JVNDB-2016-005802
Microsoft IME may insecurely load Dynamic Link Libraries
Microsoft IME, bundled with Microsoft Windows, contains an issue in loading DLLs. When some application programs are invoked, they may initiate Microsoft IME. This IME, when initiated, checks a certain registry key for a file path to a DLL file and loads it. This registry key does not exist by default, and can be created by a normal user. If an application program is invoked with some high privilege, this mechanism can be leveraged for privilege escalation attacks. Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Microsoft Corporation
Microsoft IME
cpe:/a:microsoft:ime
Microsoft Corporation
Microsoft Windows 10
cpe:/o:microsoft:windows_10
for 32-bit Systems
for x64-based Systems
Version 1511 for 32-bit Systems
Version 1511 for x64-based Systems
Version 1607 for 32-bit Systems
Version 1607 for x64-based Systems
Microsoft Corporation
Microsoft Windows 7
cpe:/o:microsoft:windows_7
for 32-bit Systems SP1
for x64-based Systems SP1
Microsoft Corporation
Microsoft Windows 8.1
cpe:/o:microsoft:windows_8.1
for 32-bit Systems
for x64-based Systems
Microsoft Corporation
Microsoft Windows RT 8.1
cpe:/o:microsoft:windows_rt_8.1
Microsoft Corporation
Microsoft Windows Server 2008
cpe:/o:microsoft:windows_server_2008
for 32-bit Systems SP2
for 32-bit Systems SP2 (Server Core installation)
for Itanium-based Systems SP2
for x64-based Systems SP2
for x64-based Systems SP2 (Server Core installation)
R2 for Itanium-based Systems SP1
R2 for x64-based Systems SP1
R2 for x64-based Systems SP1 (Server Core installation)
Microsoft Corporation
Microsoft Windows Server 2012
cpe:/o:microsoft:windows_server_2012
(Server Core installation)
R2
R2 (Server Core installation)
Microsoft Corporation
Microsoft Windows Server 2016
cpe:/o:microsoft:windows_server_2016
for x64-based Systems
for x64-based Systems (Server Core installation)
Microsoft Corporation
Microsoft Windows Vista
cpe:/o:microsoft:windows_vista
SP2
x64 Edition SP2
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the execution privilege of the application program which initiated Microsoft IME. This can occur when a user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder and entering that folder's location in the registry key.
[Update the Software] Apply the Windows Updates according to the information provided by Microsoft. This issue is addressed in MS16-130 released on November 8th, 2016.
Microsoft Security Bulletin
MS16-130
https://technet.microsoft.com/en-us/library/security/ms16-130.aspx
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7221
IPA SECURITY ALERTS
Security Alert for Vulnerability in Microsoft IME (November 2016)(JVN#21627267)
https://www.ipa.go.jp/security/ciadr/vul/20161109-ms.html
JPCERT REPORT
JPCERT-AT-2016-0046
https://www.jpcert.or.jp/english/at/2016/at160046.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#21627267
http://jvn.jp/en/jp/JVN21627267/index.html
National Vulnerability Database (NVD)
CVE-2016-7221
https://nvd.nist.gov/vuln/detail/CVE-2016-7221
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/07] Web page was published
2017-07-07T15:47:24+09:00
2017-07-07T15:47:24+09:00
2017-07-07T00:00:00+09:00
JVNDB-2017-000001
Olive Blog vulnerable to cross-site scripting
Olive Blog provided by Olive Design contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the search parameter. Ueki Shuya reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
OliveDesign
Olive Blog
cpe:/a:olive_design:olive_blog
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use Olive Blog] Olive Blog is no longer being developed or maintained. It is recommended to stop using Olive Blog.
JVN
Information from Olive Design
http://jvn.jp/en/jp/JVN60879379/995115/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7839
JVN
JVN#60879379
https://jvn.jp/en/jp/JVN60879379/index.html
National Vulnerability Database (NVD)
CVE-2016-7839
https://nvd.nist.gov/vuln/detail/CVE-2016-7839
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/06] Web page was published; [2017/06/01] References: Content was added
2017-01-06T13:56:25+09:00
2017-06-01T15:58:55+09:00
2017-01-06T00:00:00+09:00
JVNDB-2017-000002
WEB SCHEDULE vulnerable to cross-site scripting
WEB SCHEDULE provided by Olive Design contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the month parameter.
OliveDesign
WEB SCHEDULE
cpe:/a:olive_design:web_schedule
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use WEB SCHEDULE] WEB SCHEDULE is no longer being developed or maintained. It is recommended to stop using WEB SCHEDULE.
JVN
Information from Olive Design
http://jvn.jp/en/jp/JVN12124922/995115/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7840
JVN
JVN#12124922
https://jvn.jp/en/jp/JVN12124922/index.html
National Vulnerability Database (NVD)
CVE-2016-7840
https://nvd.nist.gov/vuln/detail/CVE-2016-7840
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/06] Web page was published; [2017/06/01] References: Content was added
2017-01-06T14:01:31+09:00
2017-06-01T15:58:54+09:00
2017-01-06T00:00:00+09:00
JVNDB-2017-000003
Olive Diary DX vulnerable to cross-site scripting
Olive Diary DX provided by Olive Design contains a cross-site scripting vulnerability (CWE-79) due to a flaw in processing the page parameter.
OliveDesign
Olive Diary DX
cpe:/a:olive_design:olive_diary_dx
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use Olive Diary DX] Olive Diary DX is no longer being developed or maintained. It is recommended to stop using Olive Diary DX.
JVN
Information from Olive Design
http://jvn.jp/en/jp/JVN71538099/995115/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7841
JVN
JVN#71538099
https://jvn.jp/en/jp/JVN71538099/index.html
National Vulnerability Database (NVD)
CVE-2016-7841
https://nvd.nist.gov/vuln/detail/CVE-2016-7841
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/06] Web page was published; [2017/06/01] References: Content was added
2017-01-06T14:02:00+09:00
2017-06-01T15:58:52+09:00
2017-01-06T00:00:00+09:00
JVNDB-2017-000007
Cybozu Remote Service Manager fails to verify client certificates
Remote Service Manager provided by Cybozu, Inc. is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager fails to verify client certificates. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Remote Service Manager
cpe:/a:cybozu:remote_service_manager
3.0.0 to 3.1.4
Medium
4.9
AV:N/AC:M/Au:S/C:P/I:P/A:N
Medium
4.2
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
A user may access internal web systems that do not allow access from external networks. As a result, unintended operations may be conducted on those systems.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1277]
https://support.cybozu.com/ja-jp/article/9689
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7815
JVN
JVN#19241292
https://jvn.jp/en/jp/JVN19241292/index.html
National Vulnerability Database (NVD)
CVE-2016-7815
https://nvd.nist.gov/vuln/detail/CVE-2016-7815
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/11] Web page was published; [2017/06/06] References: Content was added
2017-01-11T13:46:46+09:00
2017-06-06T15:52:22+09:00
2017-01-11T00:00:00+09:00
JVNDB-2017-000008
AttacheCase vulnerable to directory traversal
AttacheCase is an open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Kazuki Furukawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HiBARA Software
AttacheCase
cpe:/a:hibara:attachecase
ver.2.8.2.8 and earlier
ver.3.2.0.4 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Decrypting a crafted ATC file may result in creation of an arbitrary file or overwriting of an existing file.
[Update the Software] Update to the latest version according to the information provided by the developer.
HiBARA Software
HiBARA Software website
https://hibara.org/software/attachecase/?lang=en
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7842
JVN
JVN#83917769
https://jvn.jp/en/jp/JVN83917769/index.html
National Vulnerability Database (NVD)
CVE-2016-7842
https://nvd.nist.gov/vuln/detail/CVE-2016-7842
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/16] Web page was published; [2017/06/06] References: Content was added
2017-01-16T14:35:06+09:00
2017-06-06T16:13:42+09:00
2017-01-16T00:00:00+09:00
JVNDB-2017-000009
MaruUo Factory's multiple AttacheCase products vulnerable to directory traversal
Multiple AttacheCase products provided by MaruUo Factory contain a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Kazuki Furukawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
MaruUo Factory
AttacheCase
cpe:/a:misc:maruuo_factory_attachecase
for Java Ver0.60 and earlier
Lite Ver1.4.6 and earlier
Pro Ver1.5.7 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Decrypting a crafted ATC file may result in creation of an arbitrary file or overwriting of an existing file.
[Update the Software] Update to the latest version according to the information provided by the developer. When updating AttacheCase for Java from Ver0.60 or a prior version, delete the old version first, then install Ver0.62 or the later version.
App Store
AttacheCase Pro
https://itunes.apple.com/app/attachecase-pro/id605254510?l=ja&ls=1&mt=8
App Store
AttacheCase Lite
https://itunes.apple.com/app/atasshekesu-for-iphone/id595593124?mt=8&ign-mpt=uo%3D4
MaruUo Factory
MaruUo Factory website
http://maruuofactory.life.coocan.jp/attachecase/
MaruUo Factory
Path traversal vulnerability
http://maruuofactory.life.coocan.jp/attachecase/#pathTraversal
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7843
JVN
JVN#28331227
https://jvn.jp/en/jp/JVN28331227/index.html
National Vulnerability Database (NVD)
CVE-2016-7843
https://nvd.nist.gov/vuln/detail/CVE-2016-7843
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/16] Web page was published; [2017/06/06] References: Content was added
2017-01-16T14:41:06+09:00
2017-06-06T16:13:41+09:00
2017-01-16T00:00:00+09:00
JVNDB-2017-000010
smalruby-editor vulnerable to OS command injection
smalruby-editor provided by Ruby Programming Shounendan is a web-based editor to create Ruby programs. smalruby-editor contains an OS command injection vulnerability (CWE-78). Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ruby Programming Shounendan
smalruby-editor
cpe:/a:smalruby_project:smalruby-editor
v0.4.0 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A remote attacker may execute an arbitrary OS command on the server where smalruby-editor resides.
[Update the Software] Update to the latest version according to the information provided by the developer.
Ruby Programming Shounendan
Ruby Programming Shounendan website
http://smalruby.jp/blog/2017/01/14/smalruby-editor-0-4-1-has-been-released-english.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2096
JVN
JVN#50197114
http://jvn.jp/en/jp/JVN50197114/index.html
National Vulnerability Database (NVD)
CVE-2017-2096
https://nvd.nist.gov/vuln/detail/CVE-2017-2096
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/24] Web page was published; [2017/06/06] References: Content was added
2017-01-24T13:34:11+09:00
2017-06-06T15:40:52+09:00
2017-01-24T00:00:00+09:00
JVNDB-2017-000011
Knowledge vulnerable to cross-site request forgery
Knowledge provided by support-project.org is an open-source knowledge base platform. Knowledge contains a cross-site request forgery vulnerability (CWE-352).
support-project.org
Knowledge
cpe:/a:support-project:knowledge
versions prior to v1.7.0
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
High
7.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
If a user views a malicious page while logged in, unintended operations may be performed.
[Update the Software] Update to the latest version according to the information provided by the developer.
support-project.org
support-project.org website
https://github.com/support-project/knowledge/releases
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2097
JVN
JVN#09460804
https://jvn.jp/en/jp/JVN09460804/index.html
National Vulnerability Database (NVD)
CVE-2017-2097
https://nvd.nist.gov/vuln/detail/CVE-2017-2097
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/24] Web page was published; [2017/06/06] References: Content was added
2017-01-24T14:12:04+09:00
2017-06-06T14:38:56+09:00
2017-01-24T00:00:00+09:00
JVNDB-2017-000012
Java (OGNL) code execution in Apache Struts 2 when devMode is enabled
Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating Java web applications. There is a known risk that arbitrary Java (OGNL) code may be executed in Apache Struts 2 when devMode is enabled in a production environment. It is confirmed that proof-of-concept code exploiting this issue is publicly available. Hiroshi Fujimoto and Ken Kitahara of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Struts
cpe:/a:apache:struts
2.3.30 and earlier
2.5.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
An attacker who has access to Apache Struts 2 may execute arbitrary Java (OGNL) code.
[Update the Software] Users of affected versions are recommended to update to the latest version. [Disable devMode] The developer has already published Apache Struts 2 documentation describing the risk when devMode is enabled in production. Disable devMode unless it needs to be enabled.
Apache Struts
Apache Struts
https://struts.apache.org/index.html
Apache Struts 2 Documentation
Security - Disable devMode
http://struts.apache.org/docs/security.html#Security-DisabledevMode
JVN
JVN#92395431
https://jvn.jp/en/jp/JVN92395431/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/20] Web page was published
2017-01-20T14:01:45+09:00
2017-01-20T14:01:45+09:00
2017-01-20T00:00:00+09:00
JVNDB-2017-000013
Nessus vulnerable to cross-site scripting
Nessus contains a stored cross-site scripting (CWE-79) vulnerability in handling .nessus files. Noriaki Iwasaki of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Tenable, Inc.
Nessus
cpe:/a:tenable:nessus
prior to version 6.9
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
5.2
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Arbitrary JavaScript may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Tenable Network Security
[R5] Nessus 6.9 Fixes Multiple Vulnerabilities
http://jp.tenable.com/security/tns-2016-16
Common Vulnerabilities and Exposures (CVE)
CVE-2016-9260
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9260
JVN
JVN#12796388
http://jvn.jp/en/jp/JVN12796388/index.html
National Vulnerability Database (NVD)
CVE-2016-9260
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9260
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/24] Web page was published; [2017/02/20] References: Content was added
2017-01-24T13:38:05+09:00
2017-02-20T17:44:29+09:00
2017-01-24T00:00:00+09:00
JVNDB-2017-000014
CubeCart vulnerable to directory traversal
CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability (CWE-22). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CubeCart Limited
CubeCart
cpe:/a:cubecart:cubecart
versions prior to 6.1.4
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
A local file on the server may be accessed by a remote attacker.
[Update the Software] Update to the latest version according to the information provided by the developer.
CubeCart
CubeCart 6.1.4 Released
https://forums.cubecart.com/topic/52088-cubecart-614-released/
CubeCart
Open Source Shopping Cart Software | CubeCart
https://www.cubecart.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2098
JVN
JVN#81618356
https://jvn.jp/en/jp/JVN81618356/index.html
National Vulnerability Database (NVD)
CVE-2017-2098
https://nvd.nist.gov/vuln/detail/CVE-2017-2098
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/01/27] Web page was published; [2017/06/01] References: Content was added
2017-01-27T13:49:03+09:00
2017-06-01T11:30:17+09:00
2017-01-27T00:00:00+09:00
JVNDB-2017-000015
Norton Download Manager may insecurely load Dynamic Link Libraries
Norton Download Manager provided by Symantec Japan, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Symantec Corporation
Norton Download Manager
cpe:/a:symantec:norton_download_manager
5.6 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the user running the application.
