028
KENT-WEB Clip Board vulnerability where arbitrary files may be deleted
Clip Board provided by KENT-WEB is a bulletin board software that allows users to upload binary files such as image files. KENT-WEB Clip Board contains a vulnerability that may allow a remote attacker to delete arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KENT-WEB
Clip Board
cpe:/a:kent-web:clip_board
Ver 4.02 and earlier
Medium
6.4
AV:N/AC:L/Au:N/C:N/I:P/A:P
A remote attacker may delete arbitrary files on the server.
[Apply an update] Update to the latest version according to the information provided by the developer.
WebCreate Ltd
Clip Board
http://www.kent-web.com/bbs/clipbbs.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0888
JVN
JVN#62298871
http://jvn.jp/en/jp/JVN62298871/index.html
National Vulnerability Database (NVD)
CVE-2015-0888
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0888
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
 Web page was published
[2015/03/03]
 References : Content was added
2015-02-27T14:02:40+09:00
2015-03-03T15:59:13+09:00
2015-02-27T00:00:00+09:00
JVNDB-2015-000029
BestWebSoft Captcha plugin vulnerable to CAPTCHA authentication bypass
Captcha provided by BestWebSoft is a plugin for WordPress. Captcha contains a CAPTCHA authentication bypass vulnerability (CWE-254).
BestWebSoft
Captcha
cpe:/a:bestwebsoft:captcha
V4.0.6 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
If this vulnerability is exploited, an attacker may be able to successfully login to WordPress and access an administrative interface without authentication.
[Update the Software] Update to the latest version according to the information provided by the developer.
BestWebSoft
Captcha Changelog
https://wordpress.org/plugins/captcha/changelog/
Common Vulnerabilities and Exposures (CVE)
CVE-2014-9283
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9283
JVN
JVN#93727681
http://jvn.jp/en/jp/JVN93727681/index.html
National Vulnerability Database (NVD)
CVE-2014-9283
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9283
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/03]
 Web page was published
[2015/03/04]
 References : Content was added
2015-03-03T13:38:12+09:00
2015-03-04T15:22:23+09:00
2015-03-03T00:00:00+09:00
JVNDB-2015-000030
Google Captcha (reCAPTCHA) by BestWebSoft vulnerable to CAPTCHA authentication bypass
Google Captcha (reCAPTCHA) by BestWebSoft is a plugin for WordPress. Google Captcha (reCAPTCHA) by BestWebSoft contains a CAPTCHA authentication bypass vulnerability (CWE-254).
BestWebSoft
Google Captcha (reCAPTCHA) by BestWebSoft
cpe:/a:bestwebsoft:google_captcha
V1.12 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
If this vulnerability is exploited, an attacker may be able to successfully login to WordPress and access an administrative interface without authentication.
[Update the Software] Update to the latest version according to the information provided by the developer.
BestWebSoft
Google Captcha (reCAPTCHA) by BestWebSoft Changelog
https://wordpress.org/plugins/google-captcha/changelog/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0890
JVN
JVN#55063777
http://jvn.jp/en/jp/JVN55063777/index.html
National Vulnerability Database (NVD)
CVE-2015-0890
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0890
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/03]
 Web page was published
[2015/03/04]
 References : Content was added
2015-03-03T13:39:27+09:00
2015-03-04T15:23:23+09:00
2015-03-03T00:00:00+09:00
JVNDB-2015-000031
SEIL Series routers vulnerable to denial-of-service (DoS)
The PPP Access Concentrator (PPPAC) in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing SSTP packets.
Internet Initiative Japan Inc.
SEIL/B1
cpe:/h:iij:seil%2Fb1
3.50 to 4.70
Internet Initiative Japan Inc.
SEIL/X1
cpe:/h:iij:seil%2Fx1
3.50 to 4.70
Internet Initiative Japan Inc.
SEIL/X2
cpe:/h:iij:seil%2Fx2
3.50 to 4.70
Internet Initiative Japan Inc.
SEIL/x86 Fuji
cpe:/h:iij:seil_x86_fuji
1.00 to 3.30
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P
Receiving a specially crafted SSTP packet may result in the device becoming unresponsive.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
IIJ
Internet Initiative Japan Inc. website
http://www.seil.jp/support/security/a01541.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0887
JVN
JVN#63949115
http://jvn.jp/en/jp/JVN63949115/index.html
National Vulnerability Database (NVD)
CVE-2015-0887
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0887
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
 Web page was published
[2015/03/05]
 References : Content was added
2015-02-27T15:39:56+09:00
2015-03-05T15:42:56+09:00
2015-02-27T00:00:00+09:00
JVNDB-2015-000032
checkpw vulnerable to denial-of-service (DoS)
checkpw is a password authentication program. checkpw contains a denial-of-service (DoS) vulnerability due to a flaw in processing account names (CWE-400). Hiroya Ito of GMO Pepabo, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
OHIRA, Shinya
checkpw
cpe:/a:checkpw_project:checkpw
-1.02 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
A remote attacker may be able to cause a denial-of-service (DoS).
[Update the Software] Update to the latest version according to the information provided by the developer.
checkpw
OHIRA, Shinya website
http://checkpw.sourceforge.net/checkpw/changes.txt
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0885
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0885
JVN
JVN#34790526
http://jvn.jp/en/jp/JVN34790526/index.html
National Vulnerability Database (NVD)
CVE-2015-0885
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0885
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
 Web page was published
[2015/03/03]
 References : Content was added
2015-02-27T12:30:18+09:00
2015-03-03T15:57:46+09:00
2015-02-27T00:00:00+09:00
JVNDB-2015-000033
Vulnerability in the jBCrypt key stretching process
jBCrypt is a Java implementation to compute password hashes. jBCrypt contains an integer overflow vulnerability in the key stretching process. An integer overflow occurs when the parameter for the repetition count is set to the maximum value allowed, 31. Norito AGETSUMA reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
mindrot.org
jBCrypt
cpe:/a:mindrot:jbcrypt
-0.3 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
When the hash value for a password is obtained by a remote attacker, a brute force attack may be used to easily recover the password.
[Update the Software] Update to the latest version according to the information provided by the developer.
jBCrypt
jBCrypt-0.4
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0886
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
JVN
JVN#77718330
http://jvn.jp/en/jp/JVN77718330/index.html
National Vulnerability Database (NVD)
CVE-2015-0886
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0886
Related document
OpenSSH: Bugs ([Bug 2097] if gensalt's log_rounds parameter is set to 31 it does 0 (ZERO) rounds!)
https://bugzilla.mindrot.org/show_bug.cgi?id=2097
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
 Web page was published
[2015/03/03]
 References : Content was added
2015-02-27T14:03:14+09:00
2015-03-03T15:58:31+09:00
2015-02-27T00:00:00+09:00
JVNDB-2015-000034
Maroyaka Simple Board vulnerable to cross-site scripting
Maroyaka Simple Board provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Simple Board contains a persistent cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. The developer originally stated there were no plans to further maintain the product at the time of publication on 2015/3/4 14:00. However, a fixed version was later released on 2015/3/4 22:00. This advisory was revised on 2015/3/6 11:00.
MaroyakaCGI
Maroyaka Simple Board
cpe:/a:tisa:maroyaka_simple_board
ver1.10 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
MaroyakaCGI
Maroyaka CGI website
http://www.s-ht.com/~jackal/index.php?mode=dl&cgi=mhb
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0891
JVN
JVN#63687798
http://jvn.jp/en/jp/JVN63687798/index.html
National Vulnerability Database (NVD)
CVE-2015-0891
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0891
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/04]
 Web page was published
[2015/03/06]
 Overview was modified
 Affected Products : Product version was modified
 Solution was modified
 Vendor Information : Content was modified
 References : Content was added
2015-03-04T14:48:07+09:00
2015-03-06T15:07:02+09:00
2015-03-04T00:00:00+09:00
JVNDB-2015-000035
Maroyaka Image Album vulnerable to cross-site scripting
Maroyaka Image Album provided by Maroyaka CGI is a CGI script for placing image files within a website. Maroyaka Image Album contains a cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. The developer originally stated there were no plans to further maintain the product at the time of publication on 2015/3/4 14:00. However, a fixed version was later released on 2015/3/4 22:00. This advisory was revised on 2015/3/6 11:00.
MaroyakaCGI
Maroyaka Image Album
cpe:/a:tisa:maroyaka_image_album
ver1.00 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
MaroyakaCGI
Maroyaka CGI website
http://www.s-ht.com/~jackal/index.php?mode=dl&cgi=mia
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0892
JVN
JVN#09871547
http://jvn.jp/en/jp/JVN09871547/index.html
National Vulnerability Database (NVD)
CVE-2015-0892
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0892
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/04]
 Web page was published
[2015/03/06]
 Overview was modified
 Affected Products : Product version was modified
 Solution was modified
 Vendor Information : Content was modified
 References : Content was added
2015-03-04T14:49:07+09:00
2015-03-06T15:21:34+09:00
2015-03-04T00:00:00+09:00
JVNDB-2015-000036
Maroyaka Relay Novel vulnerable to cross-site scripting
Maroyaka Relay Novel provided by Maroyaka CGI is a CGI script for posting text into a website. Maroyaka Relay Novel contains a persistent cross-site scripting vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. The developer originally stated there were no plans to further maintain the product at the time of publication on 2015/3/4 14:00. However, a fixed version was later released on 2015/3/4 22:00. This advisory was revised on 2015/3/6 11:00.
MaroyakaCGI
Maroyaka Relay Novel
cpe:/a:tisa:maroyaka_relay_novel
ver1.20c and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
MaroyakaCGI
Maroyaka CGI website
http://www.s-ht.com/~jackal/index.php?mode=dl&cgi=mrn
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0893
JVN
JVN#91016415
http://jvn.jp/en/jp/JVN91016415/index.html
National Vulnerability Database (NVD)
CVE-2015-0893
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0893
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/04]
 Web page was published
[2015/03/06]
 Overview was modified
 Affected Products : Product version was modified
 Solution was modified
 Vendor Information : Content was modified
 References : Content was added
2015-03-04T14:49:56+09:00
2015-03-06T15:30:27+09:00
2015-03-04T00:00:00+09:00
JVNDB-2015-000037
All In One WP Security & Firewall vulnerable to SQL injection
All In One WP Security & Firewall is a WordPress plugin that provides security functionality. All In One WP Security & Firewall contains a SQL injection vulnerability (CWE-89). ooooooo_q reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Tips and Tricks HQ
All In One WP Security & Firewall
cpe:/a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall
v3.8.7 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
If an administrator views a malicious page while logged in, an arbitrary SQL command may be executed.
[Update the software] Update to the latest version according to the information provided by the developer.
Tips and Tricks HQ
All In One WP Security & Firewall - Changelog
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0894
JVN
JVN#30832515
http://jvn.jp/en/jp/JVN30832515/index.html
National Vulnerability Database (NVD)
CVE-2015-0894
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0894
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/06]
 Web page was published
[2015/03/11]
 References : Content was added
2015-03-06T13:45:46+09:00
2015-03-11T17:55:35+09:00
2015-03-06T00:00:00+09:00
JVNDB-2015-000038
All In One WP Security & Firewall vulnerable to cross-site request forgery
All In One WP Security & Firewall is a WordPress plugin that provides security functionality. All In One WP Security & Firewall contains a cross-site request forgery vulnerability (CWE-352).
Tips and Tricks HQ
All In One WP Security & Firewall
cpe:/a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall
v3.8.9 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged in, access logs (404 events) maintained by the product may be deleted.
[Update the software] Update to the latest version according to the information provided by the developer.
Tips and Tricks HQ
All In One WP Security & Firewall - Changelog
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0895
JVN
JVN#87204433
http://jvn.jp/en/jp/JVN87204433/index.html
National Vulnerability Database (NVD)
CVE-2015-0895
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0895
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/06]
 Web page was published
[2015/03/11]
 References : Content was added
2015-03-06T13:46:57+09:00
2015-03-11T17:42:56+09:00
2015-03-06T00:00:00+09:00
JVNDB-2015-000039
eXtplorer vulnerable to cross-site scripting
eXtplorer is a web-based file manager. eXtplorer contains multiple cross-site scripting vulnerabilities. Yuji Tounai of NTT COM Security reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
eXtplorer
eXtplorer
cpe:/a:extplorer:extplorer
versions prior to 2.1.7
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
eXtplorer
eXtplorer 2.1.7 released
http://extplorer.net/news/16
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0896
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0896
JVN
JVN#97099798
http://jvn.jp/en/jp/JVN97099798/index.html
National Vulnerability Database (NVD)
CVE-2015-0896
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0896
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/17]
 Web page was published
[2015/03/20]
 References : Content was added
2015-03-17T13:41:31+09:00
2015-03-20T14:30:10+09:00
2015-03-17T00:00:00+09:00
JVNDB-2015-000040
LINE vulnerable to script injection
LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker. Kenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LINE Corporation
LINE
cpe:/a:linecorp:line
for Android version 5.0.2 and earlier
for iOS version 5.0.0 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
A script may be injected by a MITM (man-in-the-middle) attacker. As a result, any API can be invoked through the injected script.
[Update the software] Update to the latest version according to the information provided by the developer. According to the developer, a part of this vulnerability is fixed on the server side. The developer recommends that users update the application to the latest version, which enforces encryption of all communications and removes unnecessary APIs.
LINE Corporation
<Security Notice> Fixed Vulnerability in LINE
http://official-blog.line.me/ja/archives/24809761.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0897
JVN
JVN#41281927
http://jvn.jp/en/jp/JVN41281927/index.html
JVNDB
CWE-DesignError
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/20]
 Web page was published
2015-03-20T16:16:17+09:00
2015-03-20T16:16:17+09:00
2015-03-20T00:00:00+09:00
JVNDB-2015-000041
MP Form Mail CGI eCommerce edition vulnerable to code injection
MP Form Mail CGI eCommerce edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce edition contains a code injection vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
futomi Co.,Ltd.
MP Form Mail CGI eCommerce Edition
cpe:/a:futomis_cgi_cafe:mp_form_mail_cgi_ecommerce
Ver 2.0.11 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Arbitrary Perl code may be executed on the server where it resides.
[Update the software] Update to the latest version according to the information provided by the developer.
futomi Co., Ltd.
futomi Co., Ltd. website
http://www.futomi.com/library/info/2015/20150319.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0898
JVN
JVN#39175666
http://jvn.jp/en/jp/JVN39175666/index.html
National Vulnerability Database (NVD)
CVE-2015-0898
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0898
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/20]
 Web page was published
[2015/03/24]
 References : Content was added
2015-03-20T12:30:07+09:00
2015-03-24T15:11:31+09:00
2015-03-20T00:00:00+09:00
JVNDB-2015-000042
The Validator in TERASOLUNA Server Framework for Java(WEB) vulnerable to input validation bypass
The TERASOLUNA Server Framework for Java(WEB) provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for Java(WEB) is vulnerable to an issue contained in the Apache Struts 1 Validator, since it uses Apache Struts 1.2.9. The Validator in Apache Struts 1.1 and later contains a function (MPV -- Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions. The MPV contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.
NTT DATA
TERASOLUNA Server Framework for Java(Web)
cpe:/a:nttdata:terasoluna_server_framework_for_java_web
versions 2.0.0.1 through 2.0.5.2
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Input validation being bypassed may result in invalid data being entered into the database. The effects of the vulnerability depend on the application.
[Apply an Update] Update to the latest version according to the information provided by the developer. On March 24, 2015, TERASOLUNA Server Framework for Java(Web) 2.0.5.3 which includes Apache Struts 1.2.9 with SP2 by TERASOLUNA was released to address this vulnerability. According to NTT Data Corporation, they have also released Apache Struts 1.2.9 with SP2 by TERASOLUNA separately to address this vulnerability.
NTT DATA Corporation
TERASOLUNA Framework
https://sourceforge.jp/projects/terasoluna/
NTT DATA Corporation
Apache Struts 1.2.9 with SP2 by TERASOLUNA
https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
JVN
JVN#86448949
http://jvn.jp/en/jp/JVN86448949/index.html
National Vulnerability Database (NVD)
CVE-2015-0899
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/24]
 Web page was published
[2015/04/10]
 Overview was modified
[2016/08/26]
 References : Content was added
2015-03-24T14:10:53+09:00
2016-08-26T16:37:14+09:00
2015-03-24T00:00:00+09:00
JVNDB-2015-000043
Fumy Teacher's Schedule Board vulnerable to cross-site scripting
Fumy Teacher's Schedule Board provided by Nishishi Factory is a CGI program that displays schedules. Fumy Teacher's Schedule Board contains a cross-site scripting vulnerability. OHTA, Yoshinori of Business Architects Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Nishishi Factory
Fumy Teacher's Schedule Board
cpe:/a:nishishi:fumy_teachers_schedule_board
Ver 1.10 through Ver 2.21
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
Nishishi Factory
Information from Nishishi Factory
http://www.nishishi.com/cgi/ftsb/20150321.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0900
JVN
JVN#74547976
http://jvn.jp/en/jp/JVN74547976/index.html
National Vulnerability Database (NVD)
CVE-2015-0900
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0900
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/26]
 Web page was published
[2015/04/07]
 References : Content was added
2015-03-26T14:00:18+09:00
2015-04-07T17:25:33+09:00
2015-03-26T00:00:00+09:00
JVNDB-2015-000044
WordPress theme flashy vulnerable to cross-site scripting
flashy is a theme for WordPress. flashy contains a cross-site scripting vulnerability. Koki Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
flashy
flashy
cpe:/a:flashy_project:flashy
version 1.3 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use flashy] flashy is no longer being developed or maintained. It is recommended to stop using flashy.
flashy
WordPress Themes - flashy
https://wordpress.org/themes/flashy
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0901
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0901
JVN
JVN#97281747
http://jvn.jp/en/jp/JVN97281747/index.html
National Vulnerability Database (NVD)
CVE-2015-0901
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0901
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/26]
 Web page was published
[2015/04/07]
 References : Content was added
2015-03-26T14:04:06+09:00
2015-04-07T17:25:47+09:00
2015-03-26T00:00:00+09:00
JVNDB-2015-000045
Android OS may behave as an open resolver
A device that runs as a DNS cache server and responds to any recursive DNS query it receives is referred to as an open resolver. Android OS contains an issue where it may behave as an open resolver when the tethering function is enabled. Yasuhiro Orange Morishita of Japan Registry Services Co., Ltd. (JPRS) reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Google
Android
cpe:/o:google:android
OS versions prior to 4.3
Low
2.6
AV:N/AC:H/Au:N/C:N/I:N/A:P
The Android device may be used in a DNS amplification attack and unknowingly become a part of a DDoS attack. Whether a device is affected by this issue depends on the network it is connected to. For details, refer to the information provided under "Vendor Status".
[Apply an Update] Apply the update according to the information provided by the provider or developer. [Apply a Workaround] The following workaround may mitigate the effects of this vulnerability. * Do not connect to an untrusted network or Wi-Fi access point with the tethering function on
Google
Bug: 7530468 - Change-Id: I102fad738aff717e6ac40d4ac5a8d39a6fe2d2ca
https://android.googlesource.com/platform/system/netd/+/3d4c7585e35a93d9608fce8cc056b7eee9123a53
Google
Bug: 7530468 - Change-Id: Ic94cd66e66371de4fcc54f53b9f267f6611804b8
https://android.googlesource.com/platform/external/dnsmasq/+/41cd7ed80eb5e97ef9893633d05f0877da7d6d0c
JVN
Information from SoftBank
http://jvn.jp/en/jp/JVN81094176/397327/index.html
JVN
Information from Y!mobile
http://jvn.jp/en/jp/JVN81094176/995293/index.html
JVN
Information from Disney Mobile on SoftBank
http://jvn.jp/en/jp/JVN81094176/995417/index.html
JVN
Information from KDDI CORPORATION
http://jvn.jp/en/jp/JVN81094176/113349/index.html
JVN
Information from NTT DOCOMO, INC.
http://jvn.jp/en/jp/JVN81094176/995312/index.html
JVN
JVN#81094176
http://jvn.jp/en/jp/JVN81094176/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/27]
 Web page was published
2015-03-27T14:12:38+09:00
2015-03-27T14:12:38+09:00
2015-03-27T00:00:00+09:00
JVNDB-2015-000046
All in One SEO Pack information management vulnerability
All in One SEO Pack is a WordPress plugin. All in One SEO Pack automatically adds a meta tag ("Meta Description") to a page using some part of its contents, and this behavior is enabled in the initial configuration. A Meta Description may be added even when a page is password-protected; as a result, some part of its contents is not protected. Fumito MIZUNO of rescuework.inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Semper Fi Web Design
All in One SEO Pack
cpe:/a:semperfiwebdesign:all_in_one_seo_pack
Version 2.2.5.1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Some part of the contents are disclosed even when the contents are password-protected.
[Update the software] Update to the latest version according to the information provided by the developer. [Apply a workaround] The following workaround may mitigate the effects of this vulnerability. * Disable "Autogenerate Descriptions" in the settings screen
Semper Fi Web Design
All In One SEO Pack Release History
http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
Semper Fi Web Design
Advanced Settings - Autogenerate Descriptions
http://semperplugins.com/documentation/advanced-settings/#autogenerate-descriptions
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0902
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902
JVN
JVN#75615300
http://jvn.jp/en/jp/JVN75615300/index.html
National Vulnerability Database (NVD)
CVE-2015-0902
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0902
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/03/31] Web page was published; [2015/04/07] References: Content was added
2015-03-31T13:48:38+09:00
2015-04-07T17:27:09+09:00
2015-03-31T00:00:00+09:00
JVNDB-2015-000047
bBlog vulnerable to cross-site request forgery
bBlog is weblog software. bBlog contains a cross-site request forgery vulnerability (CWE-352).
Eaden McKee
bBlog
cpe:/a:bblog_project:bblog
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged in, unintended operations may be performed.
[Do not use bBlog] bBlog is no longer being developed or maintained. It is recommended to stop using bBlog. The developer states that "DO NOT use this software in production. It is years out of date. It is here simply for historical purposes. There are known security issues."
Eaden McKee
Legacy PHP Blogging system ( Don't Use )
http://sourceforge.net/projects/bblog/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0905
JVN
JVN#71903938
http://jvn.jp/en/jp/JVN71903938/index.html
National Vulnerability Database (NVD)
CVE-2015-0905
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0905
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/07] Web page was published; [2015/04/09] References: Content was added
2015-04-07T12:12:24+09:00
2015-04-09T14:05:42+09:00
2015-04-07T00:00:00+09:00
JVNDB-2015-000048
Maruo Editor vulnerable to buffer overflow
Maruo Editor provided by Saitoh Kikaku contains a buffer overflow vulnerability due to a flaw in processing a specially crafted .hmbook file (CWE-119). Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Saitoh Kikaku
Maruo Editor
cpe:/a:hidemaru:editor
Ver8.51 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
By processing a specially crafted .hmbook file, arbitrary code may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Saitoh Kikaku
Saitoh Kikaku website
http://hide.maruo.co.jp/software/hidemaru.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0903
JVN
JVN#58784309
http://jvn.jp/en/jp/JVN58784309/index.html
National Vulnerability Database (NVD)
CVE-2015-0903
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0903
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/02] Web page was published; [2015/04/07] References: Content was added
2015-04-02T12:30:56+09:00
2015-04-07T17:28:03+09:00
2015-04-02T00:00:00+09:00
JVNDB-2015-000049
"Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates
"Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates. Yasuyuki KOBAYASHI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LocationValue Inc.
"Restaurant Karaoke SHIDAX" App for Android
cpe:/a:misc:locationvalue_restaurantkaraoke_shidax_for_android
versions 1.3.3 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
"Restaurant Karaoke SHIDAX" - Android Apps on Google Play
https://play.google.com/store/apps/details?id=jp.shidax&hl=ja
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0904
JVN
JVN#68819526
https://jvn.jp/en/jp/JVN68819526/index.html
National Vulnerability Database (NVD)
CVE-2015-0904
https://nvd.nist.gov/vuln/detail/CVE-2015-0904
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/03] Web page was published; [2018/01/24] References: Content was added
2015-04-03T13:36:28+09:00
2018-01-24T14:03:16+09:00
2015-04-03T00:00:00+09:00
JVNDB-2015-000050
Lhaplus vulnerable to directory traversal
Lhaplus is file compression/decompression software. Lhaplus contains an issue in processing file names, which may result in a directory traversal vulnerability. akira_you of Nico-TECH reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Schezo
Lhaplus
cpe:/a:lhaplus:lhaplus
Version 1.59 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Decompressing a file with a specially crafted file name may result in the creation of an arbitrary file or the overwriting of an existing file.
[Update the Software] Update to the latest version according to the information provided by the developer.
Schezo
Lhaplus
http://www7a.biglobe.ne.jp/~schezo/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0906
JVN
JVN#02527990
https://jvn.jp/en/jp/JVN02527990/index.html
National Vulnerability Database (NVD)
CVE-2015-0906
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0906
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/09] Web page was published; [2015/04/16] References: Content was added
2015-04-09T13:57:24+09:00
2015-04-16T18:00:04+09:00
2015-04-09T00:00:00+09:00
JVNDB-2015-000051
Lhaplus vulnerable to remote code execution
Lhaplus is file compression/decompression software. Lhaplus contains a remote code execution vulnerability. Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Schezo
Lhaplus
cpe:/a:lhaplus:lhaplus
Version 1.59 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Decompressing a specially crafted file name may result in arbitrary code execution.
[Update the Software] Update to the latest version according to the information provided by the developer.
Schezo
Lhaplus
http://www7a.biglobe.ne.jp/~schezo/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0907
IPA SECURITY ALERTS
Security Alert for Vulnerability in Lhaplus (JVN#12329472)
https://www.ipa.go.jp/security/ciadr/vul/20150409-jvn.html
JVN
JVN#12329472
https://jvn.jp/en/jp/JVN12329472/index.html
National Vulnerability Database (NVD)
CVE-2015-0907
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0907
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/09] Web page was published; [2015/04/16] References: Content was added
2015-04-09T13:59:07+09:00
2015-04-16T18:00:40+09:00
2015-04-09T00:00:00+09:00
JVNDB-2015-000052
Seasar S2Struts vulnerable to input validation bypass
Seasar S2Struts provided by The Seasar Foundation is a software framework for developing Java web applications. Seasar S2Struts is vulnerable to an issue contained in the Apache Struts 1 Validator, because S2Struts 1.2.x uses Apache Struts 1.2.x, and S2Struts 1.3.x uses Apache Struts 1.3.x. The Validator in Apache Struts 1.1 and later contains a function (MPV -- Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions. The MPV contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.
The Seasar Foundation
S2Struts
cpe:/a:the_seasar_foundation:s2struts
1.2.13 and earlier
1.3.2 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Input validation being bypassed may result in invalid data being entered into the database. The effects of the vulnerability depend on the application.
[Apply an Update] Update to the latest version according to the information provided by the developer.
Seasar Project
The Seasar Project
http://www.seasar.org/en/
The Seasar Foundation
Seasar - DI Container with AOP
http://s2struts.seasar.org/en/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
JVN
JVN#91383083
https://jvn.jp/en/jp/JVN91383083/index.html
National Vulnerability Database (NVD)
CVE-2015-0899
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/10] Web page was published; [2016/08/26] References: Content was added
2015-04-10T14:38:23+09:00
2016-08-26T16:39:06+09:00
2015-04-10T00:00:00+09:00
JVNDB-2015-000054
TransmitMail vulnerable to cross-site scripting
TransmitMail is a PHP-based mail form. TransmitMail contains a cross-site scripting (CWE-79) vulnerability due to the processing of file names. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TAGAWA Takao
TransmitMail
cpe:/a:dounokouno:transmitmail
1.0.11 to 1.5.8
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
TransmitMail
TAGAWA Takao website
http://dounokouno.com/2015/04/20/transmitmail-%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0910
JVN
JVN#26860747
http://jvn.jp/en/jp/JVN26860747/index.html
National Vulnerability Database (NVD)
CVE-2015-0910
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0910
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/23] Web page was published; [2015/04/27] References: Content was added
2015-04-23T13:47:43+09:00
2015-04-27T16:13:12+09:00
2015-04-23T00:00:00+09:00
JVNDB-2015-000055
TransmitMail vulnerable to directory traversal
TransmitMail is a PHP-based mail form. TransmitMail contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TAGAWA Takao
TransmitMail
cpe:/a:dounokouno:transmitmail
1.0.11 to 1.5.8
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A remote attacker may view arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
TransmitMail
TAGAWA Takao website
http://dounokouno.com/2015/04/20/transmitmail-%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0911
JVN
JVN#41653647
http://jvn.jp/en/jp/JVN41653647/index.html
National Vulnerability Database (NVD)
CVE-2015-0911
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0911
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/23] Web page was published; [2015/04/27] References: Content was added
2015-04-23T14:12:16+09:00
2015-04-27T16:12:44+09:00
2015-04-23T00:00:00+09:00
JVNDB-2015-000060
EasyCTF vulnerable to arbitrary file creation
EasyCTF is a server-side CGI used to score CTF (Capture The Flag) events. EasyCTF contains a vulnerability that may allow a remote attacker to create arbitrary files (CWE-22). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hiroaki Sakai
EasyCTF
cpe:/a:kozos:easyctf
-1.3 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
An arbitrary file created by an attacker may result in arbitrary code being executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
EasyCTF
Hiroaki Sakai website
http://kozos.jp/software/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0912
JVN
JVN#67520407
https://jvn.jp/en/jp/JVN67520407/index.html
National Vulnerability Database (NVD)
CVE-2015-0912
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0912
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/01] Web page was published; [2015/05/07] References: Content was added
2015-05-01T13:37:22+09:00
2015-05-07T16:00:31+09:00
2015-05-01T00:00:00+09:00
JVNDB-2015-000061
EasyCTF vulnerable to cross-site scripting
EasyCTF is a server-side CGI used to score CTF (Capture The Flag) events. EasyCTF contains a cross-site scripting vulnerability (CWE-79) that can be exploited through an attacker-created account. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hiroaki Sakai
EasyCTF
cpe:/a:kozos:easyctf
-1.3 and earlier
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
EasyCTF
Hiroaki Sakai website
http://kozos.jp/software/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0913
JVN
JVN#07538357
http://jvn.jp/en/jp/JVN07538357/index.html
National Vulnerability Database (NVD)
CVE-2015-0913
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0913
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/01] Web page was published; [2015/05/07] References: Content was added
2015-05-01T13:49:32+09:00
2015-05-07T16:02:28+09:00
2015-05-01T00:00:00+09:00
JVNDB-2015-000062
EasyCTF vulnerable to session management
EasyCTF is a server-side CGI used to score CTF (Capture The Flag) events. EasyCTF contains a vulnerability in session management (CWE-639). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hiroaki Sakai
EasyCTF
cpe:/a:kozos:easyctf
-1.3 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A remote attacker without login credentials may log in. As a result, information may be disclosed.
[Update the Software] Update to the latest version according to the information provided by the developer.
EasyCTF
Hiroaki Sakai website
http://kozos.jp/software/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0914
JVN
JVN#96439865
http://jvn.jp/en/jp/JVN96439865/index.html
National Vulnerability Database (NVD)
CVE-2015-0914
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0914
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/01] Web page was published; [2015/05/07] References: Content was added
2015-05-01T14:00:44+09:00
2015-05-07T16:03:13+09:00
2015-05-01T00:00:00+09:00
JVNDB-2015-000063
MailDealer vulnerable to cross-site scripting
MailDealer provided by RAKUS Co.,Ltd. contains a persistent cross-site scripting (CWE-79) vulnerability due to a flaw in processing file names of attachments. Keigo YAMAZAKI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
RAKUS Co, Ltd.
Mail Dealer
cpe:/a:rakus:maildealer
11.2.1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
RAKUS Co, Ltd.
For MailDealer's Vulnerability
http://support.maildealer.jp/announce/150511.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0915
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0915
JVN
JVN#20133698
http://jvn.jp/en/jp/JVN20133698/index.html
National Vulnerability Database (NVD)
CVE-2015-0915
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0915
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/12] Web page was published; [2015/05/25] References: Content was added
2015-05-12T14:07:07+09:00
2015-05-12T14:07:07+09:00
2015-05-12T00:00:00+09:00
JVNDB-2015-000064
Cacti vulnerable to SQL injection
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a SQL injection vulnerability due to a flaw in processing user input values for 'local_graph_id' in graph.php. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Cacti Group
Cacti
cpe:/a:cacti:cacti
0.8.6e and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Arbitrary SQL queries may be injected in the back-end database by a remote authenticated attacker.
[Update the software] Update to the latest version according to the information provided by the developer. According to the developer, this issue was addressed in 0.8.6f released in 2005.
Cacti
Donate to the Cacti project
http://www.cacti.net/donate.php
Cacti
Release Notes - 0.8.6f
http://www.cacti.net/release_notes_0_8_6f.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0916
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0916
JVN
JVN#18957556
http://jvn.jp/en/jp/JVN18957556/index.html
National Vulnerability Database (NVD)
CVE-2015-0916
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0916
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/14] Web page was published; [2015/05/25] Vendor Information: Content was added; References: Content was added
2015-05-14T13:39:32+09:00
2015-05-25T15:29:04+09:00
2015-05-14T00:00:00+09:00
JVNDB-2015-000065
"Honda Moto LINC" App for Android fails to verify SSL server certificates
"Honda Moto LINC" App for Android fails to verify SSL server certificates. Yasuyuki KOBAYASHI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Honda Motor Co.,Ltd.
"Honda Moto LINC" App for Android
cpe:/a:honda:moto_linc
versions 1.6.1 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
Honda Motor Co., Ltd.
https://play.google.com/store/apps/details?id=jp.ne.internavi.motolinc
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2943
JVN
JVN#75851252
http://jvn.jp/en/jp/JVN75851252/index.html
National Vulnerability Database (NVD)
CVE-2015-2943
https://nvd.nist.gov/vuln/detail/CVE-2015-2943
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T14:08:01+09:00
[2015/05/15] Web page was published
1
2018-02-28T14:08:12+09:00
[2018/02/28] References: Content was added
2015-05-15T12:23:29+09:00
2018-02-28T14:36:04+09:00
2015-05-15T00:00:00+09:00
JVNDB-2015-000066
BGA32.DLL and QBga32.DLL contain multiple vulnerabilities
BGA32.DLL is a compression/decompression library for gza- and bza-format files. BGA32.DLL contains multiple vulnerabilities (including a buffer overflow) because it utilizes vulnerable zlib and bzip2 libraries. QBga32.DLL, which is a wrapper of BGA32.DLL, is also affected. KONDOU, Kazuhiro reported this vulnerability to IPA. JPCERT/CC coordinated with the developers under Information Security Early Warning Partnership.
Kazuhiro Inaba
QBga32.DLL
cpe:/a:misc:kazuhiro_inaba_qbga32.dll
version 0.04 and earlier
Toshinobu Kimura
BGA32.DLL
cpe:/a:misc:toshinobu_kimura_bga32.dll
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Decompressing a specially crafted file may result in denial-of-service (DoS) or arbitrary code execution.
[Use the latest version of QBga32.DLL] These vulnerabilities have been addressed in QBga32.DLL version 0.05. [Do not use BGA32.DLL] BGA32.DLL is no longer being developed or maintained. It is recommended to stop using BGA32.DLL.
Kazuhiro Inaba
QBga32.DLL
http://www.kmonos.net/lib/qbga32.ja.html
Toshinobu Kimura
Common Archivers Library: BGA32.DLL
http://www.madobe.net/archiver/lib/bga32.html
Common Vulnerabilities and Exposures (CVE)
CVE-2003-0107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
Common Vulnerabilities and Exposures (CVE)
CVE-2005-0953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953
Common Vulnerabilities and Exposures (CVE)
CVE-2005-1260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260
Common Vulnerabilities and Exposures (CVE)
CVE-2005-1849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
Common Vulnerabilities and Exposures (CVE)
CVE-2005-2096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
JVN
JVN#78689801
http://jvn.jp/en/jp/JVN78689801/index.html
National Vulnerability Database (NVD)
CVE-2003-0107
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0107
National Vulnerability Database (NVD)
CVE-2005-0953
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0953
National Vulnerability Database (NVD)
CVE-2005-1260
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1260
National Vulnerability Database (NVD)
CVE-2005-1849
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1849
National Vulnerability Database (NVD)
CVE-2005-2096
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2096
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/19] Web page was published; [2015/05/22] CVE: CVE-IDs were added; References: Contents were added
2015-05-19T13:40:22+09:00
2015-05-22T14:26:24+09:00
2015-05-19T00:00:00+09:00
JVNDB-2015-000067
mt-phpincgi vulnerable to PHP object injection
mt-phpincgi is a script that runs Movable Type templates as PHP. mt-phpincgi contains a PHP object injection vulnerability. According to the reporter, attacks that attempt to exploit this vulnerability have been confirmed.
Ichi Fujimoto
mt-phpincgi
cpe:/a:h-fj:mt-phpincgi
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Arbitrary PHP code may be executed on the server by an unauthenticated attacker.
[Apply the update] The developer has released an update at mt-phpincgi.php security update. Apply the update according to the information provided by the developer.
The blog of H.Fujimoto
Hajime Fujimoto website
http://www.h-fj.com/blog/
The blog of H.Fujimoto
mt-phpincgi.php security update
http://www.h-fj.com/blog/archives/2015/05/15-112843.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2945
IPA SECURITY ALERTS
Security Alert for Vulnerability in mt-phpincgi (JVN#64459670)
https://www.ipa.go.jp/security/ciadr/vul/20150520-jvn.html
JVN
JVN#64459670
http://jvn.jp/en/jp/JVN64459670/index.html
National Vulnerability Database (NVD)
CVE-2015-2945
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2945
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/20] Web page was published; [2015/05/25] Solution was modified; [2015/05/28] References: Content was added
2015-05-20T14:34:49+09:00
2015-05-28T18:05:57+09:00
2015-05-20T00:00:00+09:00
JVNDB-2015-000068
SXF Common Library vulnerable to buffer overflow
SXF Common Library contains a buffer overflow vulnerability. akira_you of Nico-TECH reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Open CAD Format Council
SXF common library
cpe:/a:ocf:sxf_common_library
Ver.3.21 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
By processing a specially crafted CAD file, arbitrary code may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Open CAD Format Council
Open CAD Format Council website
http://www.ocf.or.jp/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2946
IPA SECURITY ALERTS
Security Alert for Vulnerability in SXF Common Library (JVN#93976566)
https://www.ipa.go.jp/security/ciadr/vul/20150522-jvn.html
JVN
JVN#93976566
https://jvn.jp/en/jp/JVN93976566/index.html
National Vulnerability Database (NVD)
CVE-2015-2946
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2946
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/22] Web page was published; [2015/05/28] References: Content was added
2015-05-22T14:15:51+09:00
2015-05-28T18:14:00+09:00
2015-05-22T00:00:00+09:00
JVNDB-2015-000069
Apache Sling API and Servlets Post components vulnerable to cross-site scripting
Apache Sling is an open source web application framework provided by The Apache Software Foundation. Sling API and Servlet Post components included in Apache Sling contain a cross-site scripting vulnerability (CWE-79) in the error page and the generation of the job completion. MORI Shingo and Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Sling API
cpe:/a:apache:sling_api
2.2.0 and earlier
Apache Software Foundation
Apache Sling Servlets Post
cpe:/a:apache:sling_servlets_post
2.1.0 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the respective components to the appropriate versions] Update the components to the appropriate versions according to the information provided by the developer. The developer released the following versions to fix the vulnerability: Apache Sling API 2.2.2 and Apache Sling Servlets Post 2.1.2.
Apache Software Foundation
[SLING-2082] XSS vulnerability: HtmlResponse output does not escape URLs in HTML
https://issues.apache.org/jira/browse/SLING-2082
Apache Software Foundation
Downloads
https://sling.apache.org/downloads.cgi
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2944
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2944
JVN
JVN#61328139
http://jvn.jp/en/jp/JVN61328139/index.html
National Vulnerability Database (NVD)
CVE-2015-2944
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2944
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/27] Web page was published; [2015/06/04] References: Content was added
2015-05-27T14:43:42+09:00
2015-06-04T15:39:39+09:00
2015-05-27T00:00:00+09:00
JVNDB-2015-000070
Zenphoto vulnerable to cross-site scripting
Zenphoto is a content management system (CMS). Zenphoto contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing encoded user-supplied input. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zenphoto
Zenphoto
cpe:/a:zenphoto:zenphoto
1.4.7 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
Zenphoto
Zenphoto 1.4.8
http://www.zenphoto.org/news/zenphoto-1.4.8
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2948
JVN
JVN#68452022
https://jvn.jp/en/jp/JVN68452022/index.html
National Vulnerability Database (NVD)
CVE-2015-2948
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2948
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/28] Web page was published; [2015/06/03] References: Content was added
2015-05-28T13:42:01+09:00
2015-06-03T18:06:38+09:00
2015-05-28T00:00:00+09:00
JVNDB-2015-000071
ZenPhoto20 vulnerable to cross-site scripting
ZenPhoto20 is a content management system (CMS). ZenPhoto20 contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing encoded user-supplied input. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ZenPhoto20
ZenPhoto20
cpe:/a:misc:zenphoto20_zenphoto20
1.1.3 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
GitHub
ZenPhoto20/ZenPhoto20
https://github.com/ZenPhoto20/ZenPhoto20
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2949
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2949
JVN
JVN#51176150
http://jvn.jp/en/jp/JVN51176150/index.html
National Vulnerability Database (NVD)
CVE-2015-2949
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2949
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/28] Web page was published; [2015/06/03] References: Content was added
2015-05-28T13:42:47+09:00
2015-06-03T18:06:37+09:00
2015-05-28T00:00:00+09:00
JVNDB-2015-000072
"Open Explorer Beta" App for Android vulnerable to directory traversal
"Open Explorer Beta" App for Android provided by brandroid.org contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
brandroid.org
"Open Explorer Beta" App for Android
cpe:/a:open_explorer_beta_project:open_explorer_beta
versions prior to 0.254
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to access.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
"Open Explorer Beta" - Android Apps on Google Play
https://play.google.com/store/apps/details?id=org.brandroid.openmanager
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2950
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2950
JVN
JVN#95246510
http://jvn.jp/en/jp/JVN95246510/index.html
National Vulnerability Database (NVD)
CVE-2015-2950
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2950
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/03] Web page was published; [2015/06/08] References: Content was added
2015-06-03T14:59:42+09:00
2015-06-08T12:25:47+09:00
2015-06-03T00:00:00+09:00
JVNDB-2015-000073
F21 JWT fails to verify token signatures
JWT provided by F21 is a PHP library for handling JSON Web Tokens. php-jwt contains a vulnerability where it fails to verify token signatures. Toshiharu Sugiyama of DeNA Co., Ltd. and Shuntaro Maeda reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
F21
JWT
cpe:/a:f21:jwt
versions prior to 2.0
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Specially crafted tokens may be validated as token data with valid signatures.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
F21/jwt
https://github.com/F21/jwt
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2951
JVN
JVN#06120222
http://jvn.jp/en/jp/JVN06120222/index.html
National Vulnerability Database (NVD)
CVE-2015-2951
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2951
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/03]\n Web page was published\n[2015/06/08]\n References : Content was added
2015-06-03T15:01:59+09:00
2015-06-08T12:04:09+09:00
2015-06-03T00:00:00+09:00
JVNDB-2015-000074
NetFlow Analyzer vulnerable to cross-site scripting
NetFlow Analyzer provided by Zoho Corporation contains a cross-site scripting vulnerability. Tomoshige Hasegawa and Akihito Mukai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zoho Corporation
NetFlow Analyzer
cpe:/a:zohocorp:netflow_analyzer
build 10250 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software build and apply the patch] Update the software to build 10250 and then apply the patch according to the information provided by the developer.
ManageEngine
Download Service Packs
https://www.manageengine.com/products/netflow/service-packs.html
ZOHO Corp.
Vulnerability fix for (fails to restrict access permissions, cross-site scripting, cross-site request forgery) over build 10250
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2960
JVN
JVN#98447310
http://jvn.jp/en/jp/JVN98447310/index.html
National Vulnerability Database (NVD)
CVE-2015-2960
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2960
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/05]\n Web page was published\n[2015/06/10]\n References : Content was added
2015-06-05T13:59:10+09:00
2015-06-10T16:06:08+09:00
2015-06-05T00:00:00+09:00
JVNDB-2015-000075
NetFlow Analyzer fails to restrict access permissions
NetFlow Analyzer provided by Zoho Corporation fails to restrict access permissions. Tomoshige Hasegawa and Akihito Mukai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zoho Corporation
NetFlow Analyzer
cpe:/a:zohocorp:netflow_analyzer
build 10250 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Administrative operations, for example changing passwords or deleting user accounts, may be performed by a user with guest privileges. In addition, information intended only for administrative users may be obtained by a third party.
[Update the software build and apply the patch] Update the software to build 10250 and then apply the patch according to the information provided by the developer.
ManageEngine
Download Service Packs
https://www.manageengine.com/products/netflow/service-packs.html
ZOHO Corp.
Vulnerability fix for (fails to restrict access permissions, cross-site scripting, cross-site request forgery) over build 10250
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2959
JVN
JVN#25598413
http://jvn.jp/en/jp/JVN25598413/index.html
National Vulnerability Database (NVD)
CVE-2015-2959
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2959
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/05]\n Web page was published\n[2015/06/10]\n References : Content was added
2015-06-05T14:02:27+09:00
2015-06-10T16:10:48+09:00
2015-06-05T00:00:00+09:00
JVNDB-2015-000076
NetFlow Analyzer vulnerable to cross-site request forgery
NetFlow Analyzer provided by Zoho Corporation contains a cross-site request forgery vulnerability.
Zoho Corporation
NetFlow Analyzer
cpe:/a:zohocorp:netflow_analyzer
build 10250 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
If a user views a malicious page while logged in, various administrative functions may be performed.