[Use the latest Norton Download Manager] Use the latest Norton Download Manager according to the information provided by the developer. The developer states the following in the advisory:
* Norton Download Manager is not updated through Liveupdate
* Delete any previously downloaded version of Norton Download Manager
* Download the updated version of Norton Download Manager associated with their Norton security product
Symantec Security Advisory
SYM17-001: Norton Download Manager DLL Loading
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170117_00
Common Vulnerabilities and Exposures (CVE)
CVE-2016-6592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6592
JVN
JVN#40667528
http://jvn.jp/en/jp/JVN40667528/index.html
National Vulnerability Database (NVD)
CVE-2016-6592
https://nvd.nist.gov/vuln/detail/CVE-2016-6592
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/10] Web page was published
2017-02-10T14:58:11+09:00
2017-02-10T14:58:11+09:00
2017-02-10T00:00:00+09:00
JVNDB-2017-000016
LaLa Call App for Android fails to verify SSL server certificates
LaLa Call App for Android provided by K-Opticom Corporation fails to verify SSL server certificates. Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
K-Opticom Corporation
LaLa Call
cpe:/a:k-opticom_corporation:lala_call
App for Android ver2.4.7 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
Google Play
LaLa Call
https://play.google.com/store/apps/details?id=jp.eonet.kopt.voip.android.mobilephone050&hl=ja
K-Opticom
K-Opticom Corporation website
https://support.lalacall.jp/news/510/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2103
JVN
JVN#01014759
https://jvn.jp/en/jp/JVN01014759/index.html
National Vulnerability Database (NVD)
CVE-2017-2103
https://nvd.nist.gov/vuln/detail/CVE-2017-2103
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/03] Web page was published; [2017/06/06] References: Content was added
2017-02-03T13:31:01+09:00
2017-06-06T11:52:07+09:00
2017-02-03T00:00:00+09:00
JVNDB-2017-000017
Business LaLa Call App for Android fails to verify SSL server certificates
Business LaLa Call App for Android provided by K-Opticom Corporation fails to verify SSL server certificates. Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
K-Opticom Corporation
Business LaLa Call
cpe:/a:k-opticom_corporation:business_lala_call
App for Android ver1.4.7 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
Google Play
Business LaLa Call
https://play.google.com/store/apps/details?id=jp.eonet.kopt.voip.android.businesslalacall&hl=ja
K-Opticom
K-Opticom Corporation website
http://business.lalacall.jp/support/news/511/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2104
JVN
JVN#21114208
https://jvn.jp/en/jp/JVN21114208/index.html
National Vulnerability Database (NVD)
CVE-2017-2104
https://nvd.nist.gov/vuln/detail/CVE-2017-2104
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/03] Web page was published; [2017/06/06] References: Content was added
2017-02-03T13:58:53+09:00
2017-06-06T11:52:05+09:00
2017-02-03T00:00:00+09:00
JVNDB-2017-000018
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
If a user accesses a malicious web page, arbitrary code may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2099
JVN
JVN#71666779
http://jvn.jp/en/jp/JVN71666779/index.html
National Vulnerability Database (NVD)
CVE-2017-2099
https://nvd.nist.gov/vuln/detail/CVE-2017-2099
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/09] Web page was published; [2017/06/01] References: Content was added
2017-02-09T14:47:55+09:00
2017-06-01T11:30:18+09:00
2017-02-09T00:00:00+09:00
JVNDB-2017-000019
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to DNS rebinding
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a DNS rebinding vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
If a user accesses a malicious web page, arbitrary code may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2100
JVN
JVN#87662835
http://jvn.jp/en/jp/JVN87662835/index.html
National Vulnerability Database (NVD)
CVE-2017-2100
https://nvd.nist.gov/vuln/detail/CVE-2017-2100
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/09] Web page was published; [2017/06/01] References: Content was added
2017-02-09T14:47:56+09:00
2017-06-01T11:30:19+09:00
2017-02-09T00:00:00+09:00
JVNDB-2017-000020
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to authentication bypass
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains an authentication bypass vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.0 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A remote unauthenticated attacker may perform an arbitrary operation.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2101
JVN
JVN#88176589
https://jvn.jp/en/jp/JVN88176589/index.html
National Vulnerability Database (NVD)
CVE-2017-2101
https://nvd.nist.gov/vuln/detail/CVE-2017-2101
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/09] Web page was published; [2017/06/01] References: Content was added
2017-02-09T14:39:37+09:00
2017-06-01T11:30:19+09:00
2017-02-09T00:00:00+09:00
JVNDB-2017-000021
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to cross-site request forgery
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a cross-site request forgery vulnerability. Shoji Baba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.0 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Medium
5
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
If a user views a malicious page while logged in, unintended operations may be performed.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2102
JVN
JVN#39008927
https://jvn.jp/en/jp/JVN39008927/index.html
National Vulnerability Database (NVD)
CVE-2017-2102
https://nvd.nist.gov/vuln/detail/CVE-2017-2102
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/09] Web page was published; [2017/06/01] References: Content was added
2017-02-09T14:40:09+09:00
2017-06-01T11:30:20+09:00
2017-02-09T00:00:00+09:00
JVNDB-2017-000022
Multiple cross-site scripting vulnerabilities in Webmin
Webmin contains multiple cross-site scripting vulnerabilities (CWE-79) due to issues in outputting error messages into an HTML page and the function to edit the database. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Webmin Project
Webmin
cpe:/a:webmin:webmin
versions prior to 1.830
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
GitHub
Strip out unsafe HTML from error messages
https://github.com/webmin/webmin/commit/475cc4fbdf51c865b291d252d81a58bad05de0c7
Webmin
Downloads
http://www.webmin.com/download.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2106
JVN
JVN#34207650
http://jvn.jp/en/jp/JVN34207650/index.html
National Vulnerability Database (NVD)
CVE-2017-2106
https://nvd.nist.gov/vuln/detail/CVE-2017-2106
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/09] Web page was published
[2017/06/02] References: Content was added
2017-02-09T14:06:10+09:00
2017-06-02T18:04:45+09:00
2017-02-09T00:00:00+09:00
JVNDB-2017-000023
TVer App for Android fails to verify SSL server certificates
TVer App for Android provided by PRESENTCAST INC. fails to verify SSL server certificates. Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
PRESENTCAST INC.
TVer
cpe:/a:presentcast_inc:tver
App for Android ver3.2.7 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
Google Play
TVer - Android Apps on Google Play
https://play.google.com/store/apps/details?id=jp.hamitv.hamiand1&hl=ja
TVer
Top Page
http://tver.jp/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2105
JVN
JVN#53880182
http://jvn.jp/en/jp/JVN53880182/index.html
National Vulnerability Database (NVD)
CVE-2017-2105
https://nvd.nist.gov/vuln/detail/CVE-2017-2105
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/10] Web page was published
[2017/06/06] References: Content was added
2017-02-10T15:14:56+09:00
2017-06-06T11:52:04+09:00
2017-02-10T00:00:00+09:00
JVNDB-2017-000024
Self-Extracting Archives created by 7-ZIP32.DLL may insecurely load Dynamic Link Libraries
7-ZIP32.DLL is an open source library for compressing and decompressing 7z and zip format files. It can also create self-extracting archive files. Self-extracting archive files created by 7-ZIP32.DLL contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Akky
7-ZIP32.DLL
cpe:/a:akky:7-zip32.dll
ver9.22.00.01 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking a vulnerable self-extracting archive file.
[Use the Latest Library to Recreate Self-Extracting Archive files] Use the latest version according to the information provided by the developer, and recreate self-extracting archive files.
AkkyWareHOUSE
Akky website
http://akky.xrea.jp/security/7-zip4.txt
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2107
JVN
JVN#86200862
http://jvn.jp/en/jp/JVN86200862/index.html
National Vulnerability Database (NVD)
CVE-2017-2107
https://nvd.nist.gov/vuln/detail/CVE-2017-2107
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/17] Web page was published
[2017/06/05] References: Content was added
2017-02-17T15:13:52+09:00
2017-06-05T11:55:36+09:00
2017-02-17T00:00:00+09:00
JVNDB-2017-000025
Apache Brooklyn vulnerable to cross-site scripting
Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains cross-site scripting vulnerabilities. It is known that proof-of-concept code to exploit these vulnerabilities exists. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Brooklyn
cpe:/a:apache:brooklyn
0.9.0 and all prior versions
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Upgrade to Apache Brooklyn 0.10.0] According to the developer, Apache Brooklyn 0.10.0 includes the following commit. * pull request #35: JS clean-up
Apache Brooklyn
Release Notes Version 0.10.0
https://brooklyn.apache.org/v/0.10.0/misc/release-notes.html
Apache Brooklyn
CVE-2017-3165: Cross-site vulnerabilities in Apache Brooklyn
https://brooklyn.apache.org/community/security/CVE-2017-3165.html
GitHub
pull request #35: JS clean-up
https://github.com/apache/brooklyn-ui/pull/35
Common Vulnerabilities and Exposures (CVE)
CVE-2017-3165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3165
JVN
JVN#55489964
http://jvn.jp/en/jp/JVN55489964/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/15] Web page was published
2017-02-15T16:20:49+09:00
2017-02-15T16:20:49+09:00
2017-02-15T00:00:00+09:00
JVNDB-2017-000026
Apache Brooklyn vulnerable to cross-site request forgery
Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains a cross-site request forgery vulnerability. It is known that proof-of-concept code to exploit this vulnerability exists. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apache Software Foundation
Apache Brooklyn
cpe:/a:apache:brooklyn
0.9.0 and all prior versions
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Unintended operations may be performed on Brooklyn server with the privilege of a user, when the user views a malicious page while logged in to the Brooklyn server.
[Upgrade to Apache Brooklyn 0.10.0] According to the developer, Apache Brooklyn 0.10.0 includes the following commits. * pull request #430: Use CSRF headers and pull request #37: request and set the csrf header protection added to brooklyn server
Apache Brooklyn
Release Notes Version 0.10.0
https://brooklyn.apache.org/v/0.10.0/misc/release-notes.html
Apache Brooklyn
CVE-2016-8737: Cross-site request forgery vulnerability in Apache Brooklyn
https://brooklyn.apache.org/community/security/CVE-2016-8737.html
GitHub
pull request #37: request and set the csrf header protection added to brooklyn server
https://github.com/apache/brooklyn-ui/pull/37
GitHub
pull request #430: Use CSRF headers
https://github.com/apache/brooklyn-server/pull/430
Common Vulnerabilities and Exposures (CVE)
CVE-2016-8737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8737
JVN
JVN#55489964
http://jvn.jp/en/jp/JVN55489964/index.html
National Vulnerability Database (NVD)
CVE-2016-8737
https://nvd.nist.gov/vuln/detail/CVE-2016-8737
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/15] Web page was published
1
2018-03-07T09:51:07+09:00
[2018/03/07] References: Content was added
2017-02-15T16:20:47+09:00
2018-03-07T14:35:57+09:00
2017-02-15T00:00:00+09:00
JVNDB-2017-000027
Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. is groupware. Cybozu Garoon contains an SQL injection vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.3
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
A user may execute arbitrary SQL commands.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1207]
https://support.cybozu.com/ja-jp/article/9499
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2090
JVN
JVN#73182875
http://jvn.jp/en/jp/JVN73182875/index.html
National Vulnerability Database (NVD)
CVE-2017-2090
https://nvd.nist.gov/vuln/detail/CVE-2017-2090
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/20] Web page was published
[2017/06/01] References: Content was added
2017-02-20T15:38:35+09:00
2017-06-01T15:05:21+09:00
2017-02-20T00:00:00+09:00
JVNDB-2017-000028
Cybozu Garoon fails to restrict access permission in the Phone Messages function
Cybozu Garoon provided by Cybozu, Inc. is groupware. Cybozu Garoon contains an access restriction flaw in the Phone Messages function. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.3
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A user may set unconfirmed phone messages to be displayed as if they have already been confirmed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1215]
https://support.cybozu.com/ja-jp/article/9570
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2091
JVN
JVN#73182875
http://jvn.jp/en/jp/JVN73182875/index.html
National Vulnerability Database (NVD)
CVE-2017-2091
https://nvd.nist.gov/vuln/detail/CVE-2017-2091
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/20] Web page was published
[2017/06/01] References: Content was added
2017-02-20T15:38:34+09:00
2017-06-01T15:05:24+09:00
2017-02-20T00:00:00+09:00
JVNDB-2017-000029
Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon provided by Cybozu, Inc. is groupware. Cybozu Garoon contains a cross-site scripting vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.3
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Arbitrary scripts may be executed on the logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1225]
https://support.cybozu.com/ja-jp/article/9555
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2092
JVN
JVN#73182875
http://jvn.jp/en/jp/JVN73182875/index.html
National Vulnerability Database (NVD)
CVE-2017-2092
https://nvd.nist.gov/vuln/detail/CVE-2017-2092
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/20] Web page was published
[2017/06/01] References: Content was added
2017-02-20T15:38:32+09:00
2017-06-01T15:05:27+09:00
2017-02-20T00:00:00+09:00
JVNDB-2017-000030
Cybozu Garoon vulnerable to information disclosure
Cybozu Garoon provided by Cybozu, Inc. is groupware. Cybozu Garoon contains an information disclosure vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.3
Medium
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Token used for cross-site request forgery (CSRF) protection may be disclosed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1251]
https://support.cybozu.com/ja-jp/article/9647
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2093
JVN
JVN#73182875
https://jvn.jp/en/jp/JVN73182875/index.html
National Vulnerability Database (NVD)
CVE-2017-2093
https://nvd.nist.gov/vuln/detail/CVE-2017-2093
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/20] Web page was published
[2017/06/01] References: Content was added
2017-02-20T15:40:02+09:00
2017-06-01T15:05:32+09:00
2017-02-20T00:00:00+09:00
JVNDB-2017-000031
Cybozu Garoon fails to restrict access permission in Workflow and the function "MultiReport"
Cybozu Garoon provided by Cybozu, Inc. is groupware. Cybozu Garoon contains an access restriction flaw in Workflow and the function "MultiReport". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.3
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A user may alter or delete information of Workflow and the multi report function, which the user does not have permission to access.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1276]
https://support.cybozu.com/ja-jp/article/9655
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2094
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2094
JVN
JVN#73182875
https://jvn.jp/en/jp/JVN73182875/index.html
National Vulnerability Database (NVD)
CVE-2017-2094
https://nvd.nist.gov/vuln/detail/CVE-2017-2094
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/20] Web page was published
[2017/06/01] References: Content was added
2017-02-20T15:40:04+09:00
2017-06-01T15:05:34+09:00
2017-02-20T00:00:00+09:00
JVNDB-2017-000032
Cybozu Garoon fails to restrict access permission in the mail function
Cybozu Garoon provided by Cybozu, Inc. is groupware. Cybozu Garoon contains an access restriction flaw in the mail function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.3
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A user may alter the order of the mail folders.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1287]
https://support.cybozu.com/ja-jp/article/9660
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2095
JVN
JVN#73182875
https://jvn.jp/en/jp/JVN73182875/index.html
National Vulnerability Database (NVD)
CVE-2017-2095
https://nvd.nist.gov/vuln/detail/CVE-2017-2095
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/20] Web page was published
[2017/06/01] References: Content was added
2017-02-20T15:40:05+09:00
2017-06-01T15:05:36+09:00
2017-02-20T00:00:00+09:00
JVNDB-2017-000033
PrimeDrive Desktop Application Installer may insecurely load Dynamic Link Libraries
PrimeDrive Desktop Application is the client application for the PrimeDrive online storage service provided by SoftBank Corp. The installer of PrimeDrive Desktop Application may insecurely load specific Dynamic Link Libraries located in the same directory (CWE-427). Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SoftBank
PrimeDrive Desktop Application
cpe:/a:softbank:primedrive_desktop_application
version 1.4.3 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the Latest Installer] Use the latest installer according to the information provided by the developer. According to SoftBank Corp., users who have already installed PrimeDrive Desktop Application and use it do not need to re-install the application, because this vulnerability can be exploited only when installing the software and the application itself is not affected by this vulnerability.
Softbank
SoftBank Corp. website
http://www.softbank.jp/biz/news/cloud/170426/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2108
JVN
JVN#88713190
http://jvn.jp/en/jp/JVN88713190/index.html
National Vulnerability Database (NVD)
CVE-2017-2108
https://nvd.nist.gov/vuln/detail/CVE-2017-2108
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/01] Web page was published
[2017/05/15] Vendor Information: Update status; References: Content was added
2017-03-01T15:53:06+09:00
2017-05-15T11:27:59+09:00
2017-03-01T00:00:00+09:00
JVNDB-2017-000034
Access CX App fails to verify SSL server certificates
Access CX App provided by NISSAN SECURITIES CO., LTD. fails to verify SSL server certificates. Gaku Taniguchi of RiskFinder, inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NISSAN SECURITIES CO., LTD.
Access CX App
cpe:/a:nissan_securities:access_cx
for Android prior to Ver2.0.0.1
for iOS prior to Ver2.0.2
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
App Store
Access CX
https://itunes.apple.com/jp/app/akusesucx/id931352116?mt=8
Google Play
Access CX
https://play.google.com/store/apps/details?id=jp.co.nc_sec.accesscx.android&hl=ja
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2110
JVN
JVN#82619692
http://jvn.jp/en/jp/JVN82619692/index.html
National Vulnerability Database (NVD)
CVE-2017-2110
https://nvd.nist.gov/vuln/detail/CVE-2017-2110
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/01] Web page was published
[2017/06/05] References: Content was added
2017-03-01T16:31:51+09:00
2017-06-05T11:26:34+09:00
2017-03-01T00:00:00+09:00
JVNDB-2017-000035
WBCE CMS vulnerable to cross-site scripting
WBCE CMS provided by WBCE Team is an open-source Contents Management System (CMS). WBCE CMS contains a cross-site scripting vulnerability (CWE-79). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WBCE Team
WBCE CMS
cpe:/a:wbce:wbce_cms
1.1.10 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer. [Apply the Patch] The patch for WBCE CMS 1.1.3 to 1.1.10 is available. Apply the patch according to the information provided by the developer.
WBCE Team
Announcements >> WBCE 1.1.11 Security/Maintenance Rel.
https://forum.wbce.org/viewtopic.php?id=977
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2118
JVN
JVN#73083905
http://jvn.jp/en/jp/JVN73083905/index.html
National Vulnerability Database (NVD)
CVE-2017-2118
https://nvd.nist.gov/vuln/detail/CVE-2017-2118
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/28] Web page was published
[2017/06/01] References: Content was added
2017-02-28T14:21:17+09:00
2017-06-01T12:28:04+09:00
2017-02-28T00:00:00+09:00
JVNDB-2017-000036
WBCE CMS vulnerable to directory traversal
WBCE CMS provided by WBCE Team is an open-source Contents Management System (CMS). WBCE CMS contains a directory traversal vulnerability (CWE-22). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WBCE Team
WBCE CMS
cpe:/a:wbce:wbce_cms
1.1.10 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
An arbitrary local file on the server may be accessed by a remote attacker. An arbitrary local file outside of WBCE CMS may be deleted by an administrator of WBCE CMS.
[Update the software] Update to the latest version according to the information provided by the developer. [Apply the Patch] The patch for WBCE CMS 1.1.3 to 1.1.10 is available. Apply the patch according to the information provided by the developer.
WBCE Team
Announcements >> WBCE 1.1.11 Security/Maintenance Rel.
https://forum.wbce.org/viewtopic.php?id=977
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2119
JVN
JVN#73083905
http://jvn.jp/en/jp/JVN73083905/index.html
National Vulnerability Database (NVD)
CVE-2017-2119
https://nvd.nist.gov/vuln/detail/CVE-2017-2119
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/28] Web page was published
[2017/06/01] References: Content was added
2017-02-28T14:21:51+09:00
2017-06-01T12:28:06+09:00
2017-02-28T00:00:00+09:00
JVNDB-2017-000037
WBCE CMS vulnerable to SQL injection
WBCE CMS provided by WBCE Team is an open-source Contents Management System (CMS). WBCE CMS contains an SQL injection vulnerability (CWE-89). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WBCE Team
WBCE CMS
cpe:/a:wbce:wbce_cms
1.1.10 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
An unexpected SQL command may be executed by a WBCE CMS administrator.
[Update the software] Update to the latest version according to the information provided by the developer. [Apply the Patch] The patch for WBCE CMS 1.1.3 to 1.1.10 is available. Apply the patch according to the information provided by the developer.
WBCE Team
Announcements >> WBCE 1.1.11 Security/Maintenance Rel.
https://forum.wbce.org/viewtopic.php?id=977
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2120
JVN
JVN#73083905
http://jvn.jp/en/jp/JVN73083905/index.html
National Vulnerability Database (NVD)
CVE-2017-2120
https://nvd.nist.gov/vuln/detail/CVE-2017-2120
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/28] Web page was published
[2017/06/01] References: Content was added
2017-02-28T14:22:28+09:00
2017-06-01T12:28:08+09:00
2017-02-28T00:00:00+09:00
JVNDB-2017-000038
CubeCart vulnerable to directory traversal
CubeCart from CubeCart Limited is an open source system for creating online shopping websites. CubeCart contains a directory traversal vulnerability (CWE-22). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CubeCart Limited
CubeCart
cpe:/a:cubecart:cubecart
versions prior to 6.1.5
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
4.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
A local file outside of CubeCart may be accessed by an administrator of CubeCart.
[Update the Software] Update to the latest version according to the information provided by the developer.
CubeCart
CubeCart 6.1.5 Released
https://forums.cubecart.com/topic/52188-cubecart-615-released/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2117
JVN
JVN#63474730
http://jvn.jp/en/jp/JVN63474730/index.html
National Vulnerability Database (NVD)
CVE-2017-2117
https://nvd.nist.gov/vuln/detail/CVE-2017-2117
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/02/28] Web page was published
[2017/06/01] References: Content was added
2017-02-28T14:13:58+09:00
2017-06-01T12:18:19+09:00
2017-02-28T00:00:00+09:00
JVNDB-2017-000039
Multiple I-O DATA network camera products vulnerable to HTTP header injection
Multiple network camera products provided by I-O DATA DEVICE, INC. contain an HTTP header injection vulnerability. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
TS-PTCAM firmware
cpe:/o:i-o_data_device:ts-ptcam_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-PTCAM/POE firmware
cpe:/o:i-o_data_device:ts-ptcam%2Fpoe_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WLC2 firmware
cpe:/o:i-o_data_device:ts-wlc2_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WLCE firmware
cpe:/o:i-o_data_device:ts-wlce_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM firmware
cpe:/o:i-o_data_device:ts-wptcam_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM2 firmware
cpe:/o:i-o_data_device:ts-wptcam2_firmware
version 1.00
I-O DATA DEVICE, INC.
TS-WRLC firmware
cpe:/o:i-o_data_device:ts-wrlc_firmware
version 1.17 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Forged information may be displayed on the logged-in user's web browser by exploiting HTTP response splitting.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/camera201702/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2111
JVN
JVN#46830433
http://jvn.jp/en/jp/JVN46830433/index.html
National Vulnerability Database (NVD)
CVE-2017-2111
https://nvd.nist.gov/vuln/detail/CVE-2017-2111
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/02] Web page was published
[2017/03/08] Affected Products: Product was added
[2017/06/06] References: Content was added
2017-03-02T14:36:25+09:00
2017-06-06T15:52:23+09:00
2017-03-02T00:00:00+09:00
JVNDB-2017-000040
Multiple I-O DATA network camera products vulnerable to OS command injection
Multiple network camera products provided by I-O DATA DEVICE, INC. contain an OS command injection vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
TS-PTCAM firmware
cpe:/o:i-o_data_device:ts-ptcam_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-PTCAM/POE firmware
cpe:/o:i-o_data_device:ts-ptcam%2Fpoe_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WLC2 firmware
cpe:/o:i-o_data_device:ts-wlc2_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WLCE firmware
cpe:/o:i-o_data_device:ts-wlce_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM firmware
cpe:/o:i-o_data_device:ts-wptcam_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM2 firmware
cpe:/o:i-o_data_device:ts-wptcam2_firmware
version 1.00
I-O DATA DEVICE, INC.
TS-WRLC firmware
cpe:/o:i-o_data_device:ts-wrlc_firmware
version 1.17 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A remote unauthenticated attacker may execute an arbitrary OS command on the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/camera201702/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2112
JVN
JVN#46830433
http://jvn.jp/en/jp/JVN46830433/index.html
National Vulnerability Database (NVD)
CVE-2017-2112
https://nvd.nist.gov/vuln/detail/CVE-2017-2112
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/02] Web page was published
[2017/03/08] Affected Products: Product was added
[2017/06/06] References: Content was added
2017-03-02T14:36:26+09:00
2017-06-06T15:52:25+09:00
2017-03-02T00:00:00+09:00
JVNDB-2017-000041
Multiple I-O DATA network camera products vulnerable to buffer overflow
Multiple network camera products provided by I-O DATA DEVICE, INC. contain a buffer overflow vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
TS-PTCAM firmware
cpe:/o:i-o_data_device:ts-ptcam_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-PTCAM/POE firmware
cpe:/o:i-o_data_device:ts-ptcam%2Fpoe_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WLC2 firmware
cpe:/o:i-o_data_device:ts-wlc2_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WLCE firmware
cpe:/o:i-o_data_device:ts-wlce_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM firmware
cpe:/o:i-o_data_device:ts-wptcam_firmware
version 1.18 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM2 firmware
cpe:/o:i-o_data_device:ts-wptcam2_firmware
version 1.00
I-O DATA DEVICE, INC.
TS-WRLC firmware
cpe:/o:i-o_data_device:ts-wrlc_firmware
version 1.17 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A remote unauthenticated attacker may execute an arbitrary OS command on the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/camera201702/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2113
JVN
JVN#46830433
http://jvn.jp/en/jp/JVN46830433/index.html
National Vulnerability Database (NVD)
CVE-2017-2113
https://nvd.nist.gov/vuln/detail/CVE-2017-2113
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/02] Web page was published
[2017/03/08] Affected Products: Product was added
[2017/06/05] References: Content was added
2017-03-02T14:36:28+09:00
2017-06-05T11:10:40+09:00
2017-03-02T00:00:00+09:00
JVNDB-2017-000042
OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability (CWE-79) due to an issue in processing the language selection screen. Note that this vulnerability is different from JVN#13003724. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SpiQe Software
OneThird CMS
cpe:/a:spiqe:onethird
v1.73 Heaven's Door and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
For the users who have installed OneThird CMS already: [Update the Software] Update to the latest version according to the information provided by the developer. For the users who are to install OneThird CMS for the first time: [Install using OneThird CMS Online Installer or OneThird CMS v1.80 Show Off and later] Install using OneThird CMS Online Installer or OneThird CMS v1.80 Show Off and later according to the information provided by the developer.
SpiQe Software
download
https://onethird.net/en/download
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2123
JVN
JVN#49408248
https://jvn.jp/en/jp/JVN49408248/index.html
National Vulnerability Database (NVD)
CVE-2017-2123
https://nvd.nist.gov/vuln/detail/CVE-2017-2123
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/08]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-03-08T09:57:32+09:00
2017-06-01T12:28:09+09:00
2017-03-07T00:00:00+09:00
JVNDB-2017-000043
OneThird CMS vulnerable to cross-site scripting
OneThird CMS provided by SpiQe Software contains a cross-site scripting vulnerability (CWE-79) due to an issue in processing the inquiry form. Note that this vulnerability is different from JVN#49408248. Satoshi Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SpiQe Software
OneThird CMS
cpe:/a:spiqe:onethird
v1.73 Heaven's Door and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
SpiQe Software
download
https://onethird.net/en/download
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2124
JVN
JVN#13003724
https://jvn.jp/en/jp/JVN13003724/index.html
National Vulnerability Database (NVD)
CVE-2017-2124
https://nvd.nist.gov/vuln/detail/CVE-2017-2124
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/08]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-03-08T09:57:35+09:00
2017-06-01T15:08:23+09:00
2017-03-07T00:00:00+09:00
JVNDB-2017-000044
CentreCOM AR260S V2 vulnerable to privilege escalation
CentreCOM AR260S V2 provided by Allied Telesis K.K. is a wired LAN router. CentreCOM AR260S V2 contains a privilege escalation vulnerability. Ziv Chang of Trend Micro Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Allied Telesis
CentreCOM AR260S V2
cpe:/h:allied_telesis_k.k.:centrecom_ar260s_v2
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
High
8
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Unintended operations may be performed with administrative privileges by a user who can log into the product with the "guest" account.
[Apply Workarounds] The following workarounds may mitigate the impacts of this vulnerability.
* Change the password of the account "guest": The default password of the account "guest" is publicly known. Change the password of the account "guest" immediately to prevent an unauthenticated attacker from logging into the product.
* Do not allow untrusted persons to use the account "guest": Once logged into the vulnerable product as "guest", this vulnerability can be exploited. Therefore, do not allow untrusted persons to use the "guest" account.
* Enable the firewall protection: The product has a firewall protection, and it is enabled by default. Enable the firewall to protect the product from unintended access from the WAN side.
Allied Telesis
Vulnerability of privilege elevation on CentreCOM AR260S V2
http://www.allied-telesis.co.jp/support/list/faq/vuls/20170330aen.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2125
JVN
JVN#55121369
https://jvn.jp/en/jp/JVN55121369/index.html
National Vulnerability Database (NVD)
CVE-2017-2125
https://nvd.nist.gov/vuln/detail/CVE-2017-2125
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/30]\n Web page was published\n[2017/06/05]\n References : Content was added
2017-03-30T14:37:12+09:00
2017-06-05T10:51:05+09:00
2017-03-30T00:00:00+09:00
JVNDB-2017-000045
Cybozu KUNAI for Android information management vulnerability
Cybozu KUNAI for Android is mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android provides a function to output log information when synchronizing data with Cybozu; however, the function is disabled by default. Cybozu KUNAI for Android contains an issue where it outputs log information when its data is synchronized with Cybozu for the first time, even if the log output function is disabled. Kusano Kazuhiko reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu KUNAI
cpe:/a:cybozu:kunai
for Android 3.0.4 to 3.0.5.1
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Low
2.5
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
If a user of Cybozu KUNAI for Android uses another malicious Android application, the log information managed by Cybozu KUNAI for Android may be disclosed.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1166]
https://support.cybozu.com/ja-jp/article/9836
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2109
JVN
JVN#88745657
https://jvn.jp/en/jp/JVN88745657/index.html
National Vulnerability Database (NVD)
CVE-2017-2109
https://nvd.nist.gov/vuln/detail/CVE-2017-2109
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/13]\n Web page was published\n[2017/06/02]\n References : Content was added
2017-03-13T13:42:14+09:00
2017-06-02T18:04:47+09:00
2017-03-13T00:00:00+09:00
JVNDB-2017-000047
Security guide for website operators vulnerable to OS command injection
Security guide for website operators provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains an OS command injection vulnerability (CWE-78) due to an issue in loading saved data. This vulnerability was reported by IPA to notify users of its solution through JVN. JPCERT/CC and IPA coordinated under the Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Security guide for website operators
cpe:/a:ipa:introduction_to_safe_website_operation
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
When specially crafted saved data is loaded, an arbitrary OS command may be executed.
[Do not use Security guide for website operators] The developer has stated that support for Security guide for website operators has been discontinued, and therefore recommends that users stop using it.
IPA
Security guide for website operators
https://www.ipa.go.jp/security/vuln/7incidents/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2128
JVN
JVN#11448789
https://jvn.jp/en/jp/JVN11448789/index.html
National Vulnerability Database (NVD)
CVE-2017-2128
https://nvd.nist.gov/vuln/detail/CVE-2017-2128
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/16]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-03-16T13:32:24+09:00
2017-06-01T15:08:27+09:00
2017-03-16T00:00:00+09:00
JVNDB-2017-000049
Installer of PhishWall Client Internet Explorer version may insecurely load Dynamic Link Libraries
PhishWall Client Internet Explorer version, provided by SecureBrain Corporation, is an anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer version contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). According to the developer, the affected installer was built using a version of Install Shield with all Hotfixes applied as of August 2016. The developer has confirmed that the version of Install Shield with the most recent Hotfix applied addresses this issue. For details on the Hotfixes, refer to Best Practices to Avoid Windows Setup Launcher Executable Issues. Yuji Tounai of NTT Communications Corporation and Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SecureBrain Corporation
The Installer of PhishWall Client
cpe:/a:securebrain:phishwall_client
Internet Explorer version, Ver. 3.7.13 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed PhishWall Client Internet Explorer version do not need to re-install the application, because this issue affects the installer only.
Flexera Software
Best Practices to Avoid Windows Setup Launcher Executable Issues
https://flexeracommunity.force.com/customer/articles/INFO/Best-Practices-to-Avoid-Windows-Setup-Launcher-Executable-Issues
SecureBrain Corporation
SecureBrain Corporation website
http://www.securebrain.co.jp/about/news/2017/03/170316.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2130
JVN
JVN#93699304
https://jvn.jp/en/jp/JVN93699304/index.html
National Vulnerability Database (NVD)
CVE-2017-2130
https://nvd.nist.gov/vuln/detail/CVE-2017-2130
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/22]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-03-22T14:43:00+09:00
2017-06-01T17:16:28+09:00
2017-03-22T00:00:00+09:00
JVNDB-2017-000050
WordPress plugin "YOP Poll" vulnerable to cross-site scripting
The WordPress plugin "YOP Poll" contains a stored cross-site scripting (CWE-79) vulnerability. Sho Ueshima, Takashi Honda, Tsuyoshi Ogawa and Minaho Umehara of SIE Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
YOP
YOP Poll
cpe:/a:misc:yop_yop_poll
versions prior to 5.8.1
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application.
[Update the plugin] Update the plugin according to the information provided by the developer.
YOP Poll
WordPress Plugins - YOP Poll - Changelog
https://wordpress.org/plugins/yop-poll/changelog/
YOP Poll
Changeset 1608599 for yop-poll/trunk/models/custom_field_model.php
https://plugins.trac.wordpress.org/changeset/1608599#file3
YOP Poll
Changeset 1608599 for yop-poll/trunk/models/question_model.php
https://plugins.trac.wordpress.org/changeset/1608599#file4
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2127
JVN
JVN#55294532
https://jvn.jp/en/jp/JVN55294532/index.html
National Vulnerability Database (NVD)
CVE-2017-2127
https://nvd.nist.gov/vuln/detail/CVE-2017-2127
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/03/23]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-03-23T12:23:01+09:00
2017-06-01T15:08:25+09:00
2017-03-23T00:00:00+09:00
JVNDB-2017-000054
ASSETBASE vulnerable to cross-site scripting
ASSETBASE provided by UCHIDA YOKO CO., LTD. is an IT asset management tool. ASSETBASE contains a cross-site scripting vulnerability (CWE-79). Keitaro Yamazaki of Kyoto University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
UCHIDA YOKO CO., LTD.