[Update the software build and apply the patch] Update the software to build 10250 and then apply the patch according to the information provided by the developer.
ManageEngine
Download Service Packs
https://www.manageengine.com/products/netflow/service-packs.html
ZOHO Corp.
Vulnerability fix for (fails to restrict access permissions, cross-site scripting, cross-site request forgery) over build 10250
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerability-fix-for-fails-to-restrict-access-permissions-cross-site-scripting-cross-site-request-forgery-over-build-10250
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2961
JVN
JVN#79284156
http://jvn.jp/en/jp/JVN79284156/index.html
National Vulnerability Database (NVD)
CVE-2015-2961
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2961
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/05]\n Web page was published\n[2015/06/10]\n References : Content was added
2015-06-05T14:14:40+09:00
2015-06-10T16:14:02+09:00
2015-06-05T00:00:00+09:00
JVNDB-2015-000077
MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions against the management function for user information (CWE-284). Note that this vulnerability is different from JVN#16409640 or JVN#74280258. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N
A non-administrative user may be able to change administrative user credentials.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2952
JVN
JVN#19732015
https://jvn.jp/en/jp/JVN19732015/index.html
National Vulnerability Database (NVD)
CVE-2015-2952
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2952
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/12]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-12T14:13:22+09:00
2015-06-16T16:52:08+09:00
2015-06-12T00:00:00+09:00
JVNDB-2015-000078
MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions (CWE-264). Note that this vulnerability is different from JVN#74280258. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A remote attacker may obtain files managed by the product.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2953
JVN
JVN#16409640
http://jvn.jp/en/jp/JVN16409640/index.html
National Vulnerability Database (NVD)
CVE-2015-2953
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2953
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/09]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-09T13:43:09+09:00
2015-06-16T16:52:06+09:00
2015-06-09T00:00:00+09:00
JVNDB-2015-000079
MilkyStep vulnerable to cross-site request forgery
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a cross-site request forgery vulnerability (CWE-352). Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
If a user views a malicious page while logged in, unintended operations may be performed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2954
JVN
JVN#12241436
http://jvn.jp/en/jp/JVN12241436/index.html
National Vulnerability Database (NVD)
CVE-2015-2954
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2954
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/09]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-09T13:45:53+09:00
2015-06-16T16:52:05+09:00
2015-06-09T00:00:00+09:00
JVNDB-2015-000080
MilkyStep vulnerable to OS command injection
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains an OS command injection vulnerability (CWE-78). Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
An arbitrary OS command may be executed by an attacker.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2955
IPA SECURITY ALERTS
Security Alert for Vulnerability in MilkyStep (JVN#05559185)(JVN#52478686)
https://www.ipa.go.jp/security/ciadr/vul/20150609-jvn.html
JVN
JVN#05559185
http://jvn.jp/en/jp/JVN05559185/index.html
National Vulnerability Database (NVD)
CVE-2015-2955
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2955
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/09]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-09T14:02:10+09:00
2015-06-16T16:52:03+09:00
2015-06-09T00:00:00+09:00
JVNDB-2015-000081
MilkyStep vulnerable to SQL injection
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a SQL injection vulnerability (CWE-89). Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
An attacker who can access the product may execute an arbitrary SQL command.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2956
IPA SECURITY ALERTS
Security Alert for Vulnerability in MilkyStep (JVN#05559185)(JVN#52478686)
https://www.ipa.go.jp/security/ciadr/vul/20150609-jvn.html
JVN
JVN#52478686
http://jvn.jp/en/jp/JVN52478686/index.html
National Vulnerability Database (NVD)
CVE-2015-2956
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2956
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/09]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-09T14:15:01+09:00
2015-06-16T16:52:02+09:00
2015-06-09T00:00:00+09:00
JVNDB-2015-000082
MilkyStep vulnerable to cross-site scripting
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a cross-site scripting vulnerability (CWE-79). Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2957
JVN
JVN#20879350
http://jvn.jp/en/jp/JVN20879350/index.html
National Vulnerability Database (NVD)
CVE-2015-2957
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2957
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/09]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-09T14:15:46+09:00
2015-06-16T16:52:00+09:00
2015-06-09T00:00:00+09:00
JVNDB-2015-000083
MilkyStep fails to restrict access permissions
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep fails to restrict access permissions (CWE-264). Note that this vulnerability is different from JVN#16409640. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Igreks Inc.
MilkyStep Light
cpe:/a:igreks:milkystep_light
Ver0.94 and earlier
Igreks Inc.
MilkyStep Professional
cpe:/a:igreks:milkystep_professional
Ver1.82 and earlier
Igreks Inc.
MilkyStep Professional OEM
cpe:/a:igreks:milkystep_professional_oem
Ver1.82 and earlier
Medium
6.4
AV:N/AC:L/Au:N/C:N/I:P/A:P
A remote attacker may alter product settings.
[Update the Software] Update to the latest version according to the information provided by the developer.
Igreks
Igreks Inc. website
http://milkystep.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2958
JVN
JVN#74280258
http://jvn.jp/en/jp/JVN74280258/index.html
National Vulnerability Database (NVD)
CVE-2015-2958
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2958
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/09]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-09T14:16:14+09:00
2015-06-16T16:51:59+09:00
2015-06-09T00:00:00+09:00
JVNDB-2015-000085
Multiple Buffalo wireless LAN routers vulnerable to OS command injection
Multiple wireless LAN routers provided by BUFFALO INC. contain an OS command injection vulnerability. Masashi Sakai and Satoshi Ogawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
BHR-4GRV2
cpe:/h:buffalo_inc:bhr-4grv2
Ver.1.04 and earlier
BUFFALO INC.
WEX-300
cpe:/h:buffalo_inc:wex-300
Ver.1.60 and earlier
BUFFALO INC.
WHR-1166DHP
cpe:/h:buffalo_inc:whr-1166dhp
Ver.1.60 and earlier
BUFFALO INC.
WHR-300HP2
cpe:/h:buffalo_inc:whr-300hp2
Ver.1.60 and earlier
BUFFALO INC.
WHR-600D
cpe:/h:buffalo_inc:whr-600d
Ver.1.60 and earlier
BUFFALO INC.
WMR-300
cpe:/h:buffalo_inc:wmr-300
Ver.1.60 and earlier
BUFFALO INC.
WSR-600DHP
cpe:/h:buffalo_inc:wsr-600dhp
Ver.1.60 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
An authenticated attacker may be able to execute arbitrary OS commands.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
BUFFALO
BUFFALO INC. website
http://www.buffalotech.com/select-your-region#
Common Vulnerabilities and Exposures (CVE)
CVE-2014-9284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9284
JVN
JVN#50447904
http://jvn.jp/en/jp/JVN50447904/index.html
National Vulnerability Database (NVD)
CVE-2014-9284
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9284
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/05]\n Web page was published\n[2015/06/10]\n References : Content was added
2015-06-05T14:16:12+09:00
2015-06-10T17:54:35+09:00
2015-06-05T00:00:00+09:00
JVNDB-2015-000086
LoadLibrary function in Microsoft Windows fails to validate input properly
The LoadLibrary function in Microsoft Windows fails to validate input properly. As a result, it may load a specially crafted DLL file (CWE-114). Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Microsoft Corporation
Microsoft Windows
cpe:/o:microsoft:windows
High
7.6
AV:N/AC:H/Au:N/C:C/I:C/A:C
Arbitrary code may be executed as a result of an application loading a specially crafted DLL file.
[Update the Software] This issue was addressed in MS15-063, released on June 10, 2015. Apply the update according to the information provided by Microsoft.
Microsoft Security Bulletin
MS15-063
https://technet.microsoft.com/en-us/library/security/ms15-063.aspx
@Police
For Microsoft security fix (MS15-056,057,059,060,061,062,063,064)(2015/06/10)
http://www.npa.go.jp/cyberpolice/topics/?seq=16442
Common Vulnerabilities and Exposures (CVE)
CVE-2015-1758
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1758
IPA SECURITY ALERTS
Security Alert for Vulnerability in Microsoft Windows (June 2015)(JVN#18146081)
http://www.ipa.go.jp/security/ciadr/vul/20150610-ms.html
JPCERT REPORT
JPCERT-AT-2015-0016
https://www.jpcert.or.jp/english/at/2015/at150016.html
JVN
JVN#18146081
http://jvn.jp/en/jp/JVN18146081/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/12]\n Web page was published
2015-06-12T14:11:50+09:00
2015-06-12T14:11:50+09:00
2015-06-12T00:00:00+09:00
JVNDB-2015-000087
BloBee vulnerable to arbitrary file creation
BloBee provided by CGI RESCUE is a bulletin board software. BloBee contains a vulnerability that may allow a remote attacker to create arbitrary files (CWE-20). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CGI RESCUE
BloBee
cpe:/a:cgi_rescue:blobee
v1.20 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
An arbitrary file created by an attacker may result in arbitrary code being executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
BloBee
BloBee
http://www.rescue.ne.jp/cgi/blobee/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2962
JVN
JVN#24336273
http://jvn.jp/en/jp/JVN24336273/index.html
National Vulnerability Database (NVD)
CVE-2015-2962
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2962
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/12]\n Web page was published\n[2015/06/16]\n References : Content was added
2015-06-12T14:12:38+09:00
2015-06-16T16:51:57+09:00
2015-06-12T00:00:00+09:00
JVNDB-2015-000088
Ruby on Rails library Paperclip vulnerable to cross-site scripting
Paperclip provided by thoughtbot is a library to upload files in Ruby on Rails. Paperclip contains a persistent cross-site scripting vulnerability (CWE-79). MORI Shingo of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
thoughtbot, inc.
Paperclip
cpe:/a:thoughtbot:paperclip
4.2.1 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
thoughtbot/paperclip
https://github.com/thoughtbot/paperclip
thoughtbot
Paperclip Security Release
https://robots.thoughtbot.com/paperclip-security-release
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2963
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2963
JVN
JVN#83881261
http://jvn.jp/en/jp/JVN83881261/index.html
National Vulnerability Database (NVD)
CVE-2015-2963
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2963
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/18]\n Web page was published\n[2015/07/14]\n References : Content was added
2015-06-18T14:14:20+09:00
2015-07-14T18:15:44+09:00
2015-06-18T00:00:00+09:00
JVNDB-2015-000089
Symfony vulnerable to code injection
Symfony is an open source web application framework provided by SensioLabs. Symfony contains a code injection vulnerability. Applications with ESI support enabled and using the Symfony built-in reverse proxy (the HttpCache class) are affected. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sensio Labs
Symfony
cpe:/a:sensiolabs:symfony
2.0.x, 2.1.x, 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Arbitrary PHP code may be executed on the server where an application using Symfony resides.
[Update the software] Update to the appropriate version according to the information provided by the developer. This vulnerability has been addressed in Symfony 2.3.27, 2.5.11 and 2.6.6. Note that Symfony 2.0, 2.1, 2.2 and 2.4 are no longer being developed or supported; therefore, this issue has not been fixed in those versions.
Sensio Labs
CVE-2015-2308: Esi Code Injection
https://symfony.com/blog/cve-2015-2308-esi-code-injection
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2308
IPA SECURITY ALERTS
Security Alert for Vulnerability in Symfony (JVN#19578958)
http://www.ipa.go.jp/security/ciadr/vul/20150623-jvn.html
JVN
JVN#19578958
http://jvn.jp/en/jp/JVN19578958/index.html
National Vulnerability Database (NVD)
CVE-2015-2308
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2308
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/23]\n Web page was published\n[2015/06/25]\n References : Content was added
2015-06-23T12:29:19+09:00
2015-06-25T17:34:35+09:00
2015-06-23T00:00:00+09:00
JVNDB-2015-000090
namshi/jose fails to verify token signatures
namshi/jose is a PHP library for handling JSON Web Tokens (JWT). namshi/jose contains a vulnerability in processing JWT headers where it fails to verify token signatures. Toshiharu Sugiyama of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Namshi
namshi/jose
cpe:/a:namshi:namshi%2Fjose
2.2.1 and earlier
3.0.0 and earlier
4.0.0 and earlier
5.0.0 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Specially crafted tokens may be validated as token data with valid signatures.
[Update the Software] Update to the appropriate version according to the information provided by the developer.
Namshi
namshi/jose
https://github.com/namshi/jose
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2964
JVN
JVN#25336719
https://jvn.jp/en/jp/JVN25336719/index.html
National Vulnerability Database (NVD)
CVE-2015-2964
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2964
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/25]\n Web page was published\n[2015/07/14]\n References : Content was added
2015-06-25T15:00:25+09:00
2015-07-14T17:18:39+09:00
2015-06-25T00:00:00+09:00
JVNDB-2015-000091
osCommerce Japanese version vulnerable to directory traversal
osCommerce is an open source system for creating shopping websites. osCommerce Japanese version contains a directory traversal vulnerability. Masako Ohno reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
osCommerce
osCommerce
cpe:/a:oscommerce:oscommerce
2.2ms1j-R8 and earlier
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
A user who can log in to the system as an administrator may obtain arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
osCommerce Japanese Localization Project
osCommerce for creating shopping websites - Support Documents
http://www.bitscope.co.jp/tep/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2965
JVN
JVN#96312698
https://jvn.jp/en/jp/JVN96312698/index.html
National Vulnerability Database (NVD)
CVE-2015-2965
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2965
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/25]\n Web page was published\n[2015/06/30]\n References : Content was added
2015-06-25T15:53:59+09:00
2015-06-30T11:53:03+09:00
2015-06-25T00:00:00+09:00
JVNDB-2015-000092
OpenEMR vulnerable to authentication bypass
OpenEMR is an electronic health records and medical practice management application. OpenEMR contains an authentication bypass vulnerability (CWE-302). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
OpenEMR
OpenEMR
cpe:/a:open-emr:openemr
2.8.3 to 4.2.0 patch 1
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Sensitive information may be obtained by a remote attacker who can access the web interface of the product.
[Update the software and apply the patch] This vulnerability has been addressed in OpenEMR 4.2.0 patch 2. Update the software and then apply the patch according to the information provided by the developer.
OpenEMR
Stable Production Release (Version 4.2.0)
http://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
OpenEMR
OpenEMR Patches
http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
Common Vulnerabilities and Exposures (CVE)
CVE-2015-4453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4453
JVN
JVN#22677713
https://jvn.jp/en/jp/JVN22677713/index.html
National Vulnerability Database (NVD)
CVE-2015-4453
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4453
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/30]\n Web page was published\n[2015/07/14]\n References : Content was added
2015-06-30T13:55:47+09:00
2015-07-14T17:16:04+09:00
2015-06-30T00:00:00+09:00
JVNDB-2015-000093
Explorer+ File Manager vulnerable to directory traversal
Explorer+ File Manager provided by Droidware UK contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Droidware UK
Explorer+ File Manager
cpe:/a:droidwareuk:explorer%2B_file_manager
Pro versions prior to 2.3.3
versions prior to 2.3.3
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to access.
[Apply an Update] Apply the appropriate update according to the information provided by the developer.
Google Play
Explorer+ File Manager - Android Apps on Google Play
https://play.google.com/store/apps/details?id=com.ftpcafe.explorer.standard
Google Play
Explorer+ File Manager Pro - Android Apps on Google Play
https://play.google.com/store/apps/details?id=com.ftpcafe.explorer
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2966
JVN
JVN#77386811
https://jvn.jp/en/jp/JVN77386811/index.html
National Vulnerability Database (NVD)
CVE-2015-2966
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2966
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/06/30]\n Web page was published\n[2015/07/02]\n References : Content was added
2015-06-30T13:56:21+09:00
2015-07-02T15:04:48+09:00
2015-06-30T00:00:00+09:00
JVNDB-2015-000094
Cacti vulnerable to cross-site scripting
Cacti is a web application that graphs stored data collected from network devices. Cacti contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing parameters in settings.php. Daiki Fukumori of Cyber Defense Institute, Inc. and Masako Ohno reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Cacti Group
Cacti
cpe:/a:cacti:cacti
0.8.8c and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged in, an arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
Cacti
Release Notes - 0.8.8d
http://www.cacti.net/release_notes_0_8_8d.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2967
JVN
JVN#78187936
http://jvn.jp/en/jp/JVN78187936/index.html
National Vulnerability Database (NVD)
CVE-2015-2967
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2967
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/09]
 Web page was published
[2015/07/14]
 References : Content was added
2015-07-09T14:41:17+09:00
2015-07-14T18:03:35+09:00
2015-07-09T00:00:00+09:00
JVNDB-2015-000095
LINE@ vulnerable to script injection
LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker. Kenta Suefusa, Nobuaki Nakazawa, and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LINE Corporation
LINE@
cpe:/a:linecorp:line%40
for Android version 1.0.0
for iOS version 1.0.0
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
A script may be injected by a MITM (man-in-the-middle) attacker. As a result, any API can be invoked through the injected script.
[Update the software] Update to the latest version according to the information provided by the developer. According to the developer, this vulnerability was addressed on the server side. However, the developer recommends updating the application for security purposes.
LINE Corporation
<Security Notice> Fixed Vulnerability in LINE related apps
http://official-blog.line.me/ja/archives/36495925.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2968
JVN
JVN#22546110
http://jvn.jp/en/jp/JVN22546110/index.html
JVNDB
CWE-DesignError
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/10]
 Web page was published
2015-07-10T14:50:48+09:00
2015-07-10T14:50:48+09:00
2015-07-10T00:00:00+09:00
JVNDB-2015-000096
Simple Oekaki BBS vulnerable to cross-site scripting
Simple Oekaki BBS provided by LEMON-S PHP contains a persistent cross-site scripting (CWE-79) vulnerability due to the processing of the oekakis parameter in index.php. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LEMON-S PHP
Simple Oekaki BBS
cpe:/a:lemon-s_php:simple_oekaki
versions prior to v1.21
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
LEMON-S PHP
Information from LEMON-S PHP
http://php.lemon-s.com/simpleoekaki.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2969
JVN
JVN#67540183
http://jvn.jp/en/jp/JVN67540183/index.html
National Vulnerability Database (NVD)
CVE-2015-2969
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2969
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/10]
 Web page was published
[2015/07/14]
 References : Content was added
2015-07-10T13:57:09+09:00
2015-07-14T18:09:20+09:00
2015-07-10T00:00:00+09:00
JVNDB-2015-000097
Simple Oekaki BBS vulnerability where arbitrary files may be deleted
Simple Oekaki BBS provided by LEMON-S PHP contains a flaw in parsing the oekakis parameter in index.php, which may allow a remote attacker to delete arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LEMON-S PHP
Simple Oekaki BBS
cpe:/a:lemon-s_php:simple_oekaki
versions prior to v1.21
Medium
6.4
AV:N/AC:L/Au:N/C:N/I:P/A:P
A remote attacker may delete arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
LEMON-S PHP
Information from LEMON-S PHP
http://php.lemon-s.com/simpleoekaki.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2970
JVN
JVN#61935381
http://jvn.jp/en/jp/JVN61935381/index.html
National Vulnerability Database (NVD)
CVE-2015-2970
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2970
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/10]
 Web page was published
[2015/07/14]
 References : Content was added
2015-07-10T13:57:08+09:00
2015-07-14T18:11:00+09:00
2015-07-10T00:00:00+09:00
JVNDB-2015-000098
acmailer vulnerable to directory traversal
acmailer provided by Seeds Co.,Ltd. contains a directory traversal (CWE-22) vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Seeds Co.,Ltd.
acmailer
cpe:/a:seeds:acmailer
versions prior to 3.8.18
versions prior to 3.9.12 Beta
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
An authenticated attacker may delete files on the server.
[Update the software] Update to the latest version according to the information provided by the developer.
Seeds Co.,Ltd.
acmailer Updates
http://www.acmailer.jp/info/de.cgi?id=58
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2971
JVN
JVN#64051989
https://jvn.jp/en/jp/JVN64051989/index.html
National Vulnerability Database (NVD)
CVE-2015-2971
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2971
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/15]
 Web page was published
[2015/07/27]
 References : Content was added
2015-07-15T15:53:58+09:00
2015-07-27T15:12:03+09:00
2015-07-15T00:00:00+09:00
JVNDB-2015-000099
Thetis vulnerable to SQL injection
Thetis provided by Sysphonic Co., Ltd. is an open source groupware and SNS. Thetis contains a SQL injection (CWE-89) vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sysphonic Co., Ltd.
Thetis
cpe:/a:sysphonic:thetis
ver.2.2.0 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
An attacker may obtain or alter information stored in the database.
[Apply an Update] Apply the update according to the information provided by the provider.
GitHub
x ApplicationHelper.get_sql_like() -> o SqlHelper.get_sql_like()
https://github.com/sysphonic/thetis/commit/a61dc72035c7ae0b06f6d7dc8b2a848ffc7db277
GitHub
Reinforcement of security. (1b82347)
https://github.com/sysphonic/thetis/commit/1b8234706e1294f41df42f3d1ccb71b983ffbe23
GitHub
Reinforcement of security. (4ca3f5f)
https://github.com/sysphonic/thetis/commit/4ca3f5f486759660b87d7c146f1fdc11264f56eb
GitHub
Reinforcement of security. (8004ee0)
https://github.com/sysphonic/thetis/commit/8004ee0c384daae0b28478ff8193d1990c397f57
GitHub
Reinforcement of security. (842e44f)
https://github.com/sysphonic/thetis/commit/842e44f0c2bd7d680430bb89a3bb78fd744961f9
GitHub
Reinforcement of security. (ce535a3)
https://github.com/sysphonic/thetis/commit/ce535a38ec92ff0f98af11ab41a425d1529a31ef
GitHub
Some trivial bug-fixes.
https://github.com/sysphonic/thetis/commit/d9ed965075634ca1a095b480b459c68445ce951d
GitHub
Thetis ver.2.3.0: Reinforcement of security.
https://github.com/sysphonic/thetis/commit/c07e255d2296d50a0bffafaf66a76f8f1b53621f
Sysphonic Co., Ltd.
Sysphonic Co., Ltd. website
http://sysphonic.com/en/thetis/THETIS-SEC-001.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2972
JVN
JVN#19011483
http://jvn.jp/en/jp/JVN19011483/index.html
National Vulnerability Database (NVD)
CVE-2015-2972
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2972
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/15]
 Web page was published
[2015/07/27]
 References : Content was added
 Vendor Information : Contents were added
2015-07-15T15:54:33+09:00
2015-07-27T15:07:49+09:00
2015-07-15T00:00:00+09:00
JVNDB-2015-000101
PHP for Windows vulnerable to OS command injection
PHP for Windows contains an OS command injection vulnerability due to a processing flaw in the escapeshellarg function. Masahiro Yamada reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The PHP Group
PHP
cpe:/a:php:php
for Windows versions prior to 5.4.42
for Windows versions prior to 5.5.26
for Windows versions prior to 5.6.10
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Specifying a specially crafted parameter in the escapeshellarg function may result in an arbitrary OS command being executed.
[Apply the patch] Apply the patch according to the information provided by the developer.