ASSETBASE
cpe:/a:uchida_yoko_co._ltd:assetbase
Ver.8.0 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user who is logged in as an administrator.
[Update the Software] Update to the latest version according to the information provided by the developer.
[Apply a Workaround] Until an update can be applied, the following workaround may mitigate the effect of this vulnerability.
* Do not access suspicious hyperlinks while logged into the product
* Log out immediately when the operation is finished
UCHIDA YOKO CO., LTD.
UCHIDA YOKO CO., LTD. website
http://www.asset-base.jp/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2134
JVN
JVN#82019695
https://jvn.jp/en/jp/JVN82019695/index.html
National Vulnerability Database (NVD)
CVE-2017-2134
https://nvd.nist.gov/vuln/detail/CVE-2017-2134
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/11]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-11T13:37:28+09:00
2017-06-01T17:16:26+09:00
2017-04-11T00:00:00+09:00
JVNDB-2017-000055
NETGEAR ProSAFE Plus Configuration Utility vulnerable to improper access control
ProSAFE Plus Configuration Utility provided by NETGEAR is a Windows application to configure and manage NETGEAR's ProSAFE Plus and Click Switches. An operator uses the utility to log in to and configure NETGEAR switches. When the utility is invoked, it starts listening on a certain port for SOAP requests. The utility executes configuration tasks for switches according to the SOAP requests. The utility accepts connections from the network, so unintended operations may be conducted on the switches through the utility (CWE-284). Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NETGEAR
ProSAFE Plus Configuration Utility
cpe:/o:netgear:prosafe_plus_configuration_utility
prior to 2.3.29
Low
2.9
AV:A/AC:M/Au:N/C:N/I:P/A:N
Low
3.4
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
The Configuration Utility may be manipulated by some unexpected SOAP requests to configure the connected switch.
[Update the Software] Update to the latest version according to the information provided by the developer.
NETGEAR Support
Security Advisory for Insecure SOAP Access in ProSAFE Plus Configuration Utility, PSV-2017-1997
https://kb.netgear.com/000038443/Security-Advisory-for-Insecure-SOAP-Access-in-ProSAFE-Plus-Configuration-Utility-PSV-2017-1997?cid=wmt_netgear_organic
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2137
JVN
JVN#08740778
https://jvn.jp/en/jp/JVN08740778/index.html
National Vulnerability Database (NVD)
CVE-2017-2137
https://nvd.nist.gov/vuln/detail/CVE-2017-2137
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/18]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-18T13:42:57+09:00
2017-06-01T15:24:06+09:00
2017-04-18T00:00:00+09:00
JVNDB-2017-000056
CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions (CWE-425). Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Simtech Ltd.
CS-Cart
cpe:/a:misc:simtech_ltd_cs-cart
Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An unauthenticated remote attacker may obtain consumers' information, such as names and street addresses, registered on the website.
[Update the Software] Update to the latest version according to the information provided by the developer.
Frogman Office
Frogman Office Inc. website
http://tips.cs-cart.jp/fix-jvn-14396697.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2139
JVN
JVN#14396697
https://jvn.jp/en/jp/JVN14396697/index.html
National Vulnerability Database (NVD)
CVE-2017-2139
https://nvd.nist.gov/vuln/detail/CVE-2017-2139
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/10]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-10T18:13:29+09:00
2017-06-01T17:39:42+09:00
2017-04-06T00:00:00+09:00
JVNDB-2017-000057
CS-Cart Japanese Edition vulnerable to cross-site request forgery
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site request forgery (CWE-352) vulnerability. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Simtech Ltd.
CS-Cart
cpe:/a:misc:simtech_ltd_cs-cart
Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
If a consumer views a malicious page while logged in, an unintended item may be purchased.
[Update the Software] Update to the latest version according to the information provided by the developer.
Frogman Office
Frogman Office Inc. website
http://tips.cs-cart.jp/fix-csrf-20170406.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2138
JVN
JVN#87770873
https://jvn.jp/en/jp/JVN87770873/index.html
National Vulnerability Database (NVD)
CVE-2017-2138
https://nvd.nist.gov/vuln/detail/CVE-2017-2138
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/10]\n Web page was published\n[2018/01/24]\n References : Content was added
2017-04-10T18:13:56+09:00
2018-01-24T13:49:53+09:00
2017-04-06T00:00:00+09:00
JVNDB-2017-000058
Tablacus Explorer vulnerable to script injection
Tablacus Explorer is a tabbed file manager. Tablacus Explorer contains a script injection vulnerability due to improper handling of directory names. Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Gaku
Tablacus Explorer
cpe:/a:gaku:tablacus_explorer
17.3.30 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
When a user accesses a crafted directory, an arbitrary script may be executed on Tablacus Explorer. As a result, an arbitrary OS command may be executed with the privilege of Tablacus Explorer.
[Update the Software] Update to the latest version according to the information provided by the developer.
Gaku
Gaku website
http://www.eonet.ne.jp/~gakana/tablacus/explorer_en.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2140
JVN
JVN#64451600
http://jvn.jp/en/jp/JVN64451600/index.html
National Vulnerability Database (NVD)
CVE-2017-2140
https://nvd.nist.gov/vuln/detail/CVE-2017-2140
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/07]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-07T14:47:27+09:00
2017-06-01T15:24:04+09:00
2017-04-07T00:00:00+09:00
JVNDB-2017-000059
WN-G300R3 vulnerable to OS command injection
WN-G300R3 provided by I-O DATA DEVICE, INC. contains an OS command injection vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
WN-G300R3 firmware
cpe:/o:i-o_data_device:wn-g300r3_firmware
Ver.1.03 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An authenticated attacker may execute an arbitrary OS command on the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/wn-g300r3/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2141
JVN
JVN#81024552
http://jvn.jp/en/jp/JVN81024552/index.html
National Vulnerability Database (NVD)
CVE-2017-2141
https://nvd.nist.gov/vuln/detail/CVE-2017-2141
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/10]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-10T13:36:36+09:00
2017-06-01T15:24:03+09:00
2017-04-10T00:00:00+09:00
JVNDB-2017-000060
WN-G300R3 vulnerable to stack based buffer overflow
WN-G300R3 provided by I-O DATA DEVICE, INC. contains a stack-based buffer overflow vulnerability. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
WN-G300R3 firmware
cpe:/o:i-o_data_device:wn-g300r3_firmware
Ver.1.03 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An attacker who can access the product may execute an arbitrary OS command on the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/wn-g300r3/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2142
JVN
JVN#81024552
http://jvn.jp/en/jp/JVN81024552/index.html
National Vulnerability Database (NVD)
CVE-2017-2142
https://nvd.nist.gov/vuln/detail/CVE-2017-2142
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/10]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-10T13:40:08+09:00
2017-06-01T13:53:18+09:00
2017-04-10T00:00:00+09:00
JVNDB-2017-000061
CS-Cart Japanese Edition fails to restrict access permissions
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition fails to restrict access permissions (CWE-425). Note that this vulnerability is different from JVN#14396697. Hirota Kazuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Simtech Ltd.
CS-Cart
cpe:/a:misc:simtech_ltd_cs-cart
Japanese Edition v4.3.10-jp-1 and earlier
Multivendor Japanese Edition v4.3.10-jp-1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
An unauthenticated remote attacker may create a request to return an item that a consumer has purchased.
[Update the Software] Update to the latest version according to the information provided by the developer.
Frogman Office
Frogman Office Inc. website
http://tips.cs-cart.jp/fix-jvn-25598952.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2143
JVN
JVN#25598952
https://jvn.jp/en/jp/JVN25598952/index.html
National Vulnerability Database (NVD)
CVE-2017-2143
https://nvd.nist.gov/vuln/detail/CVE-2017-2143
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/10]\n Web page was published\n[2017/04/13]\n Affected Products : Product version was modified\n[2017/06/06]\n References : Content was added
2017-04-10T13:47:14+09:00
2017-06-06T11:52:12+09:00
2017-04-10T00:00:00+09:00
JVNDB-2017-000062
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a reflected cross-site scripting vulnerability (CWE-79). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
VeronaLabs
WP Statistics
cpe:/a:veronalabs:wp_statistics
version 12.0.1 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
WP Statistics
WP Statistics V12.0.2/3 Released!
https://wp-statistics.com/wp-statistics-v12-0-23-released/
WP Statistics
Change Log
https://wp-statistics.com/change-log/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2135
JVN
JVN#17633442
https://jvn.jp/en/jp/JVN17633442/index.html
National Vulnerability Database (NVD)
CVE-2017-2135
https://nvd.nist.gov/vuln/detail/CVE-2017-2135
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/10]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-10T13:47:16+09:00
2017-06-01T15:24:01+09:00
2017-04-10T00:00:00+09:00
JVNDB-2017-000063
The design setting screen in Cybozu Office vulnerable to cross-site scripting
The design setting screen in Cybozu Office contains a cross-site scripting vulnerability. Kazuto Sagamihara reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.5.0
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Arbitrary scripts may be executed on the logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1164]
https://support.cybozu.com/ja-jp/article/9738
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2114
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2114
JVN
JVN#17535578
http://jvn.jp/en/jp/JVN17535578/index.html
National Vulnerability Database (NVD)
CVE-2017-2114
https://nvd.nist.gov/vuln/detail/CVE-2017-2114
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/11]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-11T16:05:01+09:00
2017-06-01T11:30:20+09:00
2017-04-11T00:00:00+09:00
JVNDB-2017-000064
Cybozu Office fails to restrict access permission in the file export function in "customapp"
Cybozu Office contains an access restriction flaw in the file export function in "customapp". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.5.0
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Information in "customapp" may be obtained by another logged-in user.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1239]
https://support.cybozu.com/ja-jp/article/9737
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2115
JVN
JVN#17535578
http://jvn.jp/en/jp/JVN17535578/index.html
National Vulnerability Database (NVD)
CVE-2017-2115
https://nvd.nist.gov/vuln/detail/CVE-2017-2115
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/11]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-11T16:05:02+09:00
2017-06-01T11:30:21+09:00
2017-04-11T00:00:00+09:00
JVNDB-2017-000065
Cybozu Office fails to restrict access permission in the templates delete function in "customapp"
Cybozu Office contains an access restriction flaw in the templates delete function in "customapp". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.5.0
Medium
5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
"customapp" templates may be deleted by another logged-in user.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1241]
https://support.cybozu.com/ja-jp/article/9736
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2116
JVN
JVN#17535578
http://jvn.jp/en/jp/JVN17535578/index.html
National Vulnerability Database (NVD)
CVE-2017-2116
https://nvd.nist.gov/vuln/detail/CVE-2017-2116
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/11]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-11T16:05:04+09:00
2017-06-01T12:18:17+09:00
2017-04-11T00:00:00+09:00
JVNDB-2017-000066
The API in Cybozu Office vulnerable to denial-of-service (DoS)
The API in Cybozu Office contains a denial-of-service (DoS) vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.5.0
High
7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A denial-of-service (DoS) attack may cause a web server to crash.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1278]
https://support.cybozu.com/ja-jp/article/9735
Common Vulnerabilities and Exposures (CVE)
CVE-2016-4449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449
JVN
JVN#17535578
http://jvn.jp/en/jp/JVN17535578/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/11]\n Web page was published
2017-04-11T16:05:06+09:00
2017-04-11T16:05:06+09:00
2017-04-11T00:00:00+09:00
JVNDB-2017-000067
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79) in multiple pages due to a flaw in processing HTTP Referer headers. Note that this vulnerability is different from JVN#77253951. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
VeronaLabs
WP Statistics
cpe:/a:veronalabs:wp_statistics
version 12.0.4 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user accessing the page generated by the application.
[Update the plugin] Update the plugin according to the information provided by the developer.
WP Statistics
WP Statistics V12.0.5 released!
https://wp-statistics.com/wp-statistics-v12-0-5-released/
WP Statistics
Change Log
https://wp-statistics.com/change-log/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2136
JVN
JVN#62392065
http://jvn.jp/en/jp/JVN62392065/index.html
National Vulnerability Database (NVD)
CVE-2017-2136
https://nvd.nist.gov/vuln/detail/CVE-2017-2136
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/13]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-13T13:49:33+09:00
2017-06-01T15:23:59+09:00
2017-04-13T00:00:00+09:00
JVNDB-2017-000068
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79). Note that this vulnerability is different from JVN#62392065. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
VeronaLabs
WP Statistics
cpe:/a:veronalabs:wp_statistics
version 12.0.4 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user accessing the page generated by the application.
[Update the plugin] Update the plugin according to the information provided by the developer.
WP Statistics
WP Statistics V12.0.5 released!
https://wp-statistics.com/wp-statistics-v12-0-5-released/
WP Statistics
Change Log
https://wp-statistics.com/change-log/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2147
JVN
JVN#77253951
http://jvn.jp/en/jp/JVN77253951/index.html
National Vulnerability Database (NVD)
CVE-2017-2147
https://nvd.nist.gov/vuln/detail/CVE-2017-2147
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/13]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-13T13:49:35+09:00
2017-06-01T13:53:20+09:00
2017-04-13T00:00:00+09:00
JVNDB-2017-000069
Multiple installers of Toshiba memory card related software may insecurely load Dynamic Link Libraries
Multiple installers of Toshiba memory card related software contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA
SDHC Memory Card with embedded TransferJet functionality Configuration Software
cpe:/a:toshiba:sdhc_memory_card_with_transferjet_setting_software
V1.02 and earlier
TOSHIBA
SDHC Memory Card with embedded TransferJet functionality Software Update tool
cpe:/a:toshiba:sdhc_memory_card_with_transferjet_firmware_updatetool
V1.00.06 and earlier
TOSHIBA
SDHC Memory Card with embedded wireless LAN functionality FlashAir Configuration Software
cpe:/a:toshiba:wlan_sdhc_memory_card_flashair_setting_software
V3.0.2 and earlier
TOSHIBA
SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool
cpe:/a:toshiba:wlan_sdhc_memory_card_flashair_setting_software_updatetool
(SD-WB/WL series) V1.00.04 and earlier
(SD-WD/WC series<W-02>) V2.00.03 and earlier
(SD-WE series<W-03>) V3.00.01
TOSHIBA
SDHC/SDXC Memory Card with embedded NFC functionality Software Update Tool
cpe:/a:toshiba:nfc_sdhc_%2F_sdxc_memory_card_software_updatetool
V1.00.03 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installers] Use the latest installers according to the information provided by the developer. Users who have already installed the software do not need to re-install the application, because this issue affects the installers only.
Toshiba
Toshiba Corporation website
http://www.toshiba-personalstorage.net/news/20170414.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2149
JVN
JVN#05340816
http://jvn.jp/en/jp/JVN05340816/index.html
National Vulnerability Database (NVD)
CVE-2017-2149
https://nvd.nist.gov/vuln/detail/CVE-2017-2149
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/14]\n Web page was published\n[2017/12/21]\n References : Content was added
2017-04-14T14:09:21+09:00
2017-12-21T17:50:44+09:00
2017-04-14T00:00:00+09:00
JVNDB-2017-000070
WN-AC1167GR vulnerable to cross-site scripting
WN-AC1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AC1167GR contains a stored cross-site scripting vulnerability (CWE-79). Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
WN-AC1167GR firmware
cpe:/o:i-o_data_device:wn-ac1167gr_firmware
version 1.04 and earlier
Low
1.4
AV:A/AC:H/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
If a user accesses a malicious URL while logged in, an arbitrary script may be executed on the user's web browser.
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/wn-ac1167gr/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2148
JVN
JVN#01537659
http://jvn.jp/en/jp/JVN01537659/index.html
National Vulnerability Database (NVD)
CVE-2017-2148
https://nvd.nist.gov/vuln/detail/CVE-2017-2148
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/14]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-14T13:55:29+09:00
2017-06-01T13:53:21+09:00
2017-04-14T00:00:00+09:00
JVNDB-2017-000071
SEIL Series routers vulnerable to denial-of-service (DoS)
The DNS forwarder, the PPP Access Concentrator (L2TP) and the Measure (iPerf server) function in SEIL Series routers provided by Internet Initiative Japan Inc. contain a denial-of-service (DoS) vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Internet Initiative Japan Inc. coordinated under the Information Security Early Warning Partnership.
Internet Initiative Japan Inc.
SEIL/B1
cpe:/h:iij:seil%2Fb1
1.00 to 5.62
Internet Initiative Japan Inc.
SEIL/BPV4
cpe:/h:iij:seil%2Fbpv4
5.00 to 5.62
Internet Initiative Japan Inc.
SEIL/X1
cpe:/h:iij:seil%2Fx1
1.30 to 5.62
Internet Initiative Japan Inc.
SEIL/X2
cpe:/h:iij:seil%2Fx2
1.30 to 5.62
Internet Initiative Japan Inc.
SEIL/x86 Fuji
cpe:/h:iij:seil_x86_fuji
1.70 to 5.62
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Receiving a specially crafted SSTP packet may result in the device becoming unresponsive.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
IIJ
Information from Internet Initiative Japan Inc.
http://www.seil.jp/support/security/a01783.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2153
JVN
JVN#86171513
https://jvn.jp/en/jp/JVN86171513/index.html
National Vulnerability Database (NVD)
CVE-2017-2153
https://nvd.nist.gov/vuln/detail/CVE-2017-2153
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/19]\n Web page was published\n[2017/06/06]\n References : Content was added
2017-04-19T14:43:22+09:00
2017-06-06T14:50:44+09:00
2017-04-19T00:00:00+09:00
JVNDB-2017-000072
WNC01WH vulnerable to OS command injection
WNC01WH provided by BUFFALO INC. is a network camera. WNC01WH contains an OS command injection vulnerability (CWE-78). Kiyotaka ATSUMI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
WNC01WH firmware
cpe:/o:buffalo_inc:wnc01wh_firmware
version 1.0.0.9 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed by an authenticated attacker.
[Update the Firmware] Update to the latest version of firmware according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20161201.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2152
JVN
JVN#48790793
https://jvn.jp/en/jp/JVN48790793/index.html
National Vulnerability Database (NVD)
CVE-2017-2152
https://nvd.nist.gov/vuln/detail/CVE-2017-2152
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/21]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-21T13:44:43+09:00
2017-06-01T13:53:26+09:00
2017-04-21T00:00:00+09:00
JVNDB-2017-000073
WordPress plugin "Booking Calendar" vulnerable to directory traversal
The WordPress plugin "Booking Calendar" provided by wpdevelop contains a directory traversal vulnerability (CWE-22). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
wpdevelop
Booking Calendar
cpe:/a:booking_calendar_project:booking_calendar
version 7.0 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
A local file outside of the application on the server may be accessed by a remote attacker.
[Update the Software] Update to the latest version according to the information provided by the developer.
Booking Calendar
Changelog
http://wpbookingcalendar.com/changelog/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2150
JVN
JVN#18739672
http://jvn.jp/en/jp/JVN18739672/index.html
National Vulnerability Database (NVD)
CVE-2017-2150
https://nvd.nist.gov/vuln/detail/CVE-2017-2150
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/20]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-20T15:11:27+09:00
2017-06-01T13:53:23+09:00
2017-04-20T00:00:00+09:00
JVNDB-2017-000074
WordPress plugin "Booking Calendar" vulnerable to cross-site scripting
The WordPress plugin "Booking Calendar" provided by wpdevelop contains a stored cross-site scripting vulnerability (CWE-79). Satoshi Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
wpdevelop
Booking Calendar
cpe:/a:booking_calendar_project:booking_calendar
version 7.1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user accessing the page generated by the application.
[Update the Software] Update to the latest version according to the information provided by the developer.
Booking Calendar
Changelog
http://wpbookingcalendar.com/changelog/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2151
JVN
JVN#54762089
http://jvn.jp/en/jp/JVN54762089/index.html
National Vulnerability Database (NVD)
CVE-2017-2151
https://nvd.nist.gov/vuln/detail/CVE-2017-2151
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/20]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-20T15:11:29+09:00
2017-06-01T13:53:25+09:00
2017-04-20T00:00:00+09:00
JVNDB-2017-000075
Hoozin Viewer vulnerable to buffer overflow
Hoozin Viewer provided by ICON CORPORATION contains a buffer overflow vulnerability (CWE-121). Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ICON CORPORATION
Hoozin Viewer
cpe:/a:i.con_corporation:hoozin_viewer
Ver2
Ver3
Ver4.1.5.15 and earlier
Ver5.1.2.13 and earlier
Ver6.0.3.09 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Medium
5
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
If a user views a malicious page, arbitrary code may be executed.
[Update the Software] Update to the latest version according to the information provided by the developer.
ICON CORPORATION
ICON CORPORATION website
http://www.icon-co.jp/news/20170420/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2155
JVN
JVN#93931029
https://jvn.jp/en/jp/JVN93931029/index.html
National Vulnerability Database (NVD)
CVE-2017-2155
https://nvd.nist.gov/vuln/detail/CVE-2017-2155
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/20]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-20T14:48:03+09:00
2017-06-01T13:40:22+09:00
2017-04-20T00:00:00+09:00
JVNDB-2017-000076
Multiple JustSystems products including Hanako may insecurely load Dynamic Link Libraries
Hanako and multiple software suites containing Hanako provided by JustSystems Corporation contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JustSystems Corporation
Hanako
cpe:/a:justsystems:hanako
2015
2016
2017
2017 trial version
JustSystems Corporation
Hanako Police
cpe:/a:justsystems:hanako_police
5
JustSystems Corporation
Hanako Pro
cpe:/a:justsystems:hanako_pro
3
JustSystems Corporation
Just Frontier
cpe:/a:justsystems:just_frontier
3
JustSystems Corporation
JUST Government
cpe:/a:justsystems:just_government
3
JustSystems Corporation
Just Jump
cpe:/a:justsystems:just_jump
Class 2
JustSystems Corporation
JUST Office
cpe:/a:justsystems:just_office
3 & Tri-De DataProtect Package
3 [Eco Print Package]
3 [Standard]
JustSystems Corporation
JUST Police
cpe:/a:justsystems:just_police
3
JustSystems Corporation
Just School
cpe:/a:justsystems:justschool
6 Premium
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the user running the application.
[Update the Software] Update to the latest version according to the information provided by the developer.
JustSystems Corporation
[JS17002] Vulnerability in Hanako may allow arbitrary code execution
https://www.justsystems.com/jp/info/js17002.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2154
JVN
JVN#54268888
https://jvn.jp/en/jp/JVN54268888/index.html
National Vulnerability Database (NVD)
CVE-2017-2154
https://nvd.nist.gov/vuln/detail/CVE-2017-2154
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/20]\n Web page was published\n[2017/06/01]\n References : Content was added
2017-04-20T15:11:47+09:00
2017-06-01T13:40:21+09:00
2017-04-20T00:00:00+09:00
JVNDB-2017-000077
Installer of Vivaldi for Windows may insecurely load executable files
The installer of Vivaldi for Windows contains an issue in the file search path when loading files, which may insecurely load executable files (CWE-427). Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Vivaldi Technologies
Vivaldi
cpe:/a:vivaldi:vivaldi_installer_for_windows
installer for windows prior to version 1.7.735.48
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed Vivaldi do not need to re-install the application, because this issue affects the installer only.
Vivaldi Technologies
Vulnerability Disclosure: Vivaldi installer for Windows could run arbitrary downloaded code (JVN#71572107)
https://vivaldi.com/security/vulnerability-disclosure-vivaldi-installer-for-windows-could-run-arbitrary-downloaded-code-jvn71572107/
Vivaldi Technologies
Vivaldi
https://vivaldi.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2156
JVN
JVN#71572107
https://jvn.jp/en/jp/JVN71572107/index.html
National Vulnerability Database (NVD)
CVE-2017-2156
https://nvd.nist.gov/vuln/detail/CVE-2017-2156
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/04/25]\n Web page was published\n[2017/06/06]\n References : Content was added
2017-04-25T13:36:32+09:00
2017-06-06T15:04:39+09:00
2017-04-25T00:00:00+09:00
JVNDB-2017-000078
SOY CMS vulnerable to directory traversal
SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is a Content Management System (CMS). SOY CMS contains a directory traversal vulnerability (CWE-22) due to a flaw in processing the shop_id parameter. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Nippon Institute of Agroinformatics
SOY CMS
cpe:/a:n-i-agroinformatics:soy_cms
Ver.1.8.1 to Ver.1.8.12
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
An authenticated attacker may execute arbitrary PHP code on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Nippon Institute of Agroinformatics Ltd.
Nippon Institute of Agroinformatics Ltd. website
https://www.soycms.net/release_note/article/SOY_CMS_Ver.1.8.13
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2163
JVN
JVN#51819749
http://jvn.jp/en/jp/JVN51819749/index.html
National Vulnerability Database (NVD)
CVE-2017-2163
https://nvd.nist.gov/vuln/detail/CVE-2017-2163
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/11]\n Web page was published\n[2017/11/27]\n References : Content was added
2017-05-11T13:36:27+09:00
2017-11-27T17:23:07+09:00
2017-05-11T00:00:00+09:00
JVNDB-2017-000079
The installer of SOY CMS vulnerable to cross-site scripting
SOY CMS provided by Nippon Institute of Agroinformatics Ltd. is a Content Management System (CMS). The installer of SOY CMS contains a cross-site scripting vulnerability (CWE-79) due to a flaw in parameter processing. Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Nippon Institute of Agroinformatics
SOY CMS
cpe:/a:n-i-agroinformatics:soy_cms
with installer, 1.8.12 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
When a user accesses a malicious page that leads to where the SOY CMS installer resides, an arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer. According to the developer, the installer should be removed after the installation is completed.
Nippon Institute of Agroinformatics Ltd.
Nippon Institute of Agroinformatics Ltd. website
https://www.soycms.net/release_note/article/SOY_CMS_Ver.1.8.13
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2164
JVN
JVN#51978169
http://jvn.jp/en/jp/JVN51978169/index.html
National Vulnerability Database (NVD)
CVE-2017-2164
https://nvd.nist.gov/vuln/detail/CVE-2017-2164
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/11]\n Web page was published\n[2017/11/27]\n References : Content was added
2017-05-11T13:37:04+09:00
2017-11-27T17:23:05+09:00
2017-05-11T00:00:00+09:00
JVNDB-2017-000080
PrimeDrive Desktop Application Installer may insecurely load executable files
PrimeDrive Desktop Application is the client application for PrimeDrive online storage service provided by SoftBank Corp. The installer of PrimeDrive Desktop Application contains an issue with the file search path, which may insecurely load executable files (CWE-427). Eili Masami of Tachibana Lab. and Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SoftBank
PrimeDrive Desktop Application
cpe:/a:softbank:primedrive_desktop_application
version 1.4.4 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the Latest Installer] Use the latest installer according to the information provided by the developer. According to SoftBank Corp., users who have already installed PrimeDrive Desktop Application and use it do not need to re-install the application, because this vulnerability can only be exploited when installing the software and the application itself is not affected by this vulnerability.
Softbank
SoftBank Corp. website
http://www.softbank.jp/biz/news/cloud/170426/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2167
JVN
JVN#16248227
http://jvn.jp/en/jp/JVN16248227/index.html
National Vulnerability Database (NVD)
CVE-2017-2167
https://nvd.nist.gov/vuln/detail/CVE-2017-2167
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/12]\n Web page was published\n[2017/11/27]\n References : Content was added
2017-05-12T13:36:24+09:00
2017-11-27T16:55:29+09:00
2017-05-12T00:00:00+09:00
JVNDB-2017-000082
Nessus vulnerable to cross-site scripting
Nessus provided by Tenable Network Security, Inc. contains a stored cross-site scripting vulnerability (CWE-79) (CVE-2017-2122). An authenticated user may store crafted contents to Nessus. According to the developer, another stored cross-site scripting vulnerability (CVE-2017-5179) was found and fixed in Nessus 6.9.3 as well as the issue of CVE-2017-2122. For more information, please see the developer's advisory. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability (CVE-2017-2122) to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Tenable, Inc.
Nessus
cpe:/a:tenable:nessus
6.8.0, 6.8.1, 6.9.0, 6.9.1, 6.9.2
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Arbitrary JavaScript may be executed in the logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Tenable Network Security
TNS-2017-01 - Nessus 6.9.3 Fixes Two Vulnerabilities
https://www.tenable.com/security/tns-2017-01
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2122
JVN
JVN#87760109
http://jvn.jp/en/jp/JVN87760109/index.html
National Vulnerability Database (NVD)
CVE-2017-2122
https://nvd.nist.gov/vuln/detail/CVE-2017-2122
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/09]\n Web page was published\n[2017/11/27]\n References : Content was added
2017-05-09T13:52:02+09:00
2017-11-27T16:55:27+09:00
2017-05-09T00:00:00+09:00
JVNDB-2017-000083
The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries
The installer of The Public Certification Service for Individuals "The JPKI user's software" provided by Japan Agency for Local Authority Information Systems (J-LIS) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Note that this vulnerability is different from JVN#91002412. Eiji James Yoshida of Security Professionals Network Inc. and Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Japan Agency for Local Authority Information Systems
The Public Certification Service for Individuals "The JPKI user's software"
cpe:/a:j-lis:the_public_certification_service_for_individuals
(for Windows 7 and later) Ver3.1 and earlier
(for Windows Vista)
Ver2.6 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer of The Public Certification Service for Individuals "The JPKI user's software"] Use the latest installer of The Public Certification Service for Individuals "The JPKI user's software", according to the information provided by J-LIS. Note that The Public Certification Service for Individuals "The JPKI user's software (for Windows Vista)" and the software Ver2.6 are no longer being developed or maintained.
J-LIS
JPKI Client Software for Windows download
https://www.jpki.go.jp/download/win.html#dl
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2157
JVN
JVN#39605485
http://jvn.jp/en/jp/JVN39605485/index.html
National Vulnerability Database (NVD)
CVE-2017-2157
https://nvd.nist.gov/vuln/detail/CVE-2017-2157
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/09]\n Web page was published\n[2017/11/27]\n References : Content was added
2017-05-09T13:52:33+09:00
2017-11-27T17:23:04+09:00
2017-05-09T00:00:00+09:00
JVNDB-2017-000089
GroupSession fails to restrict access permissions
GroupSession provided by Japan Total System Co.,Ltd. is open source groupware. GroupSession fails to restrict access permissions. Norihiko Hirukawa of FiveDrive Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Japan Total System Co.,Ltd.
GroupSession
cpe:/a:groupsession:groupsession
version 4.6.4 and earlier
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
An authenticated attacker may obtain other users' sensitive information such as email.
[Update the Software] Update to the latest version according to the information provided by the developer.
JVN
Information from Japan Total System Co.,Ltd.
http://jvn.jp/en/jp/JVN42164352/995424/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2165
JVN
JVN#42164352
http://jvn.jp/en/jp/JVN42164352/index.html
National Vulnerability Database (NVD)
CVE-2017-2165
https://nvd.nist.gov/vuln/detail/CVE-2017-2165
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/25]\n Web page was published\n[2018/01/24]\n References : Content was added
2017-05-25T14:14:43+09:00
2018-01-24T11:59:26+09:00
2017-05-25T00:00:00+09:00
JVNDB-2017-000090
FlashAir fails to restrict access permissions in PhotoShare
FlashAir by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. The FlashAir PhotoShare function enables sharing the selected data with other users by switching the original wireless LAN connection, set by FlashAir default, to the wireless LAN connection for PhotoShare. FlashAir fails to restrict access permissions (CWE-425) in PhotoShare. Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA
FlashAir
cpe:/a:toshiba:flashair
SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04 and earlier
SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and earlier
Low
2.7
AV:A/AC:L/Au:S/C:P/I:N/A:N
Low
3.5
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
A user who accesses PhotoShare may obtain image data that are set not to be shared with other users. Because of the vulnerability stated in JVN#81820501, when enabling PhotoShare with web browsers, an attacker with access to the wireless LAN may obtain these image data.
[Update the software and configure appropriate wireless LAN setting] Update to the latest software versions of the product using the latest version of FlashAir Software Update tool (V3.00.02 or V2.00.04), and set SSID and password using the appropriate application (either for Android or iOS) to prevent unintended access. For more details, refer to the information provided by the developer.