PHP
Sec Bug #69646 OS command injection vulnerability in escapeshellarg
https://bugs.php.net/bug.php?id=69646
PHP
PHP ChangeLog 5.6.10
http://www.php.net/ChangeLog-5.php#5.6.10
PHP
PHP ChangeLog 5.5.26
http://www.php.net/ChangeLog-5.php#5.5.26
PHP
PHP ChangeLog 5.4.42
http://www.php.net/ChangeLog-5.php#5.4.42
The PHP Group
Fix bug #69646 OS command injection vulnerability in escapeshellarg
http://git.php.net/?p=php-src.git;a=commit;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9
Turbolinux Security Advisory
TLSA-2015-15
http://www.turbolinux.co.jp/security/2015/TLSA-2015-15j.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-4642
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642
IPA SECURITY ALERTS
Security Alert for Vulnerability in PHP for Windows (JVN#73568461)
http://www.ipa.go.jp/security/ciadr/vul/20150717-jvn.html
JVN
JVN#73568461
https://jvn.jp/en/jp/JVN73568461/index.html
National Vulnerability Database (NVD)
CVE-2015-4642
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4642
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/17]
 Web page was published
[2015/07/22]
 References : Content was added
[2015/07/30]
 Vendor Information : Content was added
[2016/05/19]
 References : Content was added
 Vendor Information : Content was added
2015-07-17T14:44:12+09:00
2016-05-19T17:43:40+09:00
2015-07-17T00:00:00+09:00
JVNDB-2015-000103
Welcart vulnerable to cross-site scripting
Welcart provided by Collne Inc. is a WordPress plugin for creating shopping websites. Welcart contains a cross-site scripting (CWE-79) vulnerability due to the processing of the usces_referer parameter in admin.php. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Collne Inc.
Welcart
cpe:/a:collne:welcart_plugin
1.4.17 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged into WordPress with this plugin enabled, an arbitrary script may be executed on the user's web browser.
[Apply an Update] Apply the update according to the information provided by the developer.
Collne Inc.
Changes in usc-e-shop [1199108:1199120]
https://goo.gl/5iLFBV
Collne Inc.
Changeset 1199120
https://plugins.trac.wordpress.org/changeset/1199120
Welcart
Community Top
http://www.welcart.com/community/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2973
JVN
JVN#97971874
http://jvn.jp/en/jp/JVN97971874/index.html
National Vulnerability Database (NVD)
CVE-2015-2973
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2973
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/24]
 Web page was published
[2015/07/28]
 References : Content was added
 Vendor Information : Content was added
2015-07-24T14:33:40+09:00
2015-07-28T17:51:21+09:00
2015-07-24T00:00:00+09:00
JVNDB-2015-000104
Research Artisan Lite vulnerable to cross-site scripting
Research Artisan Lite provided by Research Artisan Project is an access analysis tool. Research Artisan Lite contains multiple cross-site scripting vulnerabilities (CWE-79). Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Research Artisan Project
Research Artisan Lite
cpe:/a:research-artisan:research_artisan_lite
prior to ver.1.18
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
There are two attack scenarios. 1. If a user views a malicious web page, an arbitrary script may be executed on the user's web browser. 2. An attacker accesses a specially crafted URL that may contain JavaScript code. The server then stores this access in its logs for analysis. When an administrator views the analysis results, the script is executed on the administrator's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Research Artisan Project
Research Artisan Project website
http://lite.research-artisan.net/main/download
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2976
JVN
JVN#58020495
https://jvn.jp/en/jp/JVN58020495/index.html
National Vulnerability Database (NVD)
CVE-2015-2976
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2976
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/24]
 Web page was published
[2015/07/28]
 References : Content was added
2015-07-24T14:36:47+09:00
2015-07-28T17:29:35+09:00
2015-07-24T00:00:00+09:00
JVNDB-2015-000105
Research Artisan Lite does not properly perform authentication
Research Artisan Lite provided by Research Artisan Project is an access analysis tool. Research Artisan Lite does not properly perform authentication (CWE-592). Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Research Artisan Project
Research Artisan Lite
cpe:/a:research-artisan:research_artisan_lite
prior to ver.1.18
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An attacker may perform operations in Research Artisan Lite without logging into the system.
[Update the Software] Update to the latest version according to the information provided by the developer.
Research Artisan Project
Research Artisan Project website
http://lite.research-artisan.net/main/download
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2975
JVN
JVN#10559378
https://jvn.jp/en/jp/JVN10559378/index.html
National Vulnerability Database (NVD)
CVE-2015-2975
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2975
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/24]
 Web page was published
[2015/07/28]
 References : Content was added
2015-07-24T14:46:47+09:00
2015-07-28T17:22:10+09:00
2015-07-24T00:00:00+09:00
JVNDB-2015-000106
Gazou BBS plus vulnerability in file upload processing
Gazou BBS plus provided by LEMON-S PHP contains a vulnerability in the processing of file uploads. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LEMON-S PHP
Gazou BBS plus
cpe:/a:lemon-s_php:gazou_bbs_plus
versions prior to v2.36
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An image file may be specially crafted to upload arbitrary HTML files.
[Apply an Update] Apply the update according to the information provided by the provider.
LEMON-S PHP
Information from LEMON-S PHP
http://php.lemon-s.com/gazoup.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2974
JVN
JVN#86680970
https://jvn.jp/en/jp/JVN86680970/index.html
National Vulnerability Database (NVD)
CVE-2015-2974
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2974
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/28]
 Web page was published
[2015/07/30]
 References : Content was added
2015-07-28T13:47:59+09:00
2015-07-30T15:14:52+09:00
2015-07-28T00:00:00+09:00
JVNDB-2015-000107
yoyaku_v41 vulnerable to arbitrary file creation
yoyaku_v41 provided by Webservice-DIC is software for managing conference room reservations. yoyaku_v41 contains a vulnerability that may allow a remote attacker to create arbitrary files (CWE-20). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Webservice-DIC
yoyaku_v41
cpe:/a:d-ic:yoyaku_v41
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
An arbitrary file created by an attacker may result in arbitrary code being executed on the server.
[Do not use yoyaku_v41] yoyaku_v41 is no longer being developed or maintained. It is recommended to stop using yoyaku_v41.
JVN
Information from Webservice-DIC
http://jvn.jp/en/jp/JVN46674982/238008/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2977
JVN
JVN#46674982
http://jvn.jp/en/jp/JVN46674982/index.html
National Vulnerability Database (NVD)
CVE-2015-2977
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2977
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/29]
 Web page was published
[2015/07/30]
 References : Content was added
2015-07-29T14:58:32+09:00
2015-07-30T15:14:53+09:00
2015-07-29T00:00:00+09:00
JVNDB-2015-000108
yoyaku_v41 vulnerable to authentication bypass
yoyaku_v41 provided by Webservice-DIC is software for managing conference room reservations. yoyaku_v41 contains an authentication bypass vulnerability (CWE-592). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Webservice-DIC
yoyaku_v41
cpe:/a:d-ic:yoyaku_v41
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
A remote attacker could bypass yoyaku_v41's authentication and make an unintended reservation.
[Do not use yoyaku_v41] yoyaku_v41 is no longer being developed or maintained. It is recommended to stop using yoyaku_v41.
JVN
Information from Webservice-DIC
http://jvn.jp/en/jp/JVN52248864/238008/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2978
JVN
JVN#52248864
http://jvn.jp/en/jp/JVN52248864/index.html
National Vulnerability Database (NVD)
CVE-2015-2978
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2978
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/29]
 Web page was published
[2015/07/30]
 References : Content was added
2015-07-29T14:58:34+09:00
2015-07-30T15:14:55+09:00
2015-07-29T00:00:00+09:00
JVNDB-2015-000109
yoyaku_v41 vulnerable to OS command injection
yoyaku_v41 provided by Webservice-DIC is software for managing conference room reservations. yoyaku_v41 contains an OS command injection vulnerability (CWE-78). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Webservice-DIC
yoyaku_v41
cpe:/a:d-ic:yoyaku_v41
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
An arbitrary OS command may be executed with the privileges of the web server on the server where yoyaku_v41 is running.
[Do not use yoyaku_v41] yoyaku_v41 is no longer being developed or maintained. It is recommended to stop using yoyaku_v41.
JVN
Information from Webservice-DIC
http://jvn.jp/en/jp/JVN17522792/238008/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2979
JVN
JVN#17522792
http://jvn.jp/en/jp/JVN17522792/index.html
National Vulnerability Database (NVD)
CVE-2015-2979
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2979
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/07/29]
 Web page was published
[2015/07/30]
 References : Content was added
2015-07-29T14:58:36+09:00
2015-07-30T15:14:56+09:00
2015-07-29T00:00:00+09:00
JVNDB-2015-000110
Yodobashi App for Android vulnerable to arbitrary Java method execution
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. contains a vulnerability where an arbitrary Java method may be executed. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
YODOBASHI CAMERA CO.,LTD.
Yodobashi App for Android
cpe:/a:yodobashi:yodobashi
versions 1.2.1.0 and earlier
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
When opening a specially crafted website, an attacker may be able to execute an arbitrary Java method. As a result, information stored in Android devices may be obtained or arbitrary OS commands may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
Yodobashi App for Android
https://play.google.com/store/apps/details?id=com.yodobashi.iShop&hl=
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2980
JVN
JVN#70465405
http://jvn.jp/en/jp/JVN70465405/index.html
National Vulnerability Database (NVD)
CVE-2015-2980
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2980
JVNDB
CWE-DesignError
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/07]
 Web page was published
[2015/08/11]
 References : Content was added
2015-08-07T13:50:54+09:00
2015-08-11T12:22:21+09:00
2015-08-07T00:00:00+09:00
JVNDB-2015-000111
Yodobashi App for Android fails to verify SSL server certificates
Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. fails to verify SSL server certificates. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
YODOBASHI CAMERA CO.,LTD.
Yodobashi App for Android
cpe:/a:yodobashi:yodobashi
versions 1.2.1.0 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
Yodobashi App for Android
https://play.google.com/store/apps/details?id=com.yodobashi.iShop&hl=
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2981
JVN
JVN#29053368
http://jvn.jp/en/jp/JVN29053368/index.html
National Vulnerability Database (NVD)
CVE-2015-2981
https://nvd.nist.gov/vuln/detail/CVE-2015-2981
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/07]
 Web page was published
1
2018-04-04T09:59:36+09:00
[2018/04/04]
 References : Content was added
2015-08-07T13:50:52+09:00
2018-04-04T12:28:00+09:00
2015-08-07T00:00:00+09:00
JVNDB-2015-000112
Microsoft Office discloses a file path of a local file
When a file such as a clipart or an image is inserted in Office documents, the absolute path of the local file is stored in "alternative text". Yosuke HASEGAWA of SecureSky Technology Inc. and Miyuki Chikara of MARUS JAPAN Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Microsoft Corporation
Microsoft Office
cpe:/a:microsoft:office
2007
2010
for Mac 2011
Medium
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
An attacker may obtain information about the file system or the user name through Office documents.
[Upgrade the Software] Upgrade to the appropriate version according to the information provided by the developer. * Microsoft Office 2013 (latest version) for Office on Windows * Microsoft Office 2016 for Mac for Office on Mac [Apply a workaround] The following workaround may mitigate the effects of this vulnerability. * Manually delete or edit the "alternative text" of objects in Office documents.
JVN
Information from Microsoft Japan Co.,Ltd.
http://jvn.jp/en/jp/JVN20459920/4953/index.html
Microsoft
Add alternative text to a shape, picture, chart, table, SmartArt graphic, or other object
https://support.office.com/en-us/article/Add-alternative-text-to-a-shape-picture-chart-table-SmartArt-graphic-or-other-object-44989b2a-903c-4d9a-b742-6a75b451c669
JVN
JVN#20459920
http://jvn.jp/en/jp/JVN20459920/index.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/12]
 Web page was published
2015-08-12T15:13:55+09:00
2015-08-12T15:13:55+09:00
2015-08-12T00:00:00+09:00
JVNDB-2015-000113
Photo Gallery CMS for PC, smartphone and feature phone (Free) vulnerable to cross-site scripting
Photo Gallery CMS for PC, smartphone and feature phone (Free) provided by PHP Kobo contains a cross-site scripting (CWE-79) vulnerability in admin.php. Yuji Tounai of NTT Com Security(Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
PHP Kobo
Photo Gallery CMS for PC, smartphone and feature phone (Free)
cpe:/a:php_kobo:photo_gallery_cms_free
ver.1.0.1 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Replace admin.php with a new version according to the information provided by the developer.
PHP Kobo
Photo Gallery CMS for PC, smartphone and feature phone (Free)
http://www.php-factory.net/trivia/16.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2982
JVN
JVN#69175956
http://jvn.jp/en/jp/JVN69175956/index.html
National Vulnerability Database (NVD)
CVE-2015-2982
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2982
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/12]
 Web page was published
[2015/08/26]
 References : Content was added
2015-08-12T15:13:58+09:00
2015-08-26T17:38:58+09:00
2015-08-12T00:00:00+09:00
JVNDB-2015-000114
Photo Gallery CMS for PC, smartphone and feature phone (Free) vulnerable to cross-site request forgery
Photo Gallery CMS for PC, smartphone and feature phone (Free) provided by PHP Kobo contains a cross-site request forgery (CWE-352) vulnerability in admin.php. Yuji Tounai of NTT Com Security(Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
PHP Kobo
Photo Gallery CMS for PC, smartphone and feature phone (Free)
cpe:/a:php_kobo:photo_gallery_cms_free
ver.1.0.1 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged in, unintended operations may be performed.
[Update the Software] Replace admin.php with a new version according to the information provided by the developer.
PHP Kobo
Photo Gallery CMS for PC, smartphone and feature phone (Free)
http://www.php-factory.net/trivia/16.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2983
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2983
JVN
JVN#78240242
http://jvn.jp/en/jp/JVN78240242/index.html
National Vulnerability Database (NVD)
CVE-2015-2983
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2983
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/12]
 Web page was published
[2015/08/26]
 References : Content was added
2015-08-12T15:13:59+09:00
2015-08-26T17:28:58+09:00
2015-08-12T00:00:00+09:00
JVNDB-2015-000115
Japan Connected-free Wi-Fi vulnerable to URL whitelist bypass
Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. contains an issue where an arbitrary page may be loaded if the application is launched with the URL-scheme. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NTT Broadband Platform, Inc.
Japan Connected-free Wi-Fi
cpe:/a:ntt-bp:japan_connected-free_wi-fi
for Android 1.15.1 and earlier
for iOS 1.13.0 and earlier that have not applied the contents update provided on April 26, 2016
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
The Android version of this app may allow an arbitrary API to be executed if the permissions to execute that API are granted in the Android manifest. The iOS version of this app may allow an arbitrary API to be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
App Store
For iOS
https://itunes.apple.com/en/app/japan-connected-free-wi-fi/id810838196?mt=8
Google Play
For Android
https://play.google.com/store/apps/details?id=com.nttbp.jfw
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5629
JVN
JVN#04644117
http://jvn.jp/en/jp/JVN04644117/index.html
National Vulnerability Database (NVD)
CVE-2015-5629
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5629
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/11]
 Web page was published
[2015/09/15]
 References : Content was added
[2016/05/27]
 Affected Products : Product version and Content were modified
 Impact was modified
2015-09-11T14:16:51+09:00
2016-05-27T14:32:58+09:00
2015-09-11T00:00:00+09:00
JVNDB-2015-000116
Japan Connected-free Wi-Fi vulnerable to script injection
Japan Connected-free Wi-Fi provided by NTT Broadband Platform, Inc. is vulnerable to script injection when displaying malformed strings contained in SSID. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NTT Broadband Platform, Inc.
Japan Connected-free Wi-Fi
cpe:/a:ntt-bp:japan_connected-free_wi-fi
for Android 1.6.0 and earlier
for iOS 1.0.2 and earlier
Medium
5.4
AV:A/AC:M/Au:N/C:P/I:P/A:P
When the device running the app connects to an access point and its SSID contains malicious script, the script may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
App Store
For iOS
https://itunes.apple.com/en/app/japan-connected-free-wi-fi/id810838196?mt=8
Google Play
For Android
https://play.google.com/store/apps/details?id=com.nttbp.jfw
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5630
JVN
JVN#41048401
http://jvn.jp/en/jp/JVN41048401/index.html
National Vulnerability Database (NVD)
CVE-2015-5630
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5630
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/11]
 Web page was published
[2015/09/15]
 References : Content was added
2015-09-11T14:17:13+09:00
2015-09-15T17:17:45+09:00
2015-09-11T00:00:00+09:00
JVNDB-2015-000117
Multiple I-O DATA LAN routers vulnerable in UPnP functionality
A wired LAN router NP-BBRS and a wireless LAN router WN-G54/R2 provided by I-O DATA DEVICE, INC. contain a vulnerability in the UPnP functionality.
I-O DATA DEVICE, INC.
NP-BBRS
cpe:/h:i-o_data_device:np-bbrs
with all firmware versions
I-O DATA DEVICE, INC.
WN-G54/R2
cpe:/h:i-o_data_device:wn-g54%2Fr2
with firmware prior to Ver.1.03
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
The device may be used in a DDoS attack as an SSDP reflector.
For NP-BBRS: [Do not use NP-BBRS] The developer has stated that support for NP-BBRS has been discontinued and therefore recommends that users stop using NP-BBRS. Note that the successor to NP-BBRS, ETX2-RA, is not affected by this vulnerability. For WN-G54/R2: [Update the Firmware] I-O DATA DEVICE, INC. has released firmware Ver.1.03 to address this vulnerability. Update to the latest version of firmware according to the information provided by the developer.
Security Information
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2015/wn-g54r2/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2984
JVN
JVN#17964918
https://jvn.jp/en/jp/JVN17964918/index.html
National Vulnerability Database (NVD)
CVE-2015-2984
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2984
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/18]\n Web page was published\n[2015/08/28]\n References : Content was added
2015-08-18T15:21:36+09:00
2015-08-28T17:29:11+09:00
2015-08-18T00:00:00+09:00
JVNDB-2015-000118
Apache Tapestry deserializes untrusted data
Apache Tapestry contains a vulnerability where it may deserialize untrusted data. Apache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface where client side serialized data sent to the server is deserialized after it is received by the server. This data serialization / deserialization process does not contain data validation. Therefore, if the serialized data is altered, the server will deserialize the data without validating it (CWE-502). Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Tapestry
cpe:/a:apache:tapestry
5.0.x (all versions)
5.1.x (all versions)
5.2.x (all versions)
5.3 to 5.3.5
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
When specially crafted input is processed, arbitrary files may be written or arbitrary code may be executed on the application server.
[Apply an Update] Update to the latest version according to the information provided by the developer.
Apache Software Foundation
Release Notes 5.3.6
https://tapestry.apache.org/release-notes-536.html
ASF JIRA
Serialized object data stored on the client should be HMAC signed and validated
https://issues.apache.org/jira/browse/TAP5-2008
Common Vulnerabilities and Exposures (CVE)
CVE-2014-1972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1972
JPCERT
OracleJava-AtomicReferenceArray.pdf
https://www.jpcert.or.jp/securecoding/2014/OracleJava-AtomicReferenceArray.pdf
JVN
JVN#17611367
https://jvn.jp/en/jp/JVN17611367/index.html
National Vulnerability Database (NVD)
CVE-2014-1972
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1972
Related Information
SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary
https://www.securecoding.cert.org/confluence/display/java/SER02-J.+Sign+then+seal+sensitive+objects+before+sending+them+outside+a+trust+boundary;jsessionid=6418285E96FE6503CBFF59A54A87B1E7
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/20]\n Web page was published\n[2015/08/26]\n References : Content was added
2015-08-20T15:53:19+09:00
2015-08-26T17:51:02+09:00
2015-08-20T00:00:00+09:00
JVNDB-2015-000119
File Encryption Software "ED" where encrypted data may be easier to decipher when files of small size are encrypted
File encryption software "ED" contains an issue where files of small size, when encrypted, may become easier to decipher in comparison to files of a larger size. When encrypting small files that are smaller than the block size (128 bits), file encryption software "ED" encrypts such files with "a stream cipher combining ECB mode of the selected encryption algorithm on key generation". This makes the resulting encrypted data relatively easy to decipher. For more details on this specification, please refer to the documentation (http://type74.org/edman5-1.php) provided by the developer. Yutaka Sawada reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Type74.org
File encryption software "ED"
cpe:/a:type74:ed
prior to Ver4.0
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
When a file that is less than 16 bytes in size is encrypted, there is a possibility that it can be deciphered through differential cryptanalysis.
[Update the software] Update the software to Ver4.0 or later according to the information provided by the developer. [Apply a Workaround] If an update to Ver4.0 or later cannot be applied, the following workaround will mitigate the effects of this issue. - Do not encrypt files less than 16 bytes in size
Type74.org
ED Manual - 5-1 - About Encryption Algorithms
http://type74.org/edman5-1.php
Type74.org
File Encryption Software "ED"
http://type74.org/ed.php
Type74.org
Blog of Type74.org
http://type74org.blog14.fc2.com/blog-entry-1384.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2987
JVN
JVN#91474878
http://jvn.jp/en/jp/JVN91474878/index.html
National Vulnerability Database (NVD)
CVE-2015-2987
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2987
JVNDB
CWE-DesignError
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/08/27]\n Web page was published\n[2015/09/02]\n References : Content was added\n Vendor Information : Content was added
2015-08-27T15:03:17+09:00
2015-09-02T17:57:19+09:00
2015-08-27T00:00:00+09:00
JVNDB-2015-000120
Rakuten card App for iOS fails to verify SSL server certificates
Rakuten card App for iOS provided by Rakuten Card Co., Ltd. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Rakuten Card Co., Ltd.
Rakuten card App for iOS
cpe:/a:misc:rakuten_rakutencard_for_ios
versions 5.2.0 to 5.2.4
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
App Store
Rakuten Card Co., Ltd. website
https://itunes.apple.com/jp/app/le-tiankado/id570105907?mt=8
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2988
JVN
JVN#81207766
https://jvn.jp/en/jp/JVN81207766/index.html
National Vulnerability Database (NVD)
CVE-2015-2988
https://nvd.nist.gov/vuln/detail/CVE-2015-2988
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/01]\n Web page was published
1
2018-03-14T11:52:06+09:00
[2018/03/14]\n References : Content was added
2015-09-01T14:18:31+09:00
2018-03-14T12:30:49+09:00
2015-09-01T00:00:00+09:00
JVNDB-2015-000121
Twit BBS vulnerable to cross-site scripting
Twit BBS provided by LEMON-S PHP contains a persistent cross-site scripting (CWE-79) vulnerability due to the processing of the imagetitle parameter in index.php. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LEMON-S PHP
Twit BBS
cpe:/a:lemon-s_php:twit_bbs
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use Twit BBS] Twit BBS is no longer being developed or maintained. It is recommended to stop using Twit BBS.