Toshiba
Photoshare of FlashAir may have a security vulnerability to access restriction
http://www.toshiba-personalstorage.net/news/20170516a.htm
Toshiba
How to Use the Photoshare function
http://www.toshiba-personalstorage.net/support/manual/flashair/wewdwc/photoshare.htm
Toshiba
SDHC Memory Card with embedded wireless LAN functionality FlashAir(SD-WD/WC series<W-02>)
http://www.toshiba-personalstorage.net/endproduct/flashair/index_j.htm
Toshiba
SDHC Memory Card with embedded wireless LAN functionality FlashAir(SD-WE series<W-03>)
http://www.toshiba-personalstorage.net/product/flashair/index_j.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2161
JVN
JVN#46372675
http://jvn.jp/en/jp/JVN46372675/index.html
National Vulnerability Database (NVD)
CVE-2017-2161
https://nvd.nist.gov/vuln/detail/CVE-2017-2161
JVNDB
CWE-284
Improper Access Control
https://cwe.mitre.org/data/definitions/284.html
0
2018-02-17T10:37:53+09:00
[2017/05/16]\n Web page was published\n[2017/12/21]\n References : Content was added
2017-05-16T15:34:10+09:00
2017-12-21T19:13:27+09:00
2017-05-16T00:00:00+09:00
JVNDB-2017-000091
FlashAir does not set credential information in PhotoShare
FlashAir by Toshiba Corporation is an SDHC memory card which provides wireless LAN access functions. The FlashAir PhotoShare function enables sharing the image data in a certain folder with other users by switching the original wireless LAN connection, set by FlashAir default, to the wireless LAN connection for PhotoShare. When enabling PhotoShare with a mobile application (either for Android or iOS), the application prompts a user to set credentials. But when enabling PhotoShare with web browsers, the wireless LAN connection for PhotoShare cannot be enabled, and default credentials are set to the other wireless network configured to the device. As a result, a remote attacker with access to the wireless LAN may obtain image data by using default credentials (CWE-284). Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA
FlashAir
cpe:/a:toshiba:flashair
SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.03 and earlier
SDHC Memory Card (SD-WE Series <W-03>) V3.00.01 and earlier
Low
3.3
AV:A/AC:L/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
If PhotoShare is enabled by web browsers, an attacker with access to the wireless LAN may obtain image data.
[Use mobile application] When enabling PhotoShare, use the mobile application (either for Android or for iOS) to set SSID and password. According to the developer, the firmware versions listed below and later disable the PhotoShare setting from web browsers. * FlashAir SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 * FlashAir SDHC Memory Card (SD-WD/WC Series <W-02>) V2.00.04
Toshiba
SDHC Memory Card with embedded wireless LAN functionality FlashAir (SD-WE series<W-03>)
http://www.toshiba-personalstorage.net/product/flashair/index_j.htm
Toshiba
How to Use the Photoshare function
http://www.toshiba-personalstorage.net/support/manual/flashair/wewdwc/photoshare.htm
Toshiba
Photoshare of FlashAir may have a security vulnerability to a fixed password
http://www.toshiba-personalstorage.net/news/20170516a.htm
Toshiba
SDHC Memory Card with embedded wireless LAN functionality FlashAir (SD-WD/WC series<W-02>)
http://www.toshiba-personalstorage.net/endproduct/flashair/index_j.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2162
JVN
JVN#81820501
http://jvn.jp/en/jp/JVN81820501/index.html
National Vulnerability Database (NVD)
CVE-2017-2162
https://nvd.nist.gov/vuln/detail/CVE-2017-2162
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/16] Web page was published. [2017/12/21] References: Content was added.
2017-05-16T15:46:11+09:00
2017-12-21T19:16:58+09:00
2017-05-16T00:00:00+09:00
JVNDB-2017-000092
WordPress plugin "WP Booking System" vulnerable to cross-site scripting
The WordPress plugin "WP Booking System" provided by WP Booking System contains a stored cross-site scripting vulnerability (CWE-79). Satoshi Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WP Booking System
WP Booking System
cpe:/a:wpbookingsystem:wp_booking_system
Free version prior to version 1.4
Premium version prior to version 3.7
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user who is logged in as an administrator.
[Update the plugin] Update the plugin according to the information provided by the developer. The developer states: The Free (1.4 and higher) and the Premium version (3.7 and higher) are patched. Update the plugin or contact the plugin developer at support@wpbookingsystem.com if you have any questions.
WP Booking System
WordPress Plugins - WP Booking System - Changelog
https://wordpress.org/plugins/wp-booking-system/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2168
JVN
JVN#96165722
http://jvn.jp/en/jp/JVN96165722/index.html
National Vulnerability Database (NVD)
CVE-2017-2168
https://nvd.nist.gov/vuln/detail/CVE-2017-2168
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/16] Web page was published. [2018/01/17] References: Content was added.
2017-05-16T13:58:35+09:00
2018-01-17T11:46:14+09:00
2017-05-16T00:00:00+09:00
JVNDB-2017-000093
WordPress plugin "MaxButtons" vulnerable to cross-site scripting
The WordPress plugin "MaxButtons" provided by Max Foundry contains a cross-site scripting vulnerability (CWE-79). ASAI Ken and Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Max Foundry, LLC.
MaxButtons
cpe:/a:max_foundry:maxbuttons
prior to version 6.19
Pro prior to version 6.19
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Max Foundry, LLC.
WordPress Plugins - MaxButtons - Changelog
https://wordpress.org/plugins/maxbuttons/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2169
JVN
JVN#70411623
http://jvn.jp/en/jp/JVN70411623/index.html
National Vulnerability Database (NVD)
CVE-2017-2169
https://nvd.nist.gov/vuln/detail/CVE-2017-2169
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/16] Web page was published. [2018/01/17] References: Content was added.
2017-05-16T13:59:06+09:00
2018-01-17T12:28:50+09:00
2017-05-16T00:00:00+09:00
JVNDB-2017-000094
Multiple BestWebSoft WordPress plugins vulnerable to cross-site scripting
Multiple WordPress Plugins provided by BestWebSoft use a common function for displaying the BestWebSoft menu. This function contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BestWebSoft
Captcha
cpe:/a:bestwebsoft:captcha
prior to version 4.3.0
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
BestWebSoft
Information from BestWebSoft
http://jvn.jp/en/jp/JVN24834813/995622/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2171
JVN
JVN#24834813
http://jvn.jp/en/jp/JVN24834813/index.html
National Vulnerability Database (NVD)
CVE-2017-2171
https://nvd.nist.gov/vuln/detail/CVE-2017-2171
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/16] Web page was published. [2017/11/27] References: Content was added.
2017-05-16T14:00:13+09:00
2017-11-27T17:04:04+09:00
2017-05-16T00:00:00+09:00
JVNDB-2017-000096
Empirical Project Monitor - eXtended vulnerable to cross-site scripting
Empirical Project Monitor - eXtended provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains a stored cross-site scripting vulnerability (CWE-79). Note that this vulnerability is different from JVN#11326581. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Empirical Project Monitor - eXtended
cpe:/a:ipa:empirical_project_monitor_-_extended
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use Empirical Project Monitor - eXtended] The developer has stated that the development and support of Empirical Project Monitor - eXtended have been discontinued, and therefore recommends that users stop using it.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/sec/info/20170519.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2173
JVN
JVN#85512750
http://jvn.jp/en/jp/JVN85512750/index.html
National Vulnerability Database (NVD)
CVE-2017-2173
https://nvd.nist.gov/vuln/detail/CVE-2017-2173
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/19] Web page was published. [2017/11/27] References: Content was added.
2017-05-19T14:53:38+09:00
2017-11-27T18:01:32+09:00
2017-05-19T00:00:00+09:00
JVNDB-2017-000097
Empirical Project Monitor - eXtended vulnerable to cross-site scripting
Empirical Project Monitor - eXtended provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains a reflected cross-site scripting vulnerability. Note that this vulnerability is different from JVN#85512750. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Empirical Project Monitor - eXtended
cpe:/a:ipa:empirical_project_monitor_-_extended
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use Empirical Project Monitor - eXtended] The developer has stated that the development and support of Empirical Project Monitor - eXtended have been discontinued, and therefore recommends that users stop using it.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/sec/info/20170519.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2174
JVN
JVN#11326581
http://jvn.jp/en/jp/JVN11326581/index.html
National Vulnerability Database (NVD)
CVE-2017-2174
https://nvd.nist.gov/vuln/detail/CVE-2017-2174
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/19] Web page was published. [2017/11/27] References: Content was added.
2017-05-19T14:55:27+09:00
2017-11-27T18:01:30+09:00
2017-05-19T00:00:00+09:00
JVNDB-2017-000098
The installer of Empirical Project Monitor - eXtended may insecurely load Dynamic Link Libraries
The installer of Empirical Project Monitor - eXtended provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Empirical Project Monitor - eXtended
cpe:/a:ipa:empirical_project_monitor_-_extended
(Installer)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use the installer of Empirical Project Monitor - eXtended] The developer has stated that the development and support of Empirical Project Monitor - eXtended have been discontinued, and therefore recommends that users stop using the installer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/sec/info/20170519.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2175
JVN
JVN#12493656
http://jvn.jp/en/jp/JVN12493656/index.html
National Vulnerability Database (NVD)
CVE-2017-2175
https://nvd.nist.gov/vuln/detail/CVE-2017-2175
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/19] Web page was published. [2017/11/27] References: Content was added.
2017-05-19T14:57:17+09:00
2017-11-27T18:01:29+09:00
2017-05-19T00:00:00+09:00
JVNDB-2017-000099
SSL Visibility Appliance may generate illegal RST packets
SSL Visibility Appliance provided by Blue Coat Systems, Inc. is used as a transparent proxy for encrypted traffic management. It is reported that the appliance generates RST packets with incorrect sequence numbers when it receives HTTPS requests from certain web browsers. When the web server behind the appliance fails to handle these incorrect RST packets, it keeps the encrypted session open indefinitely. This behavior may be used to cause a denial-of-service (DoS) condition on the server side. According to the developer, this issue does not affect the appliance. NTT-ME CORPORATION Cyber Security Center reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Blue Coat Systems, Inc.
SSL Visibility Appliance
cpe:/a:bluecoat:ssl_visibility_appliance
3.8.4FC, 3.9, 3.10, and 3.11 prior to 3.11.3.1
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
High
7.2
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
A denial-of-service (DoS) attack against a server may be conducted by an unauthenticated remote attacker.
[Update the Appliance] Update to the latest version according to the information provided by the developer.
Security Advisories
SA142: Invalid TCP Packet Generation DoS in SSL Visibility
https://www.symantec.com/security-center/network-protection-security-advisories/SA142
Common Vulnerabilities and Exposures (CVE)
CVE-2016-10259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10259
JVN
JVN#91438377
http://jvn.jp/en/jp/JVN91438377/index.html
National Vulnerability Database (NVD)
CVE-2016-10259
https://nvd.nist.gov/vuln/detail/CVE-2016-10259
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/24] Web page was published. [2017/05/31] Vendor Information: Link was modified.
2017-05-24T14:41:24+09:00
2017-05-31T19:27:52+09:00
2017-05-24T00:00:00+09:00
JVNDB-2017-000100
Installer of electronic tendering and bid opening system provided by Acquisition, Technology & Logistics Agency may insecurely load Dynamic Link Libraries
Installer of electronic tendering and bid opening system provided by Acquisition, Technology & Logistics Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Acquisition, Technology & Logistics Agency (ATLA)
Installer of electronic tendering and bid opening system
cpe:/a:atla:electronic_tendering_and_bid_opening_system
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be exploited when the following condition is met: * A user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder. If this vulnerability is exploited, arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already built the bidding environment by using the installer are not affected by this vulnerability.
ATLA
Regarding the electronic bidding (Important notice)
http://www.mod.go.jp/atla/souhon/cals/nyusatsu_top.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2178
JVN
JVN#75514460
http://jvn.jp/en/jp/JVN75514460/index.html
National Vulnerability Database (NVD)
CVE-2017-2178
https://nvd.nist.gov/vuln/detail/CVE-2017-2178
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/25] Web page was published. [2018/01/17] References: Content was added.
2017-05-25T14:14:47+09:00
2018-01-17T13:58:33+09:00
2017-05-25T00:00:00+09:00
JVNDB-2017-000101
Installers of the screensavers provided by JAPAN AIR SELF DEFENSE FORCE, MINISTRY OF DEFENSE may insecurely load Dynamic Link Libraries
Installers of the screensavers provided by JAPAN AIR SELF DEFENSE FORCE, MINISTRY OF DEFENSE contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Japan Air Self-Defense Force (JASDF)
Screensaver
cpe:/a:jasdf:screensavers
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be exploited when the following condition is met: * A user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder. If this vulnerability is exploited, arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not install the screensavers] The screensavers are no longer being developed or maintained. It is recommended not to install the screensavers. Users who have already installed the screensavers are not affected by this vulnerability.
JASDF
DLL loading vulnerability in the screensaver installers
http://www.mod.go.jp/asdf/information/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2176
JVN
JVN#41185163
http://jvn.jp/en/jp/JVN41185163/index.html
National Vulnerability Database (NVD)
CVE-2017-2176
https://nvd.nist.gov/vuln/detail/CVE-2017-2176
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/05/25] Web page was published. [2018/02/15] References: Content was added.
2017-05-25T14:14:45+09:00
2018-02-15T15:30:24+09:00
2017-05-25T00:00:00+09:00
JVNDB-2017-000102
The installer of the Ministry of Justice [The electronic authentication system based on the commercial registration system "The CRCA user's Software"] may insecurely load Dynamic Link Libraries
The electronic authentication system based on the commercial registration system "The CRCA user's Software" provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Ministry of Justice
The electronic authentication system based on the commercial registration system "The CRCA user's Software"
cpe:/a:moj:touki_denshi
Ver1.7 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed The electronic authentication system based on the commercial registration system "The CRCA user's Software" do not need to re-install the application, because this issue affects the installer only.
The Ministry of Justice
The electronic authentication system based on the commercial registration system "The CRCA user's Software" download page
http://www.moj.go.jp/MINJI/minji06_00027.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2177
JVN
JVN#92422409
https://jvn.jp/en/jp/JVN92422409/index.html
National Vulnerability Database (NVD)
CVE-2017-2177
https://nvd.nist.gov/vuln/detail/CVE-2017-2177
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/06] Web page was published. [2018/01/17] References: Content was added.
2017-06-06T11:19:10+09:00
2018-01-17T13:58:35+09:00
2017-05-26T00:00:00+09:00
JVNDB-2017-000103
WordPress plugin "WP Live Chat Support" vulnerable to cross-site scripting
The WordPress plugin "WP Live Chat Support" provided by CODECABIN_ contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CODECABIN_
WP Live Chat Support
cpe:/a:codecabin_:wp_live_chat_support
prior to version 7.0.07
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
CODECABIN_
Changeset 1658232 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1658232/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2187
JVN
JVN#70951878
https://jvn.jp/en/jp/JVN70951878/index.html
National Vulnerability Database (NVD)
CVE-2017-2187
https://nvd.nist.gov/vuln/detail/CVE-2017-2187
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/01] Web page was published. [2017/11/27] References: Content was added.
2017-06-01T14:06:05+09:00
2017-11-27T16:47:31+09:00
2017-06-01T00:00:00+09:00
JVNDB-2017-000104
RW-4040 driver installer may insecurely load Dynamic Link Libraries
RW-4040 driver installer for IC Card Reader/Writer devices provided by Sharp Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sharp Corporation
RW-4040 Driver Installer for Windows 7
cpe:/a:sharp:rw-4040_driver_installer_for_windows_7
version 2.27A (RW4040V2.27_A_win7V.exe) and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. The following versions address the issue. * RW-4040 driver installer for Windows 7 version 2.2.7.1 (RW40Inst.exe) Users who already have installed the driver software do not need to re-install the software, because this issue affects the installers only.
Sharp Corporation
Sharp Corporation website
http://www.sharp.co.jp/support/iccrw/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2189
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#51274854
http://jvn.jp/en/jp/JVN51274854/index.html
National Vulnerability Database (NVD)
CVE-2017-2189
https://nvd.nist.gov/vuln/detail/CVE-2017-2189
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/01] Web page was published. [2017/08/23] Overview was modified; Affected Products: Product version was modified; Solution was modified. [2018/01/24] References: Content was added.
2017-06-01T16:25:43+09:00
2018-01-24T13:57:59+09:00
2017-06-01T00:00:00+09:00
JVNDB-2017-000105
RW-4040 tool to verify execution environment may insecurely load Dynamic Link Libraries
RW-4040 tool to verify execution environment for IC Card Reader/Writer devices provided by Sharp Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sharp Corporation
RW-4040 tool to verify execution environment
cpe:/a:sharp:rw-4040_operation_check_tool
for Windows 7 version 1.2.0.0A (RW4040Test_A_win7V.exe) and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the tool.
[Use the latest version of the tool to verify execution environment] Use the latest version of the tool according to the information provided by the developer. The following versions address the issue. * RW-4040 tool to verify execution environment for Windows 7 version 1.3.0.0 (RW4040Test_win7.exe)
Sharp Corporation
Sharp Corporation website
http://www.sharp.co.jp/support/iccrw/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2190
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#51274854
http://jvn.jp/en/jp/JVN51274854/index.html
National Vulnerability Database (NVD)
CVE-2017-2190
https://nvd.nist.gov/vuln/detail/CVE-2017-2190
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/01] Web page was published. [2017/08/23] Overview was modified; Affected Products: Product version was modified; Solution was modified. [2018/01/24] References: Content was added.
2017-06-01T16:40:12+09:00
2018-01-24T14:05:48+09:00
2017-06-01T00:00:00+09:00
JVNDB-2017-000106
RW-5100 driver installer may insecurely load Dynamic Link Libraries
RW-5100 driver installer for IC Card Reader/Writer devices provided by Sharp Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sharp Corporation
RW-5100 driver installer for Windows 7
cpe:/a:sharp:rw-5100_driver_installer_for_windows_7
version 1.0.0.9A (RW5100V1.0.0.9_A_win.exe) and earlier
Sharp Corporation
RW-5100 driver installer for Windows 8.1
cpe:/a:sharp:rw-5100_driver_installer_for_windows_8
version 1.0.1.0A (RW5100V1.0.1.0_A_win8.exe) and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. The following versions address the issue. * RW-5100 driver installer for Windows 7 version 1.2.0.0 (RW51Inst.exe) * RW-5100 driver installer for Windows 8.1 version 1.2.0.0 (RW51Inst.exe) Users who already have installed the driver software do not need to re-install the software, because this issue affects the installers only.
Sharp Corporation
Sharp Corporation website
http://www.sharp.co.jp/support/iccrw/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2191
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#51274854
http://jvn.jp/en/jp/JVN51274854/index.html
National Vulnerability Database (NVD)
CVE-2017-2191
https://nvd.nist.gov/vuln/detail/CVE-2017-2191
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/01] Web page was published. [2017/08/23] Overview was modified; Affected Products: Product versions were modified; Solution was modified. [2018/01/24] References: Content was added.
2017-06-01T16:44:33+09:00
2018-01-24T14:15:35+09:00
2017-06-01T00:00:00+09:00
JVNDB-2017-000107
RW-5100 tool to verify execution environment may insecurely load Dynamic Link Libraries
RW-5100 tool to verify execution environment for IC Card Reader/Writer devices provided by Sharp Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sharp Corporation
RW-5100 tool to verify execution environment
cpe:/a:sharp:rw-5100_operation_check_tool
for Windows 8.1 version 1.2.0.0A (RW5100Test_A_win8.exe) and earlier
for Windows 7 version 1.1.0.0A (RW5100Test_A_win7.exe) and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the tool.
[Use the latest version of the tool to verify execution environment] Use the latest version of the tool according to the information provided by the developer. The following versions address the issue. * RW-5100 tool to verify execution environment for Windows 7 version 1.2.0.0 (RW5100Test_win7.exe) * RW-5100 tool to verify execution environment for Windows 8.1 version 1.2.1.0 (RW5100Test_win8.1.exe)
Sharp Corporation
Sharp Corporation website
http://www.sharp.co.jp/support/iccrw/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2192
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2192
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#51274854
http://jvn.jp/en/jp/JVN51274854/index.html
National Vulnerability Database (NVD)
CVE-2017-2192
https://nvd.nist.gov/vuln/detail/CVE-2017-2192
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/01] Web page was published. [2017/08/23] Overview was modified; Affected Products: Product versions were modified; Solution was modified. [2018/01/24] References: Content was added.
2017-06-01T16:47:23+09:00
2018-01-24T14:03:10+09:00
2017-06-01T00:00:00+09:00
JVNDB-2017-000108
Installer of Tera Term may insecurely load Dynamic Link Libraries
The installer of Tera Term provided by TeraTerm Project contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TeraTerm Project
The installer of Tera Term
cpe:/a:tera_term_project:tera_term
4.94 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed Tera Term do not need to re-install the application, because this issue affects the installer only.
Tera Term
TeraTerm Project website
https://ttssh2.osdn.jp/SA/JVN06770361.html.en
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2193
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2193
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#06770361
https://jvn.jp/en/jp/JVN06770361/index.html
National Vulnerability Database (NVD)
CVE-2017-2193
https://nvd.nist.gov/vuln/detail/CVE-2017-2193
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/01] Web page was published. [2018/01/24] References: Content was added.
2017-06-01T14:42:10+09:00
2018-01-24T14:20:58+09:00
2017-06-01T00:00:00+09:00
JVNDB-2017-000109
Installer of SaAT Netizen may insecurely load Dynamic Link Libraries
The installer of SaAT Netizen provided by NetMove Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NetMove Corporation
SaAT Netizen
cpe:/a:saat:netizen
installer ver.1.2.10.510 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed SaAT Netizen do not need to re-install the application, because this issue affects the installer only.
NetMove Corporation
NetMove Corporation website
https://www.saat.jp/information/netizen/2017/0531_security_update_info.php
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2206
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#91170929
https://jvn.jp/en/jp/JVN91170929/index.html
National Vulnerability Database (NVD)
CVE-2017-2206
https://nvd.nist.gov/vuln/detail/CVE-2017-2206
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/02] Web page was published; [2018/01/17] References: Content was added
2017-06-02T14:00:41+09:00
2018-01-17T12:29:32+09:00
2017-06-02T00:00:00+09:00
JVNDB-2017-000110
Installer of SaAT Personal may insecurely load Dynamic Link Libraries
The installer of SaAT Personal provided by NetMove Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NetMove Corporation
SaAT Personal
cpe:/a:saat:personal
installer ver.1.0.10.272 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed SaAT Personal do not need to re-install the application, because this issue affects the installer only.
NetMove Corporation
NetMove Corporation website
https://www.saat.jp/information/personal/2017/0531_security_update_info.php
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2207
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#08020381
https://jvn.jp/en/jp/JVN08020381/index.html
National Vulnerability Database (NVD)
CVE-2017-2207
https://nvd.nist.gov/vuln/detail/CVE-2017-2207
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/02] Web page was published; [2018/01/17] References: Content was added
2017-06-02T14:00:43+09:00
2018-01-17T12:25:44+09:00
2017-06-02T00:00:00+09:00
JVNDB-2017-000111
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Note that this vulnerability is different from JVN#20870477 and JVN#01404851. Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
When accessing a specially crafted URL, arbitrary code may be executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2179
JVN
JVN#80238098
http://jvn.jp/en/jp/JVN80238098/index.html
National Vulnerability Database (NVD)
CVE-2017-2179
https://nvd.nist.gov/vuln/detail/CVE-2017-2179
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/06] Web page was published; [2017/11/27] References: Content was added
2017-06-06T14:19:07+09:00
2017-11-27T17:22:08+09:00
2017-06-06T00:00:00+09:00
JVNDB-2017-000112
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to information disclosure
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains an information disclosure vulnerability. Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.2 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
When accessing a specially crafted URL, a local file specified by an attacker may be obtained.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2180
JVN
JVN#32120290
http://jvn.jp/en/jp/JVN32120290/index.html
National Vulnerability Database (NVD)
CVE-2017-2180
https://nvd.nist.gov/vuln/detail/CVE-2017-2180
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/06] Web page was published; [2017/11/27] References: Content was added
2017-06-06T14:20:07+09:00
2017-11-27T17:22:10+09:00
2017-06-06T00:00:00+09:00
JVNDB-2017-000113
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Note that this vulnerability is different from JVN#80238098 and JVN#01404851. Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
When accessing a specially crafted URL, arbitrary code may be executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2181
JVN
JVN#20870477
http://jvn.jp/en/jp/JVN20870477/index.html
National Vulnerability Database (NVD)
CVE-2017-2181
https://nvd.nist.gov/vuln/detail/CVE-2017-2181
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/06] Web page was published; [2017/11/27] References: Content was added
2017-06-06T14:21:08+09:00
2017-11-27T17:22:12+09:00
2017-06-06T00:00:00+09:00
JVNDB-2017-000114
Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Note that this vulnerability is different from JVN#80238098 and JVN#20870477. Masato Kinugawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Hands-on Vulnerability Learning Tool "AppGoat" for Web Application
cpe:/a:ipa:appgoat
V3.0.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
When accessing a specially crafted URL, arbitrary code may be executed on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
https://www.ipa.go.jp/security/vuln/appgoat/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2182
JVN
JVN#01404851
http://jvn.jp/en/jp/JVN01404851/index.html
National Vulnerability Database (NVD)
CVE-2017-2182
https://nvd.nist.gov/vuln/detail/CVE-2017-2182
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/06] Web page was published; [2017/11/27] References: Content was added
2017-06-06T14:19:07+09:00
2017-11-27T17:22:13+09:00
2017-06-06T00:00:00+09:00
JVNDB-2017-000115
WordPress plugin "Multi Feed Reader" vulnerable to SQL injection
The WordPress plugin "Multi Feed Reader" contains an SQL injection vulnerability (CWE-89). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Eric Teubert
Multi Feed Reader
cpe:/a:multi_feed_reader_project:multi_feed_reader
prior to version 2.2.4
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
An attacker who can access the product may execute an arbitrary SQL command. Information stored in the database may be obtained or altered by an attacker.
[Update the plugin] Update the plugin according to the information provided by the developer.
ericteubert
WordPress Plugins - Multi Feed Reader - Changelog
https://wordpress.org/plugins/multi-feed-reader/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2195
JVN
JVN#98617234
https://jvn.jp/en/jp/JVN98617234/index.html
National Vulnerability Database (NVD)
CVE-2017-2195
https://nvd.nist.gov/vuln/detail/CVE-2017-2195
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/06] Web page was published; [2018/01/17] References: Content was added
2017-06-06T14:54:39+09:00
2018-01-17T13:58:37+09:00
2017-06-06T00:00:00+09:00
JVNDB-2017-000116
Installer of QuickTime for Windows may insecurely load Dynamic Link Libraries
Installer of QuickTime for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apple Inc.
QuickTime
cpe:/a:apple:quicktime
for Windows installer
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use Installer of QuickTime for Windows] The developer has stated that support for QuickTime for Windows has been discontinued, and recommends that users stop using the Installer of QuickTime for Windows.
Apple
QuickTime 7.7.9 for Windows
https://support.apple.com/kb/DL837?locale=&viewlocale=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2218
JVN
JVN#94771799
http://jvn.jp/en/jp/JVN94771799/index.html
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-2218
https://nvd.nist.gov/vuln/detail/CVE-2017-2218
US-CERT Technical Cyber Security Alert
TA16-105A
https://www.us-cert.gov/ncas/alerts/TA16-105A
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/13] Web page was published; [2018/02/14] References: Content was added
2017-06-13T13:51:38+09:00
2018-02-14T11:58:55+09:00
2017-06-13T00:00:00+09:00
JVNDB-2017-000117
Installer of CASL II simulator(self-extract format) may insecurely load Dynamic Link Libraries
Installer of CASL II simulator(self-extract format) provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
CASL II simulator
cpe:/a:ipa:casl_ii_simulator
(self-extract format) installer
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use CASL II simulator(self-extract format) installer] The developer has stated that the development and support of CASL II simulator(self-extract format) have been discontinued, and recommends that users stop using the installer.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
http://www.jitec.ipa.go.jp/1_20casl2/casl2dl_2017_01.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2220
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#67305782
https://jvn.jp/en/jp/JVN67305782/index.html
National Vulnerability Database (NVD)
CVE-2017-2220
https://nvd.nist.gov/vuln/detail/CVE-2017-2220
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/09] Web page was published; [2018/02/14] References: Content was added
2017-06-09T13:49:16+09:00
2018-02-14T11:58:57+09:00
2017-06-09T00:00:00+09:00
JVNDB-2017-000119
Installer of Houkokusyo Sakusei Shien Tool provided by Ministry of the Environment may insecurely load Dynamic Link Libraries
Installer of Houkokusyo Sakusei Shien Tool provided by Ministry of the Environment contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. and BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ministry of the Environment
Installer of Houkokusyo Sakusei Shien Tool
cpe:/a:misc:kankyosyo_report_preparation_support_tool
ver2.0 and later(For the first installation) (The versions which were available on the website prior to 2017 April 4)
ver3.02(For the first installation) (The version which was available on the website from 2017 April 4 to 2017 May 18)
ver3.03(For the first installation) (The version which was available on the website from 2017 May 31 to 2017 June 12)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the running application.
[Use the latest installer] Users who downloaded Houkokusyo Sakusei Shien Tool (Ver2.0 - 3.03) before 2017 June 12 should delete it immediately. When installing Houkokusyo Sakusei Shien Tool, be sure to download Houkokusyo Sakusei Shien Tool (Ver3.04) from the website and use the latest installer. According to the developer, users are advised to run virus scan software with the latest pattern files applied. Note that this vulnerability affects the installer only, thus users who have already installed Houkokusyo Sakusei Shien Tool do not need to re-install the newer version (Ver3.04). For more information, refer to the information provided by the developer.
Ministry of the Environment
Houkokusyo Sakusei Shien Tool
http://ghg-santeikohyo.env.go.jp/tool
Ministry of the Environment
About a vulnerability found in Houkokusyo Sakusei Shien Tool, first published on 2017 May 26
http://ghg-santeikohyo.env.go.jp/files/system/report_20170526.pdf
Ministry of the Environment
About a vulnerability found in Houkokusyo Sakusei Shien Tool, revised on 2017 May 29
http://ghg-santeikohyo.env.go.jp/files/system/report_20170529_rev.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2209
JVN
JVN#24087303
https://jvn.jp/en/jp/JVN24087303/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-2209
https://nvd.nist.gov/vuln/detail/CVE-2017-2209
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/05] Web page was published; [2017/06/15] Affected Products: Product was added, Solution was modified; [2017/08/02] Overview was modified, Affected Products: Content was modified, Solution was modified; [2018/01/17] References: Content was added
2017-06-05T13:47:39+09:00
2018-01-17T13:49:22+09:00
2017-06-05T00:00:00+09:00
JVNDB-2017-000120
[Simeji for Windows] installer may insecurely load Dynamic Link Libraries
[Simeji for Windows] installer provided by Baidu Japan Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Baidu, Inc.
Simeji
cpe:/a:baidu:simeji
for Windows installer (simeji.exe)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use [Simeji for Windows] installer] The developer has stated that the development and support of [Simeji for Windows] have been discontinued, and recommends that users stop using the installer. Users who have already installed [Simeji for Windows] do not need to re-install the application, because this issue affects the installer only.
Simeji
Baidu Japan Inc. website
https://www.baidu.jp/info/press/report/170602.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2219
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#31236539
http://jvn.jp/en/jp/JVN31236539/index.html
National Vulnerability Database (NVD)
CVE-2017-2219
https://nvd.nist.gov/vuln/detail/CVE-2017-2219
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/21] Web page was published
2017-06-21T18:15:34+09:00
2017-06-21T18:15:34+09:00
2017-06-08T00:00:00+09:00
JVNDB-2017-000121
The installer of PatchJGD provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries
The installer of PatchJGD (PatchJGD101.EXE) provided by Geospatial Information Authority of Japan (GSI) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Geospatial Information Authority of Japan
PatchJGD
cpe:/a:gsi:patchjgd
(PatchJGD101.EXE) ver. 1.0.1
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installers.
[Do not use the installers] The developer has stated that the development and support of the software have been discontinued, and recommends that users stop using the installers. Users who have already installed the software do not need to re-install it, because this issue affects the installers only.
Geospatial Information Authority of Japan
Installers of "TKY2JGD", "SemiDynaEXE", "PatchJGD" and "PatchJGD(Hyoko)" may insecurely load Dynamic Link Libraries. Providing of these installers has ended.
http://www.gsi.go.jp/sokuchikijun/sokuchikijun41011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2210
JVN
JVN#52691241
https://jvn.jp/en/jp/JVN52691241/index.html
National Vulnerability Database (NVD)
CVE-2017-2210
https://nvd.nist.gov/vuln/detail/CVE-2017-2210
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/08] Web page was published; [2018/01/24] References: Content was added
2017-06-08T15:31:03+09:00
2018-01-24T12:15:39+09:00
2017-06-08T00:00:00+09:00
JVNDB-2017-000122
The installer of PatchJGD(Hyoko) provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries
The installer of PatchJGD(Hyoko) (PatchJGDh101.EXE) provided by Geospatial Information Authority of Japan (GSI) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Geospatial Information Authority of Japan
PatchJGD(Hyoko)
cpe:/a:gsi:patchjgdh
(PatchJGDh101.EXE) ver. 1.0.1
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installers.
[Do not use the installers] The developer has stated that the development and support of the software have been discontinued, and recommends that users stop using the installers. Users who have already installed the software do not need to re-install it, because this issue affects the installers only.