LEMON-S PHP
Information from LEMON-S PHP
http://php.lemon-s.com/twitbbs.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2989
JVN
JVN#77193915
https://jvn.jp/en/jp/JVN77193915/index.html
National Vulnerability Database (NVD)
CVE-2015-2989
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2989
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/01]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-01T14:18:52+09:00
2015-09-09T14:02:48+09:00
2015-09-01T00:00:00+09:00
JVNDB-2015-000122
desknet's NEO vulnerable to directory traversal
desknet's NEO provided by NEOJAPAN Inc. contains a directory traversal (CWE-22) vulnerability where it fails to verify the html parameter in zhtml.cgi. Hiroyuki Yamashita of M&K Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NEOJAPAN,Inc.
desknet's NEO
cpe:/a:neo_japan:desknet_neo
V2.0R1.0 to V2.5R1.4
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
An authenticated attacker may view arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer. [Apply the Patch] Apply the patch according to the information provided by the developer.
desknet's
NEOJAPAN,Inc. website
http://www.desknets.com/neo/support/mainte/2590/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2990
JVN
JVN#09283606
http://jvn.jp/en/jp/JVN09283606/index.html
National Vulnerability Database (NVD)
CVE-2015-2990
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2990
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/01]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-01T12:36:54+09:00
2015-09-09T14:02:49+09:00
2015-09-01T00:00:00+09:00
JVNDB-2015-000123
NScripter vulnerable to buffer overflow
NScripter is a script engine to build and execute games. NScripter contains a buffer overflow vulnerability due to a flaw in processing save data. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Naoki Takahashi
NScripter
cpe:/a:nscripter_project:nscripter
prior to Ver3.00 and Games built using NScripter prior to Ver3.00
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
By processing specially crafted save data, arbitrary code may be executed.
For developers using NScripter: [Update and Rebuild the Game] Update NScripter to the latest version according to the information provided by the developer and rebuild the games. For users of the games built using NScripter: [Update the Game] Update the game to the latest version according to the information provided by each respective game developer.
Naoki Takahashi
Naoki Takahashi website
http://www.nscripter.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2991
IPA SECURITY ALERTS
Security Alert for Vulnerability in NScripter (JVN#08494613)
https://www.ipa.go.jp/security/ciadr/vul/20150902-jvn.html
JVN
JVN#08494613
https://jvn.jp/en/jp/JVN08494613/index.html
National Vulnerability Database (NVD)
CVE-2015-2991
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2991
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/02]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-02T15:46:10+09:00
2015-09-09T14:02:50+09:00
2015-09-02T00:00:00+09:00
JVNDB-2015-000124
Apache Struts vulnerable to cross-site scripting
Apache Struts provided by the Apache Software Foundation is a software framework for creating web applications in Java. Apache Struts is vulnerable to cross-site scripting when JSP files can be accessed directly. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Struts
cpe:/a:apache:struts
versions prior to 2.3.20
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's Internet Explorer when the XSS filter is turned off.
[Update the software] Update the software according to the information provided by the developer. The developer also recommends the following: - Place JSP files under the 'WEB-INF' folder to avoid direct access - Add a security constraint to the web.xml file
Apache Software Foundation
Announcements - 26 August 2015
https://struts.apache.org/announce.html#a20150826
Apache Software Foundation
S2-025 - Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files
https://struts.apache.org/docs/s2-025.html
Apache Software Foundation
Apache Struts2 Core Developers Guide / Security
https://struts.apache.org/docs/security.html#Security-NeverexposeJSPfilesdirectly
Apache Struts
Apache Struts 1 End-Of-Life (EOL) Announcement
https://struts.apache.org/struts1eol-announcement.html
NEC Security Information
NV15-020
http://jpn.nec.com/security-info/secinfo/nv15-020.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2992
JVN
JVN#88408929
http://jvn.jp/en/jp/JVN88408929/index.html
National Vulnerability Database (NVD)
CVE-2015-2992
https://nvd.nist.gov/vuln/detail/CVE-2015-2992
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/04]\n Web page was published\n[2015/09/07]\n Affected Products : Content was added\n Vendor Information : Content was added\n[2015/12/25]\n Vendor Information : Content was added
2015-09-04T15:12:38+09:00
2015-12-25T13:45:45+09:00
2015-09-04T00:00:00+09:00
JVNDB-2015-000125
Apache Struts vulnerable to cross-site scripting
Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a cross-site scripting vulnerability when devMode is left turned on. Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Struts
cpe:/a:apache:struts
versions prior to 2.3.20
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer. [Apply a Workaround] If an update cannot be applied, the following workaround can mitigate the effects of this vulnerability. - Turn off devMode
Apache Software Foundation
Announcements - 26 August 2015
https://struts.apache.org/announce.html#a20150826
Apache Software Foundation
S2-025 - Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files
https://struts.apache.org/docs/s2-025.html
Apache Software Foundation
Apache Struts2 Core Developers Guide / Security
https://struts.apache.org/docs/security.html#Security-DisabledevMode
Apache Software Foundation
devMode
https://struts.apache.org/docs/devmode.html
Apache Struts
Apache Struts 1 End-Of-Life (EOL) Announcement
https://struts.apache.org/struts1eol-announcement.html
NEC Security Information
NV17-016
http://jpn.nec.com/security-info/secinfo/nv17-016.html
Red Hat Bugzilla
Bug 1260087
https://bugzilla.redhat.com/show_bug.cgi?id=1260087
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5169
JVN
JVN#95989300
http://jvn.jp/en/jp/JVN95989300/index.html
National Vulnerability Database (NVD)
CVE-2015-5169
https://nvd.nist.gov/vuln/detail/CVE-2015-5169
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/04]\n Web page was published\n[2015/09/07]\n Affected Products : Content was added\n Vendor Information : Content was added\n[2017/07/25]\n Vendor Information : Content was added\n[2017/10/02]\n References : Content was added\n Vendor Information : Content was added
2015-09-04T15:12:59+09:00
2017-10-02T12:08:50+09:00
2015-09-04T00:00:00+09:00
JVNDB-2015-000126
eXtplorer vulnerable to cross-site request forgery
eXtplorer is a web-based file manager. index.php of eXtplorer contains a cross-site request forgery (CWE-352) vulnerability. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
eXtplorer
eXtplorer
cpe:/a:extplorer:extplorer
2.1.7 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
If a user views a malicious page while logged in, the user may be forced to implicitly perform unintended operations such as the execution of arbitrary PHP code.
[Update the Software] Update to the latest version according to the information provided by the developer.
eXtplorer
eXtplorer 2.1.8 released
http://extplorer.net/news/18
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5660
JVN
JVN#92520335
http://jvn.jp/en/jp/JVN92520335/index.html
National Vulnerability Database (NVD)
CVE-2015-5660
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5660
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/15]\n Web page was published\n[2015/10/19]\n References : Content was added
2015-10-15T12:24:57+09:00
2015-10-19T15:55:32+09:00
2015-10-15T00:00:00+09:00
JVNDB-2015-000127
ELPhoneBtnV6 ActiveX control vulnerable to buffer overflow
ELPhoneBtnV6 ActiveX control was used for "Click to Live" service provided by FreeBit Co., Ltd. Although "Click to Live" service has been discontinued, PCs that used the "Click to Live" service may still have the ActiveX control installed. ELPhoneBtnV6 ActiveX control, which is provided by the file c2lv6.ocx, contains a buffer overflow vulnerability in the ExecCall() method. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FreeBit Co., Ltd.
ELPhoneBtnV6 ActiveX control
cpe:/a:freebit:elphonebtnv6_activex_control
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
By convincing a user to view a specially crafted HTML document (e.g., a web page, an HTML email message, or an HTML email attachment), an attacker may be able to execute arbitrary code with the privileges of the user.
[Delete the ELPhoneBtnV6] "Click to Live" service has been discontinued. It is recommended to delete the ELPhoneBtnV6 ActiveX Control.
FreeBit Co., Ltd.
Information from FreeBit Co., Ltd.
https://jvn.jp/en/jp/JVN62078684/476863/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5624
JVN
JVN#62078684
https://jvn.jp/en/jp/JVN62078684/index.html
National Vulnerability Database (NVD)
CVE-2015-5624
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5624
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/07]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-07T13:38:46+09:00
2015-09-09T14:02:50+09:00
2015-09-07T00:00:00+09:00
JVNDB-2015-000128
OpenDocMan vulnerable to cross-site scripting
OpenDocMan is a document management system (DMS). OpenDocMan contains a cross-site scripting vulnerability due to a processing flaw in the "redirection" parameter. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Free Document Management Software
OpenDocMan
cpe:/a:opendocman:opendocman
versions prior to 1.3.4
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's Mozilla Firefox.
[Update the software] Update to the latest version according to information provided by the developer.
OpenDocMan
Free Download
http://www.opendocman.com/free-download/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5625
JVN
JVN#00015036
http://jvn.jp/en/jp/JVN00015036/index.html
National Vulnerability Database (NVD)
CVE-2015-5625
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5625
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/04]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-04T18:13:25+09:00
2015-09-09T14:02:51+09:00
2015-09-04T00:00:00+09:00
JVNDB-2015-000129
PIXMA MG7500 Series vulnerable to cross-site request forgery
PIXMA MG7500 Series provided by Canon Inc. contains a cross-site request forgery vulnerability. TOMITA Ryo of Fukuoka Junior High School attached to the Fukuoka University of Education (FUE) reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Canon
PIXMA MG7500 Series
cpe:/h:canon:pixma_mg7500_series_inkjet_printer
Inkjet Printer
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
If a user views a malicious page while logged into the Remote UI, unintended operations may be performed.
[Apply a Workaround] The following workaround can mitigate the effects of this vulnerability. * Do not access other websites while logged into the Remote UI
Canon
Useful Tips for Reducing the Risk of Unauthorized Access for Inkjet Printer (PIXMA series)/Business Inkjet Printer (MAXIFY series)
http://www.canon.com/support/pdf/inkjet-printer.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5631
JVN
JVN#07427376
https://jvn.jp/en/jp/JVN07427376/index.html
National Vulnerability Database (NVD)
CVE-2015-5631
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5631
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/11]\n Web page was published\n[2015/09/15]\n References : Content was added
2015-09-11T14:17:45+09:00
2015-09-15T17:17:46+09:00
2015-09-11T00:00:00+09:00
JVNDB-2015-000130
applican vulnerable to URL whitelist bypass
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican provides a whitelisting function (whitelist.xml) to limit the URLs that applications can access. However, if the application is launched using the URL-scheme, the access restriction is bypassed and URLs that are not whitelisted can be accessed. If an API of applican framework is specified in the URL, the API will be called in the context of the URL. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
applican
cpe:/a:newphoria_corporation:applican
(for Android) versions 1.12.2 and earlier
(for iOS) versions 1.12.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Android apps built using applican may allow an applican API to be executed if that API has been granted permission in the android manifest. iOS apps built using applican may allow an arbitrary API to be executed.
[Update applican and rebuild the application] Update to the latest version of applican and rebuild the application according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN73346595/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5632
JVN
JVN#73346595
http://jvn.jp/en/jp/JVN73346595/index.html
National Vulnerability Database (NVD)
CVE-2015-5632
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5632
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/16]\n Web page was published\n[2015/10/05]\n References : Content was added\n[2015/10/14]\n Affected Products : Content was added
2015-09-16T16:58:07+09:00
2015-10-14T16:30:33+09:00
2015-09-16T00:00:00+09:00
JVNDB-2015-000131
Auction Camera vulnerable to URL whitelist bypass
Auction Camera provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". Auction Camera contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
Auction Camera
cpe:/a:newphoria_corporation:auction_camera
for Android versions 1.1 and earlier
for iOS
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest. iOS version of this app may allow an arbitrary API to be executed.
For Auction Camera for Android: [Update the Software] Update to the latest version according to the information provided by the developer. For Auction Camera for iOS: [Do not use Auction Camera for iOS] Auction Camera for iOS is no longer being developed or maintained. It is recommended to stop using Auction Camera for iOS.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN71815309/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5633
JVN
JVN#71815309
http://jvn.jp/en/jp/JVN71815309/index.html
National Vulnerability Database (NVD)
CVE-2015-5633
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5633
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/16]\n Web page was published\n[2015/10/05]\n References : Content was added
2015-09-16T16:58:08+09:00
2015-09-16T16:58:08+09:00
2015-09-16T00:00:00+09:00
JVNDB-2015-000132
MEGAPHONE MUSIC vulnerable to URL whitelist bypass
MEGAPHONE MUSIC provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". MEGAPHONE MUSIC contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
MEGAPHONE MUSIC
cpe:/a:newphoria_corporation:megaphone_music
for Android versions 1.0 and earlier
for iOS versions 1.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest. iOS version of this app may allow an arbitrary API to be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN83862346/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5634
JVN
JVN#83862346
http://jvn.jp/en/jp/JVN83862346/index.html
National Vulnerability Database (NVD)
CVE-2015-5634
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5634
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/16]\n Web page was published\n[2015/10/02]\n References : Content was added
2015-09-16T16:58:10+09:00
2015-10-02T17:22:39+09:00
2015-09-16T00:00:00+09:00
JVNDB-2015-000133
Koritore vulnerable to URL whitelist bypass
Koritore provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". Koritore contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
Koritore
cpe:/a:newphoria_corporation:koritore
for Android versions 1.0 and earlier
for iOS versions 1.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest. iOS version of this app may allow an arbitrary API to be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN24517322/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5635
JVN
JVN#24517322
https://jvn.jp/en/jp/JVN24517322/index.html
National Vulnerability Database (NVD)
CVE-2015-5635
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5635
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/16]\n Web page was published\n[2015/10/02]\n References : Content was added
2015-09-16T16:58:11+09:00
2015-10-02T17:22:25+09:00
2015-09-16T00:00:00+09:00
JVNDB-2015-000134
Reversi vulnerable to URL whitelist bypass
Reversi provided by Newphoria Corporation Inc. is an application for both iOS and Android built using "applican". Reversi contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
Reversi
cpe:/a:newphoria_corporation:reversi
for Android versions 1.0.2 and earlier
for iOS versions 1.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest. iOS version of this app may allow an arbitrary API to be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN67586379/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5636
JVN
JVN#67586379
https://jvn.jp/en/jp/JVN67586379/index.html
National Vulnerability Database (NVD)
CVE-2015-5636
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5636
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/16]\n Web page was published\n[2015/10/02]\n References : Content was added
2015-09-16T16:58:13+09:00
2015-10-02T17:18:02+09:00
2015-09-16T00:00:00+09:00
JVNDB-2015-000135
Photon vulnerable to URL whitelist bypass
Photon provided by Newphoria Corporation Inc. is an application for Android built using "applican". Photon contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
Photon
cpe:/a:newphoria_corporation:newphoria_photon
for Android versions 1.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest.
[Update the Software] Update to the latest version according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN19948778/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5637
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5637
JVN
JVN#19948778
http://jvn.jp/en/jp/JVN19948778/index.html
National Vulnerability Database (NVD)
CVE-2015-5637
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5637
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/16]\n Web page was published\n[2015/10/02]\n References : Content was added
2015-09-16T16:58:14+09:00
2015-10-02T17:15:20+09:00
2015-09-16T00:00:00+09:00
JVNDB-2015-000136
H2O vulnerable to directory traversal
H2O is an open source web server software. H2O contains an issue in processing URLs, which may result in a directory traversal (CWE-22) vulnerability. Yusuke OSUMI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Kazuho Oku
H2O
cpe:/a:h2o_project:h2o
version 1.4.4 and earlier
version 1.5.0-beta1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A remote attacker may obtain arbitrary files on the server if the "file.dir" directive is specified.
[Update the Software] Update to the latest version according to the information provided by the developer.
Kazuho Oku
Kazuho Oku website
https://h2o.examp1e.net/vulnerabilities.html#CVE-2015-5638
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5638
JVN
JVN#65602714
http://jvn.jp/en/jp/JVN65602714/index.html
National Vulnerability Database (NVD)
CVE-2015-5638
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5638
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/17]\n Web page was published\n[2015/10/05]\n References : Content was added
2015-09-17T13:36:12+09:00
2015-10-05T17:32:32+09:00
2015-09-17T00:00:00+09:00
JVNDB-2015-000137
niconico App for iOS fails to verify SSL server certificates
niconico App for iOS provided by DWANGO Co., Ltd. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
DWANGO Co., Ltd.
niconico
cpe:/a:dwango:niconico
App for iOS version 6.37 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
DWANGO
DWANGO Co., Ltd. website
http://blog.nicovideo.jp/niconews/ni055746.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5639
JVN
JVN#20355129
http://jvn.jp/en/jp/JVN20355129/index.html
National Vulnerability Database (NVD)
CVE-2015-5639
https://nvd.nist.gov/vuln/detail/CVE-2015-5639
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/29]\n Web page was published
1
2018-03-07T12:10:09+09:00
[2018/03/07]\n References : Content was added
2015-09-29T14:05:19+09:00
2018-03-07T12:26:32+09:00
2015-09-29T00:00:00+09:00
JVNDB-2015-000138
baserCMS fails to restrict access permissions
baserCMS is an open-source Contents Management System (CMS). baserCMS contains a vulnerability where user settings may be changed when processing a specially crafted request sent by an attacker logged into the system. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
baserCMS Users Community
baserCMS
cpe:/a:basercms:basercms
3.0.7 and earlier
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N
User information may be changed to arbitrary values by a logged-in attacker who does not have the requisite privileges.
[Update the Software] Update to the latest version according to the information provided by the developer. [Apply the Patch] Patches for versions 3.0.0 through 3.0.7 have been released. For more information, refer to "How to Apply the Patches".
baserCMS Users Community
baserCMS Users Community website
http://basercms.net/security/JVN04855224
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5640
JVN
JVN#04855224
http://jvn.jp/en/jp/JVN04855224/index.html
National Vulnerability Database (NVD)
CVE-2015-5640
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5640
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/30]\n Web page was published\n[2015/10/07]\n References : Content was added
2015-09-30T14:46:04+09:00
2015-10-07T17:38:20+09:00
2015-09-30T00:00:00+09:00
JVNDB-2015-000139
baserCMS vulnerable to SQL injection
baserCMS contains an SQL injection vulnerability. baserCMS is an open-source Contents Management System (CMS). baserCMS contains a vulnerability that allows an authenticated user to inject arbitrary SQL statements (CWE-89). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
baserCMS Users Community
baserCMS
cpe:/a:basercms:basercms
3.0.7 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
A logged-in attacker may execute arbitrary SQL statements.
[Update the Software] Update to the latest version according to the information provided by the developer. [Apply the Patch] Patches for versions 3.0.0 through 3.0.7 have been released. For more information, refer to "How to Apply the Patches".
baserCMS Users Community
baserCMS Users Community website
http://basercms.net/security/JVN79633796
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5641
JVN
JVN#79633796
http://jvn.jp/en/jp/JVN79633796/index.html
National Vulnerability Database (NVD)
CVE-2015-5641
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5641
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/30]\n Web page was published\n[2015/10/07]\n References : Content was added
2015-09-30T14:46:06+09:00
2015-10-07T17:38:21+09:00
2015-09-30T00:00:00+09:00
JVNDB-2015-000140
Canary Labs Trend Web Server vulnerable to buffer overflow
Trend Web Server provided by Canary Labs is a solution used for data visualization. Trend Web Server contains a buffer overflow (CWE-119) vulnerability. Kuang-Chun Hung reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Canary Labs
Trend Web Server
cpe:/a:canarylabs:trendweb
versions prior to 9.5.2
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
A remote attacker may cause a denial-of-service (DoS) or execute arbitrary code by sending a specially crafted TCP packet.
[Stop using Trend Web Server] According to the developer, Trend Web Server is no longer being developed. Please consider using another solution.
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5653
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5653
JVN
JVN#07676450
http://jvn.jp/en/jp/JVN07676450/index.html
National Vulnerability Database (NVD)
CVE-2015-5653
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5653
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/01]\n Web page was published\n[2015/10/06]\n References : Content was added
2015-10-01T14:11:41+09:00
2015-10-06T18:00:34+09:00
2015-10-01T00:00:00+09:00
JVNDB-2015-000141
Python for Windows may insecurely load dynamic libraries
Python for Windows contains an issue with the DLL search path, which may lead to insecurely loading a DLL called readline.pyd. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Python Software Foundation
Python
cpe:/a:python:python
for Windows
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Arbitrary code may be executed with the privileges of python.exe.
[Apply a workaround] Applying the following workaround will mitigate the effects of this issue: * Ensure that a file with the name "readline.pyd" is not in the current directory prior to executing python.exe.
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5652
JVN
JVN#49503705
http://jvn.jp/en/jp/JVN49503705/index.html
National Vulnerability Database (NVD)
CVE-2015-5652
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5652
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/01]\n Web page was published\n[2015/10/08]\n References : Content was added
2015-10-01T14:11:43+09:00
2015-10-08T15:25:52+09:00
2015-10-01T00:00:00+09:00
JVNDB-2015-000142
Apache Cordova plugin cordova-plugin-file-transfer vulnerable to HTTP header injection
cordova-plugin-file-transfer, a plugin for Apache Cordova provided by the Apache Software Foundation, provides functionality to upload and download files in applications created by Apache Cordova. It also provides functionality to add HTTP headers. Android applications that use cordova-plugin-file-transfer contain an HTTP header injection vulnerability due to a flaw in processing file names. Muneaki Nishimura of Sony Digital Network Applications, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
cordova-plugin-file-transfer
cpe:/a:apache:cordova_file_transfer
1.2.1 and earlier versions
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Inclusion of a file name in additional HTTP headers may result in a forged web page being displayed on the user's web browser, arbitrary script execution, or arbitrary values being set for cookies.
[Update the plugin and rebuild the application] Update cordova-plugin-file-transfer to version 1.3.0 or later and rebuild the application. According to the developer, the updated version is compliant with RFC 2616; therefore any non-ASCII characters and control characters will be deleted when adding HTTP headers. For more information, please refer to the information provided by the developer.
Apache Cordova
The Apache Cordova Project Management Committee (PMC) website
http://cordova.apache.org/news/2015/09/21/file-transfer-release.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5204
JVN
JVN#21612597
http://jvn.jp/en/jp/JVN21612597/index.html
National Vulnerability Database (NVD)
CVE-2015-5204
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5204
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/29]\n Web page was published\n[2015/12/21]\n References : Content was added
2015-09-29T14:04:58+09:00
2015-12-21T17:45:29+09:00
2015-09-29T00:00:00+09:00
JVNDB-2015-000143
MATCHA INVOICE vulnerable to SQL injection
MATCHA INVOICE provided by ICZ Corporation is web-based billing management software. MATCHA INVOICE contains multiple SQL injection (CWE-89) vulnerabilities. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ICZ Corporation
MATCHA INVOICE
cpe:/a:icz:matcha_bill
2.5.6 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
An authenticated attacker may obtain or alter information stored in the database.
[Update the Software] Update to the latest version according to the information provided by the developer.
ICZ Corporation
MATCHA INVOICE 2.5.7 Released
http://oss.icz.co.jp/news/?p=1073
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5642
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5642
JVN
JVN#18232032
http://jvn.jp/en/jp/JVN18232032/index.html
National Vulnerability Database (NVD)
CVE-2015-5642
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5642
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/30]\n Web page was published\n[2015/10/08]\n References : Content was added
2015-09-30T15:04:57+09:00
2015-10-08T15:25:53+09:00
2015-09-30T00:00:00+09:00
JVNDB-2015-000144
MATCHA INVOICE vulnerable to code injection
MATCHA INVOICE provided by ICZ Corporation is web-based billing management software. MATCHA INVOICE contains a code injection (CWE-94) vulnerability due to a flaw when configuring the database during installation. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ICZ Corporation
MATCHA INVOICE
cpe:/a:icz:matcha_bill
2.5.6 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
An unauthenticated attacker who can execute the installer may execute arbitrary PHP code on the server where MATCHA INVOICE resides.
[Update the Software] Update to the latest version according to the information provided by the developer.
ICZ Corporation
MATCHA INVOICE 2.5.7 Released
http://oss.icz.co.jp/news/?p=1073
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5643
JVN
JVN#66984217
http://jvn.jp/en/jp/JVN66984217/index.html
National Vulnerability Database (NVD)
CVE-2015-5643
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5643
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/30]\n Web page was published\n[2015/10/08]\n References : Content was added
2015-09-30T15:04:58+09:00
2015-10-08T15:25:55+09:00
2015-09-30T00:00:00+09:00
JVNDB-2015-000145
MATCHA SNS vulnerable to code injection
MATCHA SNS provided by ICZ Corporation is SNS software. MATCHA SNS contains a code injection (CWE-94) vulnerability due to a flaw when configuring the database during installation. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ICZ Corporation
MATCHA SNS
cpe:/a:icz:matchasns
1.3.6 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
An unauthenticated attacker who can execute the installer may execute arbitrary PHP code on the server where MATCHA SNS resides.
[Update the Software] Update to the latest version according to the information provided by the developer.
ICZ Corporation
MATCHA SNS 1.3.7 Released
http://oss.icz.co.jp/news/?p=1075
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5644
JVN
JVN#08535069
http://jvn.jp/en/jp/JVN08535069/index.html
National Vulnerability Database (NVD)
CVE-2015-5644
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5644
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/30]\n Web page was published\n[2015/10/08]\n References : Content was added
2015-09-30T15:05:00+09:00
2015-10-08T15:25:56+09:00
2015-09-30T00:00:00+09:00
JVNDB-2015-000146
MATCHA SNS access restriction bypass vulnerability
MATCHA SNS provided by ICZ Corporation is SNS software. MATCHA SNS contains an access restriction bypass vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ICZ Corporation
MATCHA SNS
cpe:/a:icz:matchasns
1.3.6 and earlier
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N
A user without administrative privileges may obtain administrative privileges.
[Update the Software] Update to the latest version according to the information provided by the developer.
ICZ Corporation
MATCHA SNS 1.3.7 Released
http://oss.icz.co.jp/news/?p=1075
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5645
JVN
JVN#85118545
http://jvn.jp/en/jp/JVN85118545/index.html
National Vulnerability Database (NVD)
CVE-2015-5645
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5645
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/30]\n Web page was published\n[2015/10/08]\n References : Content was added
2015-09-30T15:05:01+09:00
2015-10-08T15:25:58+09:00
2015-09-30T00:00:00+09:00
JVNDB-2015-000147
AjaXplorer vulnerable to directory traversal
AjaXplorer contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Pydio
AjaXplorer
cpe:/a:pydio:ajaxplorer
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
An authenticated attacker may view files on the server.
[Use Pydio] The developer states that the development of AjaXplorer has been discontinued and there are no plans for AjaXplorer to be updated. Use Pydio, the successor of AjaXplorer.
Pydio
Pydio, formerly AjaXplorer
https://pyd.io/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5650
JVN
JVN#27462572
http://jvn.jp/en/jp/JVN27462572/index.html
National Vulnerability Database (NVD)
CVE-2015-5650
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5650
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/01]\n Web page was published\n[2015/10/07]\n References : Content was added
2015-10-01T14:11:45+09:00
2015-10-07T17:38:23+09:00
2015-10-01T00:00:00+09:00
JVNDB-2015-000148
Dotclear vulnerable to cross-site scripting
Dotclear is weblog software. Dotclear contains a cross-site scripting vulnerability. Yuji Tounai of NTT Com Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Dotclear
Dotclear
cpe:/a:dotclear:dotclear
versions 2.8.0 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a specially crafted page while logged in, an arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Dotclear
Dotclear 2.8.1
http://dotclear.org/blog/post/2015/09/23/Dotclear-2.8.1
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5651
JVN
JVN#65668004
http://jvn.jp/en/jp/JVN65668004/index.html
National Vulnerability Database (NVD)
CVE-2015-5651
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5651
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/02]\n Web page was published\n[2015/10/06]\n References : Content was added
2015-10-02T13:36:42+09:00
2015-10-06T18:02:53+09:00
2015-10-02T00:00:00+09:00
JVNDB-2015-000149
gollum vulnerable to file exposure
gollum is a wiki system that uses git repositories. gollum contains a vulnerability which may allow an attacker to view arbitrary files on the server. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
gollum
gollum
cpe:/a:gollum_project:gollum
v4.0.0 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
A remote attacker may view arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
Issue#1070: [SECURITY] [FIXED] Information disclosure vulnerability, please update!
https://github.com/gollum/gollum/issues/1070
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7314
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7314
JVN
JVN#27548431
http://jvn.jp/en/jp/JVN27548431/index.html
National Vulnerability Database (NVD)
CVE-2015-7314
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7314
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/02]\n Web page was published\n[2015/10/08]\n References : Content was added
2015-10-02T13:36:43+09:00
2015-10-08T15:26:00+09:00
2015-10-02T00:00:00+09:00
JVNDB-2015-000151
Multiple PHP code execution vulnerabilities in Cybozu Garoon
Cybozu Garoon is a groupware. Cybozu Garoon contains multiple PHP code execution vulnerabilities: [CyVDB-863] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code, and [CyVDB-867] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code (CVE-2015-5646); [CyVDB-866] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code in the RSS Reader function (CVE-2015-5647). For more details, refer to the information provided by the developer.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.0.3
High
8.5
AV:N/AC:M/Au:S/C:C/I:C/A:C
An authenticated attacker may execute arbitrary PHP code on the application server.
[Apply the Patch] Apply the appropriate patch according to the information provided by the developer. [Added on May 30, 2016] [Update the Software] The developer has released a version that contains a fix for this vulnerability. Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-863] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code
https://support.cybozu.com/ja-jp/article/8809
Cybozu
[CyVDB-866] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code in RSS Reader function
https://support.cybozu.com/ja-jp/article/8810
Cybozu
[CyVDB-867] Cybozu Garoon allows remote authenticated users to execute arbitrary PHP code
https://support.cybozu.com/ja-jp/article/8811
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5646
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5647
IPA SECURITY ALERTS
Security Alert for Vulnerability in Cybozu Garoon (JVN#21025396)
http://www.ipa.go.jp/security/ciadr/vul/20151007-jvn.html
JVN
JVN#21025396
https://jvn.jp/en/jp/JVN21025396/index.html
National Vulnerability Database (NVD)
CVE-2015-5647
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5647
National Vulnerability Database (NVD)
CVE-2015-5646
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5646
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/07]\n Web page was published\n[2015/10/14]\n References : Contents were added\n[2016/05/30]\n Solution was modified
2015-10-07T14:48:03+09:00
2016-05-30T15:34:09+09:00
2015-10-07T00:00:00+09:00
JVNDB-2015-000152
Cybozu Garoon vulnerable to LDAP injection
Cybozu Garoon is a groupware. Cybozu Garoon contains an issue in processing authentication requests, which may result in an LDAP injection vulnerability.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.0.3
High
7
AV:N/AC:M/Au:S/C:C/I:P/A:N
A malicious user authorized to administer users in certain groups may obtain information from the authentication server or may perform an unauthorized login to the product.
[Apply the Patch] Apply the appropriate patch according to the information provided by the developer. [Added on June 2, 2016] [Update the Software] Cybozu Garoon 4.2.0 has been released, which addresses this vulnerability. Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1018][CyVDB-1021]
https://support.cybozu.com/ja-jp/article/9176
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5649
IPA SECURITY ALERTS
Security Alert for Vulnerability in Cybozu Garoon (JVN#38369032)
http://www.ipa.go.jp/security/ciadr/vul/20151007-jvn.html
JVN
JVN#38369032
https://jvn.jp/en/jp/JVN38369032/index.html
National Vulnerability Database (NVD)
CVE-2015-5649
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5649
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/07]\n Web page was published\n[2015/10/13]\n References : Content was added\n[2016/06/02]\n Solution was modified
2015-10-07T14:48:03+09:00
2016-06-02T19:15:39+09:00
2015-10-07T00:00:00+09:00
JVNDB-2015-000153
Dojo Toolkit vulnerable to cross-site scripting
Dojo Toolkit is software that assists in building web applications. Dojo Toolkit contains a cross-site scripting vulnerability. Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Dojo Foundation
Dojo Toolkit
cpe:/a:dojofoundation:dojo_toolkit
versions prior to 1.2
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
Dojo Toolkit
Get the Dojo Toolkit
https://dojotoolkit.org/download/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5654
JVN
JVN#13456571
https://jvn.jp/en/jp/JVN13456571/index.html
National Vulnerability Database (NVD)
CVE-2015-5654
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5654
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/09]\n Web page was published\n[2015/10/14]\n References : Content was added
2015-10-09T14:12:24+09:00
2015-10-14T17:26:34+09:00
2015-10-09T00:00:00+09:00
JVNDB-2015-000154
phpRechnung vulnerable to SQL injection
phpRechnung is web-based accounting software. list.php of phpRechnung contains an SQL injection (CWE-89) vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
phpRechnung
phpRechnung
cpe:/a:loenshotel:phprechnung
1.6.4 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
An authenticated attacker may obtain or alter information stored in the database.
[Update the Software] Update to the latest version according to the information provided by the developer.
phpRechnung
Download
https://www.loenshotel.de/download/phpRechnung/index.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5648
JVN
JVN#02671769
https://jvn.jp/en/jp/JVN02671769/index.html
National Vulnerability Database (NVD)
CVE-2015-5648
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5648
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/09]\n Web page was published\n[2015/10/14]\n References : Content was added
2015-10-09T14:12:25+09:00
2015-10-14T17:26:36+09:00
2015-10-09T00:00:00+09:00
JVNDB-2015-000158
Pref Shimane CMS vulnerable to SQL injection
Pref Shimane CMS is an open-source Contents Management System (CMS). Pref Shimane CMS contains an SQL injection vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Network Applied Communication Laboratory Ltd.
Pref Shimane CMS
cpe:/a:network_applied_communication_laboratory:shimane_prefecture_cms
version 2.0.0
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
A logged-in attacker may execute arbitrary SQL statements.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
Network Applied Communication Laboratory Ltd. website
https://github.com/NaCl-Ltd/pref-shimane-cms
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5659
JVN
JVN#84982142
https://jvn.jp/en/jp/JVN84982142/index.html
National Vulnerability Database (NVD)
CVE-2015-5659
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5659
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/09]\n Web page was published\n[2015/10/14]\n References : Content was added
2015-10-09T14:12:27+09:00
2015-10-14T17:26:37+09:00
2015-10-09T00:00:00+09:00
JVNDB-2015-000159
Party Track SDK for iOS fails to verify server certificates
Party Track SDK for iOS provided by Adways Inc. fails to verify server certificates in encrypted HTTPS communications. According to the developer, in addition to communications by the SDK, communications by the application using NSURLConnection also fail to verify server certificates. ma.la of LINE Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Adways Inc.
Party Track SDK
cpe:/a:adways:party_track_sdk
versions prior to 1.6.6
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on or alter an encrypted communication.
[Update SDK and rebuild the application] Update to the latest version of Party Track SDK and rebuild the application according to the information provided by Adways Inc.
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5655
JVN
JVN#48211537
http://jvn.jp/en/jp/JVN48211537/index.html
National Vulnerability Database (NVD)
CVE-2015-5655
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5655
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/14]\n Web page was published\n[2015/10/22]\n Overview was modified\n[2015/11/11]\n References : Content was added
2015-10-14T15:41:20+09:00
2015-11-11T17:32:58+09:00
2015-10-14T00:00:00+09:00
JVNDB-2015-000160
Avast vulnerable to directory traversal
Avast contains an issue in processing archive files, which may result in a directory traversal (CWE-22) vulnerability. When an archive file such as a zip is detected as containing a virus and the included virus file is moved or deleted, the operation is performed on the file path specified inside the archive file. Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
AVAST Software s.r.o.
avast Antivirus
cpe:/a:avast:avast_antivirus
with Virus Definition ID prior to 150918-0
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
When an archive such as a zip is scanned, a file in the archive is detected as a virus, and either the move or delete option is selected, the operation is performed against the file path specified within the archive file.
[Update the Virus Definition] Update the Virus Definition file to the latest version according to the information provided by the developer. According to the developer, the vulnerable code is included in Virus Definition and ID 150918-0 addressed the issue.
AVAST
Virus Update History
https://www.avast.com/virus-update-history
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5662
JVN
JVN#25576608
http://jvn.jp/en/jp/JVN25576608/index.html
National Vulnerability Database (NVD)
CVE-2015-5662
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5662
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/16]\n Web page was published\n[2015/10/20]\n References : Content was added
2015-10-16T14:00:54+09:00
2015-10-20T17:56:51+09:00
2015-10-16T00:00:00+09:00
JVNDB-2015-000162
AirDroid for Android vulnerable in handling of implicit intents
AirDroid for Android provided by SAND STUDIO contains a vulnerability in the handling of implicit intents. Gaku Mochizuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
AirDroid
AirDroid
cpe:/a:airdroid:airdroid
for Android 1.1.0 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Information in AirDroid may be leaked to a third party through a malicious Android application.
[Update the Software] Update to the latest version according to the information provided by the developer.
Google Play
AirDroid - Android Apps on Google Play
https://play.google.com/store/apps/details?id=com.sand.airdroid
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5661
JVN
JVN#37825153
http://jvn.jp/en/jp/JVN37825153/index.html
National Vulnerability Database (NVD)
CVE-2015-5661
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5661
JVNDB
CWE-DesignError
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/16]\n Web page was published\n[2015/10/20]\n References : Content was added
2015-10-16T14:00:55+09:00
2015-10-20T17:56:51+09:00
2015-10-16T00:00:00+09:00
JVNDB-2015-000164
ANA App fails to verify SSL server certificates
ANA App provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ALL NIPPON AIRWAYS CO., LTD
ANA
cpe:/a:ana:all_nippon_airways
App for Android version 3.1.1 and earlier
App for iOS version 3.3.6 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
ALL NIPPON AIRWAYS CO., LTD
ALL NIPPON AIRWAYS CO., LTD website
https://www.ana.co.jp/share/mobile/smartphone/app_ana/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5666
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5666
JVN
JVN#25086409
http://jvn.jp/en/jp/JVN25086409/index.html
National Vulnerability Database (NVD)
CVE-2015-5666
https://nvd.nist.gov/vuln/detail/CVE-2015-5666
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/28]\n Web page was published
1
2018-03-07T10:34:48+09:00
[2018/03/07]\n References : Content was added
2015-10-28T14:50:39+09:00
2018-03-07T13:50:02+09:00
2015-10-28T00:00:00+09:00
JVNDB-2015-000166
EC-CUBE vulnerable to cross-site request forgery
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a cross-site request forgery vulnerability (CWE-352). Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
EC-CUBE CO.,LTD.
EC-CUBE
cpe:/a:ec-cube:ec-cube
2.11.0 to 2.13.4
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
If a user views a malicious page, arbitrary PHP code may be executed on the server.
[Update or apply the patch] Update to the latest version or apply the patch according to the information provided by the developer.
EC-CUBE
About the vulnerability in EC-CUBE
https://www.ec-cube.net/info/weakness/201510_01/
EC-CUBE
Cross-site request forgery vulnerability (2015/10/23)
https://www.ec-cube.net/info/weakness/weakness.php?id=63
EC-CUBE
Cross-site request forgery vulnerability (2015/11/13)
http://www.ec-cube.net/info/weakness/weakness.php?id=64
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5665
JVN
JVN#97278546
http://jvn.jp/en/jp/JVN97278546/index.html
National Vulnerability Database (NVD)
CVE-2015-5665
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5665
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/26]\n Web page was published\n[2015/10/29]\n Impact was modified\n[2015/11/13]\n Affected Products : Content was modified\n Vendor Information : Contents were added \n References : Content was added
2015-10-26T12:27:08+09:00
2015-11-13T19:36:09+09:00
2015-10-26T00:00:00+09:00
JVNDB-2015-000167
Enisys Gw vulnerable to SQL injection
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains an SQL injection vulnerability (CWE-89). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Techno Project Japan Co.
ENISYS
cpe:/a:techno_project_japan:enisys_gw
Gw 1.4.0 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Information stored in the database may be obtained or altered by a remote unauthenticated attacker.
[Update the Software] Update to the latest version according to the information provided by the developer.
Techno Project Japan Co.
Techno Project Japan Co. website
http://www.tpj.co.jp/enisys/index.html
Techno Project Japan Co.
Download
http://www.tpj.co.jp/enisys/resource.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5668
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5668
JVN
JVN#58615092
http://jvn.jp/en/jp/JVN58615092/index.html
National Vulnerability Database (NVD)
CVE-2015-5668
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5668
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/29]\n Web page was published\n[2015/11/02]\n Vendor Information : Content was added\n References : Content was added
2015-10-29T13:37:03+09:00
2015-11-02T18:05:39+09:00
2015-10-29T00:00:00+09:00
JVNDB-2015-000168
Enisys Gw vulnerable to arbitrary file creation
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains a vulnerability that may allow a remote attacker to create arbitrary files. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Techno Project Japan Co.
ENISYS
cpe:/a:techno_project_japan:enisys_gw
Gw 1.4.0 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
An arbitrary file created by a logged in attacker may result in arbitrary code being executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Techno Project Japan Co.
Techno Project Japan Co. website
http://www.tpj.co.jp/enisys/index.html
Techno Project Japan Co.
Download
http://www.tpj.co.jp/enisys/resource.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5669
JVN
JVN#33179297
http://jvn.jp/en/jp/JVN33179297/index.html
National Vulnerability Database (NVD)
CVE-2015-5669
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5669
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/29]\n Web page was published\n[2015/11/02]\n Vendor Information : Content was added\n References : Content was added
2015-10-29T13:37:05+09:00
2015-11-02T18:05:41+09:00
2015-10-29T00:00:00+09:00
JVNDB-2015-000169
Enisys Gw vulnerable to cross-site scripting
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains a cross-site scripting vulnerability (CWE-79). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Techno Project Japan Co.
ENISYS
cpe:/a:techno_project_japan:enisys_gw
Gw 1.4.0 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Techno Project Japan Co.
Techno Project Japan Co. website
http://www.tpj.co.jp/enisys/index.html
Techno Project Japan Co.
Download
http://www.tpj.co.jp/enisys/resource.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5670
JVN
JVN#13874649
http://jvn.jp/en/jp/JVN13874649/index.html
National Vulnerability Database (NVD)
CVE-2015-5670
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5670
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/29]\n Web page was published\n[2015/11/02]\n Vendor Information : Content was added\n References : Content was added
2015-10-29T13:46:51+09:00
2015-11-02T18:05:42+09:00
2015-10-29T00:00:00+09:00
JVNDB-2015-000170
Enisys Gw fails to restrict access permissions
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw fails to restrict access permissions.
Techno Project Japan Co.
ENISYS
cpe:/a:techno_project_japan:enisys_gw
Gw 1.4.0 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A remote unauthenticated attacker may be able to access an arbitrary file uploaded to the product.
[Update the Software] Update to the latest version according to the information provided by the developer.
Techno Project Japan Co.
Techno Project Japan Co. website
http://www.tpj.co.jp/enisys/index.html
Techno Project Japan Co.
Download
http://www.tpj.co.jp/enisys/resource.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5671
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5671
JVN
JVN#68289108
http://jvn.jp/en/jp/JVN68289108/index.html
National Vulnerability Database (NVD)
CVE-2015-5671
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5671
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/29]\n Web page was published\n[2015/11/02]\n Vendor Information : Content was added\n References : Content was added
2015-10-29T13:46:50+09:00
2015-11-02T18:05:44+09:00
2015-10-29T00:00:00+09:00
JVNDB-2015-000171
HTML::Scrubber vulnerable to cross-site scripting
HTML::Scrubber is a Perl module for scrubbing/sanitizing html. HTML::Scrubber contains a cross-site scripting vulnerability (CWE-79). Toshiharu Sugiyama and Ryo Murakami of DeNA Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HTML::Scrubber project
HTML::Scrubber
cpe:/a:html-scrubber_project:html-scrubber
version 0.14 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If the function "comment" is enabled, an arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
metaCPAN
HTML-Scrubber-0.15 - Perl extension for scrubbing/sanitizing html - metacpan.org
https://metacpan.org/release/HTML-Scrubber
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5667
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667
JVN
JVN#53973084
http://jvn.jp/en/jp/JVN53973084/index.html
National Vulnerability Database (NVD)
CVE-2015-5667
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5667
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/30]\n Web page was published\n[2015/11/04]\n References : Content was added
2015-10-30T15:16:41+09:00
2015-10-30T15:16:41+09:00
2015-10-30T00:00:00+09:00
JVNDB-2015-000172
Multiple routers contain an issue in preventing clickjacking attacks
Multiple router products contain an issue in the protection against clickjacking attacks. Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
(Multiple Vendors)
(Multiple Products)
cpe:/a:misc:multiple_vendors
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
If a user views a malicious page while logged in, unintended operations may be conducted.
[Apply a solution] Solutions vary depending on the product. Apply the appropriate solution according to the information provided by the developer.
FAQ for YAMAHA RT Series / Security
Yamaha Corporation website
http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/JVN48135658.html
FITELnet
vulnera_20151127
http://www.furukawa.co.jp/fitelnet/topic/vulnera_20151127.html
JVN
Information from Allied Telesis
https://jvn.jp/jp/JVN48135658/522154/index.html
NEC Security Information
NV15-019
http://jpn.nec.com/security-info/secinfo/nv15-019.html
PLANEX
PLANEX COMMUNICATIONS INC. website
http://www.planex.co.jp/news/info/20151030_info.shtml
Security Information
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2016/clickjacking/
JVN
JVN#48135658
http://jvn.jp/en/jp/JVN48135658/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/10/30]\n Web page was published\n[2015/11/04]\n Vendor Information : Content was added\n[2015/11/12]\n Vendor Information : Content was added\n[2015/12/25]\n Vendor Information : Content was added\n[2016/02/12]\n Vendor Information : Content was added
2015-10-30T15:16:43+09:00
2016-02-12T17:16:01+09:00
2015-10-30T00:00:00+09:00
JVNDB-2015-000174
Multiple TYPE-MOON games vulnerable to OS command injection
Multiple games provided by TYPE-MOON contain an OS command injection vulnerability (CWE-78) due to an issue in loading save data. KUSANO Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TYPE-MOON / Notes Co.,Ltd.
Fate/hollow ataraxia
cpe:/a:typemoon:fate%2Fhollow_ataraxia
TYPE-MOON / Notes Co.,Ltd.
Fate/stay night
cpe:/a:typemoon:fate%2Fstay_night
(CD, DVD)
TYPE-MOON / Notes Co.,Ltd.
Fate/stay night + hollow ataraxia set
cpe:/a:typemoon:fate%2Fstay_night_%2B_hollow_ataraxia_set
TYPE-MOON / Notes Co.,Ltd.
Witch on the Holy Night
cpe:/a:typemoon:witch_on_the_holy_night
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
When specially crafted save data is loaded, an arbitrary OS command may be executed.
[Apply a Workaround] The following workaround can mitigate the effects of this vulnerability. * Do not load save data provided by an untrusted source.
TYPE-MOON / Notes Co.,Ltd.
TYPE-MOON / Notes Co.,Ltd. website
http://www.typemoon.com/support/vulnerability150902.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5672
JVN
JVN#80144272
https://jvn.jp/en/jp/JVN80144272/index.html
National Vulnerability Database (NVD)
CVE-2015-5672
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5672
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/05]\n Web page was published\n[2015/11/09]\n References : Content was added
2015-11-05T14:11:43+09:00
2015-11-09T10:39:09+09:00
2015-11-05T00:00:00+09:00
JVNDB-2015-000175
ISUCON5 qualifier portal web application (eventapp) vulnerable to OS command injection
ISUCON5 qualifier portal web application (eventapp) provided by ISUCON organizers contains an OS command injection (CWE-78) vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ISUCON organizers
ISUCON5 qualifier portal web application (eventapp)
cpe:/a:isucon:isucon_5_qualifier_eventapp
versions prior to commit 150e3e6d851acb31a0b15ce93380a7dab14203fa
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
A logged in attacker may execute arbitrary OS commands on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
ISUCON 5 qualifier eventapp
https://github.com/isucon/isucon5-qualify/pull/5
GitHub
Merge pull request #5 from sorah/osci
https://github.com/isucon/isucon5-qualify/commit/150e3e6d851acb31a0b15ce93380a7dab14203fa
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5673
JVN
JVN#04281281
https://jvn.jp/en/jp/JVN04281281/index.html
National Vulnerability Database (NVD)
CVE-2015-5673
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5673
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/02]\n Web page was published\n[2015/11/11]\n Vendor Information : Content was added\n References : Content was added
2015-11-02T14:10:16+09:00
2015-11-11T15:33:32+09:00
2015-11-02T00:00:00+09:00
JVNDB-2015-000176
SonicWall TotalSecure TZ 100 Series vulnerable to denial-of-service (DoS)
SonicWall TotalSecure TZ 100 Series is a firewall product provided by Dell Inc. SonicWall TotalSecure TZ 100 Series contains a denial-of-service (DoS) vulnerability. FFRI,Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Dell
SonicWall TotalSecure TZ 100 Series firmware
cpe:/o:dell:sonicwall_totalsecure_tz_100_firmware
versions prior to 5.9.1.0-22o
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Processing a specially crafted packet may lead to a denial-of-service (DoS).
[Update the firmware] Update to the latest version of the firmware according to the information provided by the developer.
Product Support
SonicWALL TZ Series
https://support.software.dell.com/sonicwall-tz-series/100
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7770
JVN
JVN#90135579
https://jvn.jp/en/jp/JVN90135579/index.html
National Vulnerability Database (NVD)
CVE-2015-7770
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7770
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/06]\n Web page was published\n[2015/11/09]\n References : Content was added
2015-11-06T12:30:02+09:00
2015-11-09T10:47:57+09:00
2015-11-06T00:00:00+09:00
JVNDB-2015-000177
Apple OS X authentication issue when recovering from sleep mode
Apple OS X contains an issue with authentication when recovering from sleep mode. This issue exists due to a flaw in the processing of the text entered in the dialog box upon recovering from sleep mode. Masaki Katayama of Cyber Risks Laboratory Naviplus CO,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apple Inc.
Apple Mac OS X
cpe:/o:apple:mac_os_x
Mavericks versions prior to 10.9
Apple Inc.
Apple Remote Desktop
cpe:/a:apple:apple_remote_desktop
versions prior to 3.7
Low
3.7
AV:L/AC:H/Au:N/C:P/I:P/A:P
When Apple Remote Desktop is used in full screen mode and the remote connection is alive upon entering sleep mode, the text entered in the dialog box upon recovering from sleep mode is sent to the remotely connected host instead of the local host. This may result in command execution at the remote host.
[Update Apple OS X and Apple Remote Desktop] The developer has provided fixes for this issue in both Apple OS X and Apple Remote Desktop. Update both OS X and Apple Remote Desktop to the latest versions.
JVN
Information from Apple
http://jvn.jp/en/jp/JVN56210048/741993/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2013-5229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5229
JVN
JVN#56210048
https://jvn.jp/en/jp/JVN56210048/index.html
National Vulnerability Database (NVD)
CVE-2013-5229
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5229
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/13]\n Web page was published\n[2015/11/17]\n References : Content was added\n Vendor Information : Content was added
2015-11-13T14:25:32+09:00
2015-11-17T16:15:06+09:00
2015-11-13T00:00:00+09:00
JVNDB-2015-000178
applican vulnerable to script injection
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican is vulnerable to script injection due to an issue in processing SSID. Note that this vulnerability is different from JVN#64625488. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
applican
cpe:/a:newphoria_corporation:applican
for Android versions 1.12.6 and earlier
for iOS versions 1.12.3 and earlier
Medium
5.4
AV:A/AC:M/Au:N/C:P/I:P/A:P
When an application built using applican processes a specially crafted SSID, an arbitrary script may be executed leading to an arbitrary API being called.
[Update applican and rebuild the application] Update to the latest version of applican and rebuild the application according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN71088919/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7771
JVN
JVN#71088919
http://jvn.jp/en/jp/JVN71088919/index.html
National Vulnerability Database (NVD)
CVE-2015-7771
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7771
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/17]\n Web page was published\n[2015/11/24]\n References : Content was added
2015-11-17T14:20:07+09:00
2015-11-24T18:03:03+09:00
2015-11-17T00:00:00+09:00
JVNDB-2015-000179
applican vulnerable to script injection
applican provided by Newphoria Corporation Inc. is a platform to build hybrid applications for both iOS and Android. applican is vulnerable to script injection due to an issue in processing URLs. Note that this vulnerability is different from JVN#71088919. Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Newphoria Corporation
applican
cpe:/a:newphoria_corporation:applican
for Android versions 1.12.6 and earlier
for iOS versions 1.12.3 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
When a user accesses a specially crafted URL through an application built using applican, an arbitrary script may be executed leading to an arbitrary API being called.
[Update applican and rebuild the application] Update to the latest version of applican and rebuild the application according to the information provided by the developer.
JVN
Information from Newphoria Corporation
http://jvn.jp/en/jp/JVN64625488/995707/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7772
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7772
JVN
JVN#64625488
http://jvn.jp/en/jp/JVN64625488/index.html
National Vulnerability Database (NVD)
CVE-2015-7772
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7772
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/17]\n Web page was published\n[2015/11/24]\n References : Content was added
2015-11-17T14:20:31+09:00
2015-11-24T18:03:02+09:00
2015-11-17T00:00:00+09:00
JVNDB-2015-000180
pWebManager vulnerable to OS command injection
pWebManager provided by PC-EGG Co.,Ltd. contains an OS command injection vulnerability (CWE-78). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
PC-EGG Co.,Ltd.
pWebManager
cpe:/a:pc-egg:pwebmanager
(for PHP4) 2.2.2 and earlier
(UTF-8) 3.3.9a and earlier
3.3.9a and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
An arbitrary OS command may be executed on the server by a user logged in with editor permissions.
[Update the Software] Update to the latest version according to the information provided by the developer.
PC-EGG Co.,Ltd.
PC-EGG Co.,Ltd. website
http://www.pwebmanager.org/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7774
JVN
JVN#25323093
https://jvn.jp/en/jp/JVN25323093/index.html
National Vulnerability Database (NVD)
CVE-2015-7774
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7774
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/13]\n Web page was published\n[2015/11/17]\n References : Content was added
2015-11-13T14:25:34+09:00
2015-11-17T16:21:54+09:00
2015-11-13T00:00:00+09:00
JVNDB-2015-000181
Gurunavi App for iOS fails to verify SSL server certificates
Gurunavi App for iOS provided by Gurunavi, Inc. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Gurunavi, Inc.
Gurunavi
cpe:/a:gurunavi:gournavi
App for iOS ver.5.4.4 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
Gurunavi, Inc.
Gurunavi, Inc. website
https://itunes.apple.com/jp/app/gurunabi/id311691979?mt=8
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7778
JVN
JVN#29141986
https://jvn.jp/en/jp/JVN29141986/index.html
National Vulnerability Database (NVD)
CVE-2015-7778
https://nvd.nist.gov/vuln/detail/CVE-2015-7778
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/17]\n Web page was published
1
2018-03-07T11:39:11+09:00
[2018/03/07]\n References : Content was added
2015-11-17T14:21:15+09:00
2018-03-07T12:17:32+09:00
2015-11-17T00:00:00+09:00
JVNDB-2015-000182
Kirby vulnerable to arbitrary file creation
Kirby is a content management system (CMS). Kirby contains a vulnerability that may allow a remote attacker to create arbitrary files. Yuji Tounai of NTT Com Security(Japan)KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Bastian Allgeier GmbH
Kirby
cpe:/a:bastian_allgeier:kirby
2.1.1 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
An arbitrary file created by a logged in attacker may result in arbitrary PHP code being executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Bastian Allgeier GmbH
Security Update - Kirby 2.1.2
http://getkirby.com/changelog/kirby-2-1-2
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7773
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7773
JVN
JVN#34780384
https://jvn.jp/en/jp/JVN34780384/index.html
National Vulnerability Database (NVD)
CVE-2015-7773
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7773
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/17]\n Web page was published\n[2015/11/24]\n References : Content was added
2015-11-17T14:21:49+09:00
2015-11-24T18:03:00+09:00
2015-11-17T00:00:00+09:00
JVNDB-2015-000184
Void vulnerable to cross-site scripting
Void is an open source content management system (CMS). Void contains a cross-site scripting vulnerability (CWE-79). Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA under Information Security Early Warning Partnership.
Joseph Ernest
Void
cpe:/a:void_project:void
versions released prior to October 2, 2015
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Apply an update] Update to the latest version according to the information provided by the developer.
GitHub
Merge pull request #18 from g-sato/fix_security_bug
https://github.com/josephernest/void/commit/84b9615ae7fe233c40a80bf749085caaef6f4919
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7777
JVN
JVN#20649799
https://jvn.jp/en/jp/JVN20649799/index.html
National Vulnerability Database (NVD)
CVE-2015-7777
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7777
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/20]\n Web page was published\n[2015/11/24]\n References : Content was added
2015-11-20T13:38:48+09:00
2015-11-24T18:02:59+09:00
2015-11-20T00:00:00+09:00
JVNDB-2015-000185
ManageEngine Firewall Analyzer vulnerable to directory traversal
ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a directory traversal vulnerability. Mukai Akihito and Hasegawa Tomoshige reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zoho Corporation
ManageEngine Firewall Analyzer
cpe:/a:zohocorp:manageengine_firewall_analyzer
versions prior to 8.0
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
An authenticated attacker may be able to obtain arbitrary files on the server.
[Update the software] Update to the latest version according to the information provided by the developer.
ZOHO Corp.
ManageEngine Firewall Analyzer
https://www.manageengine.com/products/firewall/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7780
JVN
JVN#21968837
https://jvn.jp/en/jp/JVN21968837/index.html
National Vulnerability Database (NVD)
CVE-2015-7780
https://nvd.nist.gov/vuln/detail/CVE-2015-7780
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/27]\n Web page was published\n[2018/01/24]\n References : Content was added
2015-11-27T13:28:47+09:00
2018-01-24T12:05:46+09:00
2015-11-27T00:00:00+09:00
JVNDB-2015-000186
ManageEngine Firewall Analyzer fails to restrict access permissions
ManageEngine Firewall Analyzer provided by Zoho Corporation is a log analytics and configuration management software for network security devices. ManageEngine Firewall Analyzer contains a vulnerability where access permissions are not restricted. Mukai Akihito and Hasegawa Tomoshige reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zoho Corporation
ManageEngine Firewall Analyzer
cpe:/a:zohocorp:manageengine_firewall_analyzer
versions prior to 8.0
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
An attacker may be able to obtain server logs.
[Update the software] Update to the latest version according to the information provided by the developer.
ZOHO Corp.
ManageEngine Firewall Analyzer
https://www.manageengine.com/products/firewall/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7781
JVN
JVN#12991684
https://jvn.jp/en/jp/JVN12991684/index.html
National Vulnerability Database (NVD)
CVE-2015-7781
https://nvd.nist.gov/vuln/detail/CVE-2015-7781
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/27]\n Web page was published\n[2018/01/24]\n References : Content was added
2015-11-27T13:29:10+09:00
2018-01-24T12:12:26+09:00
2015-11-27T00:00:00+09:00
JVNDB-2015-000187
Apache Cordova vulnerable to improper application of whitelist restrictions
Apache Cordova provided by the Apache Software Foundation is a framework for creating mobile applications for various platforms. Android applications built using Apache Cordova contain a vulnerability where whitelist restrictions are not properly applied. Muneaki Nishimura of Sony Digital Network Applications, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Cordova
cpe:/a:apache:cordova
Android versions 3.7.2 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Accessing a specially crafted URL may result in transitioning to a URL that the whitelist should restrict.
[Update Apache Cordova and re-build the Android application] Developers of Android applications should update Apache Cordova and re-build the application.
Apache Cordova
The Apache Software Foundation website
https://cordova.apache.org/announcements/2015/11/20/security.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5256
JVN
JVN#18889193
http://jvn.jp/en/jp/JVN18889193/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/27]\n Web page was published
2015-11-27T13:29:33+09:00
2015-11-27T13:29:33+09:00
2015-11-27T00:00:00+09:00
JVNDB-2015-000188
Frame high-speed chat vulnerable to cross-site scripting
Frame high-speed chat provided by Let's PHP! contains a cross-site scripting vulnerability (CWE-79).
Let's PHP!
Frame high-speed chat
cpe:/a:let%27s_php%21:frame_high-speed_chat
versions prior to 2015/09/22
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Apply an Update] Update to the latest version according to the information provided by the developer.
Let's PHP!
Let's PHP! website
http://php.s3.to/chat/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7782
JVN
JVN#35845584
http://jvn.jp/en/jp/JVN35845584/index.html
National Vulnerability Database (NVD)
CVE-2015-7782
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7782
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/30]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-11-30T13:44:57+09:00
2016-01-07T15:34:48+09:00
2015-11-30T00:00:00+09:00
JVNDB-2015-000189
p++BBS vulnerable to cross-site scripting
p++BBS provided by Let's PHP! contains a stored cross-site scripting vulnerability (CWE-79). Koki Takahashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Let's PHP!
p++BBS
cpe:/a:let%27s_php%21:pbbs
v4.05 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Apply an Update] Update to the latest version according to the information provided by the developer.
Let's PHP!
Let's PHP! website
http://php.s3.to/bbs/bbs2.php
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7783
JVN
JVN#72891124
http://jvn.jp/en/jp/JVN72891124/index.html
National Vulnerability Database (NVD)
CVE-2015-7783
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7783
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/30]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-11-30T13:44:59+09:00
2016-01-07T16:17:31+09:00
2015-11-30T00:00:00+09:00
JVNDB-2015-000190
EC-CUBE plugin BbAdminViewsControl vulnerable to SQL injection
BbAdminViewsControl from BOKUBLOCK CO., LTD. is an EC-CUBE plugin. BbAdminViewsControl contains an SQL injection vulnerability (CWE-89). Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BOKUBLOCK INC.
BbAdminViewsControl
cpe:/a:bokublock:bbadminviewscontrol
213 Ver1.0 and earlier
Ver2.0 and earlier
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:N/A:P
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
A logged-in attacker may execute SQL statements. According to the developer, this vulnerability affects the availability of the server on which EC-CUBE resides, but information in the database cannot be obtained or altered.
[Do not use BbAdminViewsControl] Stop using BbAdminViewsControl. The developer has stopped distributing the product.
BOKUBLOCK INC.
Top page
https://www.bokublock.jp/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7784
JVN
JVN#55545372
http://jvn.jp/en/jp/JVN55545372/index.html
National Vulnerability Database (NVD)
CVE-2015-7784
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7784
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/03]\n Web page was published\n[2016/01/12]\n References : Content was added\n[2016/07/07]\n CVSS Severity was modified\n Vendor Information : Content was added\n Impact was modified\n Solution was modified
2015-12-03T14:26:19+09:00
2016-07-07T14:53:42+09:00
2015-12-03T00:00:00+09:00
JVNDB-2015-000191
GANMA! App for iOS fails to verify SSL server certificates
GANMA! App for iOS provided by COMICSMART INC. fails to verify SSL server certificates. Yuji Tounai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
COMICSMART INC.
GANMA!
cpe:/a:comicsmart:ganma%21
App for iOS version 2.0.9 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Software] Update to the latest version according to the information provided by the developer.
COMICSMART INC.
COMICSMART INC. website
https://itunes.apple.com/en/app/safecast/id709003148
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7785
JVN
JVN#44541100
http://jvn.jp/en/jp/JVN44541100/index.html
National Vulnerability Database (NVD)
CVE-2015-7785
https://nvd.nist.gov/vuln/detail/CVE-2015-7785
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/07]\n Web page was published
1
2018-03-07T10:26:21+09:00
[2018/03/07]\n References : Content was added
2015-12-07T14:21:40+09:00
2018-03-07T13:50:04+09:00
2015-12-07T00:00:00+09:00
JVNDB-2015-000192
WL-330NUL information management vulnerability
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains an issue in information management. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
WL-330NUL
cpe:/a:misc:asus_japan_wl-330nul
Firmware versions prior to 3.0.0.42
Low
3.3
AV:A/AC:L/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An attacker that can access the product may obtain the WPA2-PSK passphrase.
[Update the Firmware] Update the firmware to the latest version according to the information provided by the developer.
ASUS JAPAN Inc.
Released firmware updates for vulnerabilities on ASUS WL-330NUL Wireless-N Pocket Router
http://www.asus.com/jp/News/FX04LE8HN0qBoqFI
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7787
JVN
JVN#69462495
http://jvn.jp/en/jp/JVN69462495/index.html
National Vulnerability Database (NVD)
CVE-2015-7787
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7787
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/09]\n Web page was published\n[2016/01/13]\n References : Content was added
2015-12-09T14:38:06+09:00
2016-01-13T17:37:02+09:00
2015-12-09T00:00:00+09:00
JVNDB-2015-000193
WL-330NUL vulnerable to remote command execution
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a remote command execution vulnerability. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
WL-330NUL
cpe:/a:misc:asus_japan_wl-330nul
Firmware versions prior to 3.0.0.42
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
An attacker that can access the product may execute an arbitrary command with administrative privileges.
[Update the Firmware] Update the firmware to the latest version according to the information provided by the developer.
ASUS JAPAN Inc.
Released firmware updates for vulnerabilities on ASUS WL-330NUL Wireless-N Pocket Router
http://www.asus.com/jp/News/FX04LE8HN0qBoqFI
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7788
JVN
JVN#34489380
http://jvn.jp/en/jp/JVN34489380/index.html
National Vulnerability Database (NVD)
CVE-2015-7788
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7788
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/09]\n Web page was published\n[2016/01/13]\n References : Content was added
2015-12-09T14:41:49+09:00
2016-01-13T17:37:01+09:00
2015-12-09T00:00:00+09:00
JVNDB-2015-000194
WL-330NUL vulnerable to denial-of-service (DoS)
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a denial-of-service (DoS) vulnerability. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
WL-330NUL
cpe:/a:misc:asus_japan_wl-330nul
Firmware versions prior to 3.0.0.42
Low
3.3
AV:A/AC:L/Au:N/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
An attacker who can access the product may be able to cause a denial-of-service (DoS).
[Update the Firmware] Update the firmware to the latest version according to the information provided by the developer.
ASUS JAPAN Inc.
Released firmware updates for vulnerabilities on ASUS WL-330NUL Wireless-N Pocket Router
http://www.asus.com/jp/News/FX04LE8HN0qBoqFI
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7789
JVN
JVN#85359294
http://jvn.jp/en/jp/JVN85359294/index.html
National Vulnerability Database (NVD)
CVE-2015-7789
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7789
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/09]\n Web page was published\n[2016/01/13]\n References : Content was added
2015-12-09T14:47:01+09:00
2016-01-13T17:37:01+09:00
2015-12-09T00:00:00+09:00
JVNDB-2015-000195
WL-330NUL vulnerable to cross-site scripting
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a stored cross-site scripting vulnerability. TAIZO TSUKAMOTO of GLOBAL SECURITY EXPERTS Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
WL-330NUL
cpe:/a:misc:asus_japan_wl-330nul
Firmware versions prior to 3.0.0.42
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Firmware] Update the firmware to the latest version according to the information provided by the developer.
ASUS JAPAN Inc.
Released firmware updates for vulnerabilities on ASUS WL-330NUL Wireless-N Pocket Router
http://www.asus.com/jp/News/FX04LE8HN0qBoqFI
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7790
JVN
JVN#89965717
https://jvn.jp/jp/JVN89965717/index.html
National Vulnerability Database (NVD)
CVE-2015-7790
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7790
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/09]\n Web page was published\n[2016/01/13]\n References : Content was added
2015-12-09T14:51:47+09:00
2016-01-13T17:37:00+09:00
2015-12-09T00:00:00+09:00
JVNDB-2015-000196
Web Analytics Service vulnerable to cross-site scripting
The JavaScript module for using Web Analytics Service, which was provided by NTT DATA Smart Sourcing Corporation, contains a cross-site scripting vulnerability (CWE-79) due to a flaw in the escaping process. According to the developer, this script was distributed from 26 November, 2003 to 9 July, 2013.
NTT DATA Smart Sourcing Corporation
Web Analytics Service
cpe:/a:misc:ntt_data_smart_sourcing_access_kaiseki
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Delete the JavaScript] Web Analytics Service has been discontinued. Delete the JavaScript according to the information provided by the developer.
NTT DATA Smart Sourcing Corporation
NTT DATA Smart Sourcing Corporation website
http://www.nttdata-smart.co.jp/information/2015/000040.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7786
JVN
JVN#70083512
http://jvn.jp/en/jp/JVN70083512/index.html
National Vulnerability Database (NVD)
CVE-2015-7786
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7786
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/08]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-12-08T14:29:51+09:00
2016-01-07T15:13:55+09:00
2015-12-08T00:00:00+09:00
JVNDB-2015-000197
Zend Framework vulnerable to SQL injection
Zend Framework is an open source web application framework. Zend Framework contains an SQL injection vulnerability (CWE-89) due to the argument of the ORDER BY clause. Hiroshi Tokumaru of HASH Consulting Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zend Technologies Ltd.
Zend Framework
cpe:/a:zend:zend_framework
1.12.7 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
An attacker who can access the product may execute SQL commands.
[Update the Software] Update to the latest version according to the information provided by the developer. This vulnerability was addressed on 26 August, 2014.
GitHub
Pull Request #418: Improved regex for SQL group, order, from
https://github.com/zendframework/zf1/pull/418
Security Advisory
ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select
http://framework.zend.com/security/advisory/ZF2014-04
Common Vulnerabilities and Exposures (CVE)
CVE-2014-4914
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
JVN
JVN#71730320
http://jvn.jp/en/jp/JVN71730320/index.html
National Vulnerability Database (NVD)
CVE-2014-4914
https://nvd.nist.gov/vuln/detail/CVE-2014-4914
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/11]\n Web page was published
1
2018-04-11T09:50:19+09:00
[2018/04/11]\n References : Content was added
2015-12-11T13:46:47+09:00
2018-04-11T11:32:42+09:00
2015-12-11T00:00:00+09:00
JVNDB-2015-000199
WinRAR may insecurely load executable files
WinRAR contains a function where user specified files on the local disk can be executed. When this file does not have a file extension, a file of the same name with a file extension contained in the same folder may be executed by WinRAR instead of the user specified file. WinRAR also contains a function where registry settings can be saved and registry settings can be recovered from files. If the folder displayed on screen contains an executable file, such as REGEDIT.BAT, when attempting to save or recover registry settings, REGEDIT.BAT is executed instead of the Windows registry editor (regedit.exe).
RARLAB
WinRAR
cpe:/a:rarlab:winrar
5.30 beta 4 (32 bit) and earlier
5.30 beta 4 (64 bit) and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If an attacker convinces a user to open a file without an extension through WinRAR, a file with the same name with a file extension in the same folder will be executed with the privileges of WinRAR. If an attacker places an executable file, such as REGEDIT.BAT into a folder that is being displayed through WinRAR, when the user saves or restores WinRAR settings, REGEDIT.BAT will be executed with the privileges of WinRAR instead of the Windows registry editor (regedit.exe).
[Update the Software] This vulnerability has been addressed in WinRAR 5.30 beta 5. Update to the latest version according to the information provided by the developer.
RARLAB
WinRAR archiver, a powerful tool to process RAR and ZIP files
http://www.rarlab.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5663
JVN
JVN#64636058
https://jvn.jp/en/jp/JVN64636058/index.html
National Vulnerability Database (NVD)
CVE-2015-5663
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5663
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/17]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-12-17T15:19:49+09:00
2016-01-07T15:36:03+09:00
2015-12-17T00:00:00+09:00
JVNDB-2015-000200
Welcart vulnerable to SQL injection
Welcart provided by Collne Inc. is a WordPress plugin. Welcart contains an SQL injection vulnerability (CWE-89) due to a flaw in the processing of the search[column] and switch parameters in admin.php. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Collne Inc.
Welcart
cpe:/a:collne:welcart_plugin
V1.5.2 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
An unauthenticated attacker may obtain or alter information stored in the database.
[Apply an Update] Apply the update according to the information provided by the developer.
Collne Inc.
Collne Inc. website
http://www.welcart.com/community/archives/76035
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7791
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7791
JVN
JVN#43344629
https://jvn.jp/en/jp/JVN43344629/index.html
National Vulnerability Database (NVD)
CVE-2015-7791
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7791
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/17]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-12-17T15:19:52+09:00
2016-01-07T15:37:17+09:00
2015-12-17T00:00:00+09:00
JVNDB-2015-000201
CG-WLBARGS does not properly perform authentication
CG-WLBARGS provided by Corega Inc is a wireless LAN router. CG-WLBARGS does not properly perform authentication. Kousuke Kawahira of DWANGO Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Corega Inc
CG-WLBARGS
cpe:/h:corega:cg-wlbargs
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An attacker who can access the product may log in with administrative privileges. As a result, arbitrary administrative operations may be executed.
[Apply a Workaround] The following workarounds may mitigate the effects of this vulnerability. * Disable the remote access function to avoid access to the product from the internet * Encrypt wireless LAN communications to avoid access to the product from adjacent networks Note that the workarounds above do not prevent access from wired local networks.
corega
About the authentication flaw
http://corega.jp/support/security/20151224_wlbargs.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7792
JVN
JVN#51349622
https://jvn.jp/en/jp/JVN51349622/index.html
National Vulnerability Database (NVD)
CVE-2015-7792
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7792
JVNDB
CWE-DesignError
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/25]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-12-25T14:33:51+09:00
2016-01-07T15:32:33+09:00
2015-12-25T00:00:00+09:00
JVNDB-2015-000202
CG-WLBARAGM may behave as an open proxy
CG-WLBARAGM provided by Corega Inc is a wireless LAN router. CG-WLBARAGM contains an issue where it may behave as an open proxy. Akihiro Nakajima of NTT Communications reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Corega Inc
CG-WLBARAGM
cpe:/h:corega:cg-wlbaragm
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
The device may be leveraged as a proxy server to conduct cyber attacks.
[Apply a Workaround] The following workaround may mitigate the effects of this issue. * Disable contents filtering
corega
About the issue that may behave as an open proxy
http://corega.jp/support/security/20151224_wlbaragm.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7793
JVN
JVN#50775659
https://jvn.jp/en/jp/JVN50775659/index.html
National Vulnerability Database (NVD)
CVE-2015-7793
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7793
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/25]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-12-25T14:45:50+09:00
2016-01-07T15:32:32+09:00
2015-12-25T00:00:00+09:00
JVNDB-2015-000203
CG-WLNCM4G may behave as an open resolver
CG-WLNCM4G provided by Corega Inc is a network camera. CG-WLNCM4G contains an issue where it may behave as an open resolver. SASABE Tetsuro of The University of Tokyo reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Corega Inc
CG-WLNCM4G
cpe:/h:corega:cg-wlncm4g
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
The device may be leveraged for use in a DNS amplification attack and unknowingly become a part of a DDoS attack.
[Do not use CG-WLNCM4G] As of December 25, 2015, there are no practical solutions to this issue. It is recommended to stop using CG-WLNCM4G according to the information provided by the developer. According to the developer, the following products are not affected by this issue. * CG-NCBU031A * CG-NCVD031A * CG-NCDO011A * CG-NCPFE011A * CG-NCPVD032A [Apply a Workaround] The following workaround may mitigate the effects of this issue. * Restrict access to the product from the internet, through router settings or other functions
corega
About the issue that may behave as an open resolver
http://corega.jp/support/security/20151224_wlncm4g.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7794
JVN
JVN#51250073
https://jvn.jp/en/jp/JVN51250073/index.html
National Vulnerability Database (NVD)
CVE-2015-7794
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7794
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/25]\n Web page was published\n[2016/01/07]\n References : Content was added
2015-12-25T14:45:48+09:00
2016-01-07T15:32:30+09:00
2015-12-25T00:00:00+09:00
JVNDB-2015-000301
BBS X102 vulnerable to cross-site scripting
BBS X102 provided by guide-park.com is a bulletin board software. BBS X102 contains a cross-site scripting vulnerability. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on May 26, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
guide-park.com
BBS X102
cpe:/a:guide-park:bbs_x102
Ver1.03
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Consider discontinuing use of BBS X102 Ver1.03] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2985
JVN
JVN#13684924
https://jvn.jp/en/jp/JVN13684924/index.html
National Vulnerability Database (NVD)
CVE-2015-2985
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2985
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/03]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-03T15:00:19+09:00
2015-09-09T14:02:51+09:00
2015-09-03T00:00:00+09:00
JVNDB-2015-000302
hitSuji (rktSNS2) vulnerable to cross-site scripting
hitSuji (rktSNS2) provided by rakuto.net is an open source SNS software. hitSuji (rktSNS2) contains a cross-site scripting vulnerability. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on May 26, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
rakuto.net
hitSuji (rktSNS2)
cpe:/a:rakuto:rktsns2
0.2.2b
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Consider discontinuing use of hitSuji (rktSNS2) 0.2.2b] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2015-2986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2986
JVN
JVN#24692261
https://jvn.jp/en/jp/JVN24692261/index.html
National Vulnerability Database (NVD)
CVE-2015-2986
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2986
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/09/03]\n Web page was published\n[2015/09/09]\n References : Content was added
2015-09-03T14:46:40+09:00
2015-09-09T14:02:52+09:00
2015-09-03T00:00:00+09:00
JVNDB-2015-001268
Cross-site Scripting Vulnerability in Hitachi Command Suite Products
The online help of Hitachi Command Suite Products contains a cross-site scripting vulnerability.
Hitachi, Ltd
Hitachi Compute Systems Manager
cpe:/a:hitachi:compute_systems_manager
Software
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
Software
Hitachi, Ltd
Hitachi Global Link Manager
cpe:/a:hitachi:global_link_manager
Software
Hitachi, Ltd
Hitachi Replication Manager
cpe:/a:hitachi:replication_manager
Software
Hitachi, Ltd
Hitachi Tiered Storage Manager
cpe:/a:hitachi:tiered_storage_manager
Software
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
A remote attacker can exploit this vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-001
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-001/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-1565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1565
National Vulnerability Database (NVD)
CVE-2015-1565
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1565
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/16]\n Web page was published\n[2015/03/03]\n CVSS Severity was modified
2015-02-16T11:12:22+09:00
2015-03-03T16:59:05+09:00
2015-01-30T00:00:00+09:00
JVNDB-2015-001269
Cross-site Scripting Vulnerability in Hitachi Application Server Help
Hitachi Application Server Help contains a cross-site scripting vulnerability.
Hitachi, Ltd
Hitachi Application Server
cpe:/a:hitachi:hitachi_application_server
V10 Manual (UNIX(R))
V10 Manual (Windows(R))
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
A remote attacker can exploit this vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-002
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-002/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/16]\n Web page was published\n[2015/03/03]\n CVSS Severity was modified
2015-02-16T11:21:58+09:00
2015-03-03T16:59:04+09:00
2015-01-30T00:00:00+09:00
JVNDB-2015-001556
Multiple Cross-site Scripting Vulnerabilities in Hitachi Compute Systems Manager
Multiple cross-site scripting vulnerabilities were found in Hitachi Compute Systems Manager.
Hitachi, Ltd
Hitachi Compute Systems Manager
cpe:/a:hitachi:compute_systems_manager
Software
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Remote users can exploit multiple cross-site scripting vulnerabilities to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-004
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-004/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]\n Web page was published
2015-02-27T15:55:49+09:00
2015-02-27T15:55:49+09:00
2015-02-19T00:00:00+09:00
JVNDB-2015-001557
Cross-site Scripting Vulnerability in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director
A cross-site scripting vulnerability was found in the online help of JP1/IT Desktop Management - Manager and Hitachi IT Operations Director.
Hitachi, Ltd
Hitachi IT Operations Director
cpe:/a:hitachi:it_operations_director
Hitachi, Ltd
Job Management Partner 1/IT Desktop Management - Manager
cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-manager
Hitachi, Ltd
JP1/IT Desktop Management
cpe:/a:hitachi:jp1_it_desktop_management
2 - Manager
Hitachi, Ltd
JP1/IT Desktop Management - Manager
cpe:/a:hitachi:jp1%2Fit_desktop_management-manager
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Remote users can exploit a cross-site scripting vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-005
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-005/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
 Web page was published
2015-02-27T15:56:52+09:00
2015-02-27T15:56:52+09:00
2015-02-19T00:00:00+09:00
JVNDB-2015-001558
Cross-site Scripting Vulnerability in Hitachi IT Operations Analyzer
A cross-site scripting vulnerability was found in the online help of Hitachi IT Operations Analyzer.
Hitachi, Ltd
Hitachi IT Operations Analyzer
cpe:/a:hitachi:it_operations_analyzer
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Remote users can exploit a cross-site scripting vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-006
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-006/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/02/27]
 Web page was published
2015-02-27T15:57:44+09:00
2015-02-27T15:57:44+09:00
2015-02-19T00:00:00+09:00
JVNDB-2015-001959
JBoss RichFaces vulnerable to remote Java code execution
JBoss RichFaces contains a remote Java code execution vulnerability. JBoss RichFaces is an Ajax-enabled component library for JavaServer Faces (JSF). JBoss RichFaces contains a flaw in parsing the do parameter, which may result in arbitrary Java code execution. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Red Hat, Inc.
JBoss RichFaces
cpe:/a:redhat:richfaces
versions prior to 4.5.4
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
When a specially crafted input is processed, arbitrary Java code may be executed on the application server.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
RF-13977: prevent EL expression from executing methods
https://github.com/richfaces/richfaces/commit/4c5ddae4d6ddcea591fa949762c1c79ac11cac99
JBoss Community
RichFaces 4.5.4.Final Release Announcement
https://developer.jboss.org/people/michpetrov/blog/2015/04/01/richfaces-453final-release-announcement
JBoss Community
Stable Downloads
http://richfaces.jboss.org/download/stable
JBoss Issue Tracker
RF-13977: Remote Command Injection (EL Injection)
https://issues.jboss.org/browse/RF-13977
Red Hat Security Advisory
Important: Red Hat JBoss Web Framework Kit 2.7.0 security update
https://rhn.redhat.com/errata/RHSA-2015-0719.html
Common Vulnerabilities and Exposures (CVE)
CVE-2015-0279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0279
IPA SECURITY ALERTS
Security Alert for Vulnerability in JBoss RichFaces (JVN#56297719)
http://www.ipa.go.jp/security/ciadr/vul/20150414-jvn.html
JVN
JVN#56297719
http://jvn.jp/en/jp/JVN56297719/index.html
National Vulnerability Database (NVD)
CVE-2015-0279
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0279
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/04/14]
 Web page was published
2015-04-14T13:24:51+09:00
2015-04-14T13:24:51+09:00
2015-03-24T00:00:00+09:00
JVNDB-2015-002705
Problem with directory permissions in JP1/Automatic Operation
There is a problem with the permissions on the file transfer directory in JP1/Automatic Operation.
Hitachi, Ltd
JP1/Automatic Operation
cpe:/a:hitachi:jp1_automatic_operation
Low
3.3
AV:L/AC:M/Au:N/C:P/I:P/A:N
Malicious local users might read or modify transferred files.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-021
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-021/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/21]
 Web page was published
2015-05-21T16:36:35+09:00
2015-05-21T16:36:35+09:00
2015-05-15T00:00:00+09:00
JVNDB-2015-002706
Information Disclosure Vulnerability in JP1/Integrated Management - Universal CMDB
An information disclosure vulnerability was found in JP1/Integrated Management - Universal CMDB.
Hitachi, Ltd
JP1/Integrated Management
cpe:/a:hitachi:jp1_integrated_management
- Universal CMDB 10.1 Full
- Universal CMDB Advanced Edition
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
When the UCMDB server uses a UD probe (DFM probe), malicious remote users can acquire data stored in the UD probe (DFM probe) by sending a crafted HTTP request to the server.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-022
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-022/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/05/21]
 Web page was published
2015-05-21T16:37:41+09:00
2015-05-21T16:37:41+09:00
2015-05-15T00:00:00+09:00
JVNDB-2015-005234
Adobe Flash Player issue where iframe contents may be overwritten
Adobe Flash Player contains an issue where the same-origin policy may be bypassed, leading to iframe contents being overwritten. Tokuji Akamine reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Adobe Inc.
Adobe AIR
cpe:/a:adobe:adobe_air
Desktop Runtime before 19.0.0.213 (Windows/Macintosh)
Adobe Inc.
Adobe AIR SDK
cpe:/a:adobe:adobe_air_sdk
before 19.0.0.213 (Windows/Macintosh/Android/iOS)
Adobe Inc.
Adobe AIR SDK & Compiler
cpe:/a:adobe:adobe_air_sdk_and_compiler
before 19.0.0.213 (Windows/Macintosh/Android/iOS)
Adobe Inc.
Adobe Flash Player
cpe:/a:adobe:flash_player
before 11.2.202.535 (Linux)
before 19.0.0.207 (Chrome on Windows/Macintosh/Linux/ChromeOS)
before 19.0.0.207 (Internet Explorer 10/11 on Windows 8.0 and 8.1)
before 19.0.0.207 (Microsoft Edge/Internet Explorer 11 on Windows 10)
Desktop Runtime before 19.0.0.207 (Windows/Macintosh)
Extended Support Release before 18.0.0.252 (Windows/Macintosh)
Google
Google Chrome
cpe:/a:google:chrome
Microsoft Corporation
Microsoft Edge
cpe:/a:microsoft:edge
(Windows 10)
Microsoft Corporation
Microsoft Internet Explorer
cpe:/a:microsoft:internet_explorer
10 (Windows 8/Windows Server 2012/Windows RT)
11 (Windows 8.1/Windows Server 2012 R2/Windows RT 8.1)
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Processing specially crafted Flash content may lead to iframe contents being overwritten.
[Apply an Update] Update to the latest version according to the information provided by the developer. This issue was addressed in the update released on October 13, 2015.
Adobe Security Bulletin
APSB15-25
https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
FUJITSU Security Information
Information of vulnerabilities in Adobe Flash Player
http://www.fmworld.net/biz/common/adobe/20151015f.html
Google
Chrome Releases
http://googlechromereleases.blogspot.jp/
Google
Google Chrome
https://www.google.com/intl/en/chrome/browser/features.html
Google
Update Google Chrome
https://support.google.com/chrome/answer/95414?hl=en
Microsoft Security Advisory
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge (2755801)
https://technet.microsoft.com/en-us/library/security/2755801
@Police
For Adobe Flash Player security fix (2015/10/14)
https://www.npa.go.jp/cyberpolice/topics/?seq=17024
Common Vulnerabilities and Exposures (CVE)
CVE-2015-7628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7628
IPA SECURITY ALERTS
Security Alert for Vulnerability in Adobe Flash Player (APSB15-25)(CVE-2015-7628 and others)
http://www.ipa.go.jp/security/ciadr/vul/20151014-adobeflashplayer.html
JPCERT REPORT
JPCERT-AT-2015-0036
https://www.jpcert.or.jp/english/at/2015/at150036.html
JVN
JVN#22533124
https://jvn.jp/en/jp/JVN22533124/index.html
National Vulnerability Database (NVD)
CVE-2015-7628
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7628
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/17]
 Web page was published
2015-12-17T15:19:51+09:00
2015-12-17T15:19:51+09:00
2015-10-13T00:00:00+09:00
JVNDB-2015-005909
ArcSight Management Center and ArcSight Logger vulnerable to cross-site scripting
ArcSight Management Center and ArcSight Logger from Hewlett-Packard Development Company L.P. contain a stored cross-site scripting vulnerability (CWE-79). Mukai Akihito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Hewlett-Packard Development Company,L.P
HP ArcSight Logger
cpe:/a:hp:arcsight_logger
versions prior to v6.1
Hewlett-Packard Development Company,L.P
HP ArcSight Management Center
cpe:/a:hp:archsight_management_center
versions prior to v2.1
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the vendor.
Hewlett-Packard Development Company, L.P.
HPSBGN03507 rev.2 - HP Arcsight Management Center, Arcsight Logger, Remote Cross-Site Scripting (XSS)
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04797406
Common Vulnerabilities and Exposures (CVE)
CVE-2015-5441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5441
JVN
JVN#51046809
https://jvn.jp/en/jp/JVN51046809/index.html
National Vulnerability Database (NVD)
CVE-2015-5441
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5441
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/11/20]
 Web page was published
2015-11-20T13:31:35+09:00
2015-11-20T13:31:35+09:00
2015-09-23T00:00:00+09:00
JVNDB-2015-006054
XML External Entity (XXE) Vulnerability in Hitachi Command Suite
An XML External Entity (XXE) vulnerability exists in Hitachi Command Suite.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
Hitachi, Ltd
Hitachi Compute Systems Manager
cpe:/a:hitachi:compute_systems_manager
Software (English version)
Software (Japanese version)
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
Software
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
A malicious attacker might exploit this vulnerability to disclose arbitrary files.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-028
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-028/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/01]
 Web page was published
[2015/12/22]
 CVSS Severity was modified
2015-12-01T15:59:03+09:00
2015-12-22T17:43:56+09:00
2015-11-30T00:00:00+09:00
JVNDB-2015-006129
Multiple Cross-site Scripting Vulnerabilities in EUR
Multiple cross-site scripting vulnerabilities were found in EUR.
Hitachi, Ltd
EUR Developer
cpe:/a:hitachi:eur_developer
Hitachi, Ltd
EUR Server Enterprise
cpe:/a:hitachi:eur_server_enterprise
Hitachi, Ltd
uCosminexus EUR Developer
cpe:/a:hitachi:ucosminexus_eur_developer
Hitachi, Ltd
uCosminexus EUR Print Manager
cpe:/a:hitachi:ucosminexus_eur_print_manager
- Report Server
Hitachi, Ltd
uCosminexus EUR Server Enterprise
cpe:/a:hitachi:ucosminexus_eur_server_enterprise
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Remote users can exploit these vulnerabilities to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-030
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-030/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/17]
 Web page was published
[2015/12/28]
 CVSS Severity was modified
2015-12-17T16:18:28+09:00
2015-12-28T13:54:54+09:00
2015-12-07T00:00:00+09:00
JVNDB-2015-006130
Vulnerability in JP1/Automatic Job Management System 3
A denial-of-service vulnerability was found in JP1/Automatic Job Management System 3.
Hitachi, Ltd
JP1/Automatic Job Management System 3
cpe:/a:hitachi:jp1_automatic_job_management_system_3
- Manager
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attackers can exploit this vulnerability to cause a denial-of-service condition by repeatedly sending malicious messages from a host on the network.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-032
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-032/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/17]
 Web page was published
[2016/09/14]
 CVSS Severity was modified
2015-12-17T16:19:00+09:00
2016-09-14T18:18:17+09:00
2015-12-07T00:00:00+09:00
JVNDB-2015-006527
Cross-site Scripting Vulnerability in uCosminexus Portal Framework and Groupmax Collaboration
A cross-site scripting vulnerability was found in uCosminexus Portal Framework and Groupmax Collaboration.
Hitachi, Ltd
Groupmax Collaboration Portal
cpe:/a:hitachi:groupmax_collaboration_portal
Hitachi, Ltd
Groupmax Collaboration Web Client
cpe:/a:hitachi:groupmax_collaboration_web_client
- Forum/File Sharing
Hitachi, Ltd
Groupmax Collaboration Web Client - Mail/Schedule
cpe:/a:hitachi:groupmax_collaboration_web_client_mail_schedule
Hitachi, Ltd
uCosminexus Collaboration Portal
cpe:/a:hitachi:ucosminexus_collaboration_portal
- Forum/File Sharing
Hitachi, Ltd
uCosminexus Portal Framework
cpe:/a:hitachi:ucosminexus_portal_framework
- Light
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Remote users can exploit a cross-site scripting vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
HS15-034
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-034/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2015/12/28]
 Web page was published
[2016/02/10]
 CVSS Severity was modified
2015-12-28T13:51:12+09:00
2016-02-10T14:36:02+09:00
2015-12-25T00:00:00+09:00