Geospatial Information Authority of Japan
Installers of "TKY2JGD", "SemiDynaEXE", "PatchJGD" and "PatchJGD(Hyoko)" may insecurely load Dynamic Link Libraries. Providing of these installers has ended.
http://www.gsi.go.jp/sokuchikijun/sokuchikijun41011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2211
JVN
JVN#52691241
https://jvn.jp/en/jp/JVN52691241/index.html
National Vulnerability Database (NVD)
CVE-2017-2211
https://nvd.nist.gov/vuln/detail/CVE-2017-2211
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/08] Web page was published; [2018/01/24] References: Content was added
2017-06-08T15:31:04+09:00
2018-01-24T12:15:41+09:00
2017-06-08T00:00:00+09:00
JVNDB-2017-000123
The installer of TKY2JGD provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries
The installer of TKY2JGD (TKY2JGD1379.EXE) provided by Geospatial Information Authority of Japan (GSI) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Geospatial Information Authority of Japan
TKY2JGD
cpe:/a:gsi:tky2jgd
(TKY2JGD1379.EXE) ver. 1.3.79
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installers.
[Do not use the installers] The developer has stated that the development and support of the software have been discontinued, and recommends that users stop using the installers. Users who have already installed the software do not need to re-install it, because this issue affects the installers only.
Geospatial Information Authority of Japan
Installers of "TKY2JGD", "SemiDynaEXE", "PatchJGD" and "PatchJGD(Hyoko)" may insecurely load Dynamic Link Libraries. Providing of these installers has ended.
http://www.gsi.go.jp/sokuchikijun/sokuchikijun41011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2212
JVN
JVN#52691241
https://jvn.jp/en/jp/JVN52691241/index.html
National Vulnerability Database (NVD)
CVE-2017-2212
https://nvd.nist.gov/vuln/detail/CVE-2017-2212
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/08] Web page was published; [2018/01/24] References: Content was added
2017-06-08T15:31:06+09:00
2018-01-24T12:15:42+09:00
2017-06-08T00:00:00+09:00
JVNDB-2017-000124
The installer of SemiDynaEXE provided by Geospatial Information Authority of Japan (GSI) may insecurely load Dynamic Link Libraries
The installer of SemiDynaEXE (SemiDynaEXE2008.EXE) provided by Geospatial Information Authority of Japan (GSI) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Geospatial Information Authority of Japan
SemiDynaEXE
cpe:/a:gsi:semidynaexe
(SemiDynaEXE2008.EXE) ver. 1.0.2
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installers.
[Do not use the installers] The developer has stated that the development and support of the software have been discontinued, and recommends that users stop using the installers. Users who have already installed the software do not need to re-install it, because this issue affects the installers only.
Geospatial Information Authority of Japan
Installers of "TKY2JGD", "SemiDynaEXE", "PatchJGD" and "PatchJGD(Hyoko)" may insecurely load Dynamic Link Libraries. Providing of these installers has ended.
http://www.gsi.go.jp/sokuchikijun/sokuchikijun41011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2213
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2213
JVN
JVN#52691241
https://jvn.jp/en/jp/JVN52691241/index.html
National Vulnerability Database (NVD)
CVE-2017-2213
https://nvd.nist.gov/vuln/detail/CVE-2017-2213
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/08] Web page was published; [2018/01/24] References: Content was added
2017-06-08T15:31:08+09:00
2018-01-24T12:15:44+09:00
2017-06-08T00:00:00+09:00
JVNDB-2017-000125
AppCheck may insecurely invoke an executable file
AppCheck provided by JIRANSOFT JAPAN, INC. is anti-ransomware software. AppCheck and its installer contain an issue with the search path for executable files, which may lead to insecurely invoking an executable file (CWE-427). Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JIRANSOFT JAPAN, INC.
AppCheck
cpe:/a:jiransoft:appcheck
prior to Version 2.0.1.15
JIRANSOFT JAPAN, INC.
AppCheck Pro
cpe:/a:jiransoft:appcheck_pro
prior to Version 2.0.1.15
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user running AppCheck or the installer.
[Use the latest installer] For installation or re-installation, use the latest installer according to the information provided by the developer. [Apply the Patch] According to the developer, the appropriate patch is applied automatically. The version will become 2.0.1.15 or later after the patch is applied. The version number is displayed at the lower right corner of the startup screen.
Jiransoft
JIRANSOFT JAPAN, INC. website
https://www.jiransoft.co.jp/support/apc_1
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2214
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2214
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#99737748
https://jvn.jp/en/jp/JVN99737748/index.html
National Vulnerability Database (NVD)
CVE-2017-2214
https://nvd.nist.gov/vuln/detail/CVE-2017-2214
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/07] Web page was published; [2018/01/24] References: Content was added
2017-06-07T14:54:26+09:00
2018-01-24T12:15:46+09:00
2017-06-07T00:00:00+09:00
JVNDB-2017-000126
Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) may insecurely load Dynamic Link Libraries
Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. and BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ministry of Agriculture, Forestry and Fisheries
Electronic Delivery Check System
cpe:/a:maff:electronic_delivery_check_system
(for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.8.0.001.001) [Updated on 2016 May 31] and earlier installer
(for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.9.0.001.001) [Updated on 2017 June 9] and earlier installer
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Users who downloaded the installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) before 2017 June 12 but have not yet installed Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) should follow the instructions below. * Step 1: Delete Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) obtained from the website before 2017 June 12. * Step 2: Download Installer of Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) 2014 March Edition (Ver.9.0.001.002), then install Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou). Also, when installing Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou), be sure to check that there are no suspicious files besides "setup.exe" in the folder which was extracted from the zip file. Note that this vulnerability affects the installer only, thus users who have already installed Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou) do not need to re-install the software using the newer version (Ver.9.0.001.002).
MAFF
Denshinouhin Check System (for Ministry of Agriculture, Forestry and Fisheries Nouson Seibi Jigyou)
http://www.maff.go.jp/j/nousin/seko/nouhin_youryou/densi.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2188
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#65154137
http://jvn.jp/en/jp/JVN65154137/index.html
National Vulnerability Database (NVD)
CVE-2017-2188
https://nvd.nist.gov/vuln/detail/CVE-2017-2188
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/09] Web page was published; [2017/06/16] Affected Products: Product was added, Solution was modified; [2017/07/31] Overview was modified, Affected Products: Content was modified, Solution was modified; [2018/02/14] References: Content was added
2017-06-09T15:48:52+09:00
2018-02-14T14:00:59+09:00
2017-06-09T00:00:00+09:00
JVNDB-2017-000127
Cross-site scripting vulnerability in WordPress plugin "WordPress Download Manager"
The WordPress plugin "WordPress Download Manager" provided by W3 Eden, Inc. contains a cross-site scripting vulnerability (CWE-79). Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
W3 Eden, Inc.
WordPress Download Manager
cpe:/a:misc:w3_eden_wordpress_download_manager
prior to version 2.9.50
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser accessing the page generated by the plugin.
[Update the plugin] Update the plugin according to the information provided by the developer.
W3 Eden
WordPress Plugins - WordPress Download Manager - Changelog
https://wordpress.org/plugins/download-manager/#developers
W3 Eden
Changeset 1661953 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1661953
W3 Eden
Changeset 1650075 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1650075
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2216
JVN
JVN#79738260
https://jvn.jp/en/jp/JVN79738260/index.html
National Vulnerability Database (NVD)
CVE-2017-2216
https://nvd.nist.gov/vuln/detail/CVE-2017-2216
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/13]\n Web page was published\n[2018/01/24]\n References : Content was added
2017-06-13T14:11:48+09:00
2018-01-24T12:24:13+09:00
2017-06-13T00:00:00+09:00
JVNDB-2017-000128
Open redirect vulnerability in WordPress plugin "WordPress Download Manager"
The WordPress plugin "WordPress Download Manager" provided by W3 Eden, Inc. contains an open redirect vulnerability (CWE-601). Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
W3 Eden, Inc.
WordPress Download Manager
cpe:/a:misc:w3_eden_wordpress_download_manager
prior to version 2.9.51
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
When accessing a specially crafted URL, the user may be redirected to an arbitrary website.
[Update the plugin] Update the plugin according to the information provided by the developer.
W3 Eden
WordPress Plugins - WordPress Download Manager - Changelog
https://wordpress.org/plugins/download-manager/#developers
W3 Eden
Changeset 1661953 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1661953
W3 Eden
Changeset 1650075 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1650075
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2217
JVN
JVN#79738260
https://jvn.jp/en/jp/JVN79738260/index.html
National Vulnerability Database (NVD)
CVE-2017-2217
https://nvd.nist.gov/vuln/detail/CVE-2017-2217
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/13]\n Web page was published\n[2018/01/24]\n References : Content was added
2017-06-13T14:11:50+09:00
2018-01-24T12:21:46+09:00
2017-06-13T00:00:00+09:00
JVNDB-2017-000129
Installer of "Setup file of advance preparation" may insecurely load Dynamic Link Libraries
"Setup file of advance preparation" provided by National Tax Agency is software to set up the environment which is required to use "filing assistance on the NTA website". "Setup file of advance preparation" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
National Tax Agency JAPAN
Setup file of advance preparation
cpe:/a:national_tax_agency:nta_advance_preparation_setup_file
(jizen_setup.exe) (The version which was available on the website prior to 2017 June 12) installer
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer.
National Tax Agency
About the download of "Setup file of advance preparation"
https://www.keisan.nta.go.jp/oshirase/h28info/201705.html
National Tax Agency
Notification -- Maintenance for the installers of the respective software has been finished
http://www.e-tax.nta.go.jp/topics/topics_290525.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2215
JVN
JVN#34508179
https://jvn.jp/en/jp/JVN34508179/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-2215
https://nvd.nist.gov/vuln/detail/CVE-2017-2215
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/09]\n Web page was published\n[2017/06/28]\n Affected Products : Product version was modified\n Vendor Information : Content was added\n Solution was modified\n[2018/02/14]\n References : Content was added
2017-06-09T15:59:11+09:00
2018-02-14T13:55:23+09:00
2017-06-09T00:00:00+09:00
JVNDB-2017-000130
Installer of electronic tendering and bid opening system provided by Acquisition, Technology & Logistics Agency may insecurely invoke an executable file
Installer of electronic tendering and bid opening system provided by Acquisition, Technology & Logistics Agency contains an issue with the search path for executable files, which may lead to insecurely invoking an executable file. Note that this vulnerability is different from JVN#75514460. DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Acquisition, Technology & Logistics Agency (ATLA)
Installer of electronic tendering and bid opening system
cpe:/a:atla:electronic_tendering_and_bid_opening_system
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be exploited when the following condition is met. If this vulnerability is exploited, arbitrary code may be executed with the privilege of the user invoking the installer. * A user is tricked into placing a malicious executable file prepared by an attacker in a specific folder.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have built the bidding environment by using the installer are not affected by this vulnerability.
ATLA
Regarding the electronic bidding (Important notice)
http://www.mod.go.jp/atla/souhon/cals/nyusatsu_top.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2208
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2208
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#27198823
http://jvn.jp/en/jp/JVN27198823/index.html
National Vulnerability Database (NVD)
CVE-2017-2208
https://nvd.nist.gov/vuln/detail/CVE-2017-2208
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/12]\n Web page was published\n[2017/06/13]\n Overview was modified\n[2018/02/14]\n References : Content was added
2017-06-12T14:49:11+09:00
2018-02-14T13:52:32+09:00
2017-06-12T00:00:00+09:00
JVNDB-2017-000131
Cybozu KUNAI for Android vulnerable to cross-site scripting
Cybozu KUNAI for Android is mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android contains a cross-site scripting vulnerability (CWE-79) due to an issue in mobile view mode. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu KUNAI
cpe:/a:cybozu:kunai
for Android 3.0.0 to 3.0.6
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1383]
https://support.cybozu.com/ja-jp/article/9909
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2172
JVN
JVN#56588965
http://jvn.jp/en/jp/JVN56588965/index.html
National Vulnerability Database (NVD)
CVE-2017-2172
https://nvd.nist.gov/vuln/detail/CVE-2017-2172
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/12]\n Web page was published\n[2018/01/24]\n References : Content was added
2017-06-12T13:36:47+09:00
2018-01-24T12:34:18+09:00
2017-06-12T00:00:00+09:00
JVNDB-2017-000132
WordPress plugin "WP-Members" vulnerable to cross-site scripting
The WordPress plugin "WP-Members" contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Chad Butler
WP-Members
cpe:/a:wp-members_project:wp-members
prior to version 3.1.8
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Chad Butler
Changeset 1667369 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1667369/#file12
Chad Butler
WordPress Plugins - WP-Members: Membership Framework - Changelog
https://wordpress.org/plugins/wp-members/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2222
JVN
JVN#51355647
http://jvn.jp/en/jp/JVN51355647/index.html
National Vulnerability Database (NVD)
CVE-2017-2222
https://nvd.nist.gov/vuln/detail/CVE-2017-2222
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/13]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-06-13T14:50:09+09:00
2018-02-07T11:52:48+09:00
2017-06-13T00:00:00+09:00
JVNDB-2017-000133
Source code security studying tool iCodeChecker vulnerable to cross-site scripting
Source code security studying tool iCodeChecker provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) contains a cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA)
Source code security studying tool iCodeChecker
cpe:/a:ipa:icodechecker
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
5
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Do not use Source code security studying tool iCodeChecker] The developer has stated that the development and support of Source code security studying tool iCodeChecker has been discontinued, and recommends that users stop using it.
IPA
INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA) website
http://www.ipa.go.jp/security/vuln/iCodeChecker/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2194
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2194
JVN
JVN#25078144
http://jvn.jp/en/jp/JVN25078144/index.html
National Vulnerability Database (NVD)
CVE-2017-2194
https://nvd.nist.gov/vuln/detail/CVE-2017-2194
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/13]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-13T14:50:11+09:00
2018-02-14T13:48:33+09:00
2017-06-13T00:00:00+09:00
JVNDB-2017-000135
HOME SPOT CUBE2 vulnerable to OS command injection in clock settings
HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains OS command injection in clock settings. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
HOME SPOT CUBE2 firmware
cpe:/o:kddi:home_spot_cube_2_firmware
V101 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed by an attacker who can access the management screen of the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
KDDI CORPORATION
About Firmware update for HOME SPOT CUBE2
https://www.au.com/information/notice_mobile/update/update-20170612-01/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2183
JVN
JVN#24348065
http://jvn.jp/en/jp/JVN24348065/index.html
National Vulnerability Database (NVD)
CVE-2017-2183
https://nvd.nist.gov/vuln/detail/CVE-2017-2183
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/21]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-21T13:44:57+09:00
2018-02-14T11:54:05+09:00
2017-06-20T00:00:00+09:00
JVNDB-2017-000136
HOME SPOT CUBE2 vulnerable to buffer overflow in WebUI
HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains buffer overflow in WebUI. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
HOME SPOT CUBE2 firmware
cpe:/o:kddi:home_spot_cube_2_firmware
V101 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Arbitrary code may be executed by an attacker who can access the management screen of the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
KDDI CORPORATION
About Firmware update for HOME SPOT CUBE2
https://www.au.com/information/notice_mobile/update/update-20170612-01/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2184
JVN
JVN#24348065
http://jvn.jp/en/jp/JVN24348065/index.html
National Vulnerability Database (NVD)
CVE-2017-2184
https://nvd.nist.gov/vuln/detail/CVE-2017-2184
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/21]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-21T13:44:59+09:00
2018-02-14T11:59:09+09:00
2017-06-20T00:00:00+09:00
JVNDB-2017-000137
HOME SPOT CUBE2 vulnerable to OS command injection in WebUI
HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains OS command injection in WebUI. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
HOME SPOT CUBE2 firmware
cpe:/o:kddi:home_spot_cube_2_firmware
V101 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed by an attacker who can access the management screen of the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
KDDI CORPORATION
About Firmware update for HOME SPOT CUBE2
https://www.au.com/information/notice_mobile/update/update-20170612-01/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2185
JVN
JVN#24348065
http://jvn.jp/en/jp/JVN24348065/index.html
National Vulnerability Database (NVD)
CVE-2017-2185
https://nvd.nist.gov/vuln/detail/CVE-2017-2185
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/21]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-21T13:45:01+09:00
2018-02-14T11:59:11+09:00
2017-06-20T00:00:00+09:00
JVNDB-2017-000138
HOME SPOT CUBE2 vulnerable to improper authentication in WebUI
HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains improper authentication in WebUI. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
HOME SPOT CUBE2 firmware
cpe:/o:kddi:home_spot_cube_2_firmware
V101 and earlier
Low
3.3
AV:A/AC:L/Au:N/C:N/I:P/A:N
Medium
6.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Firmware may be altered by an attacker who can access the management screen of the product.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
KDDI CORPORATION
About Firmware update for HOME SPOT CUBE2
https://www.au.com/information/notice_mobile/update/update-20170612-01/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2186
JVN
JVN#24348065
http://jvn.jp/en/jp/JVN24348065/index.html
National Vulnerability Database (NVD)
CVE-2017-2186
https://nvd.nist.gov/vuln/detail/CVE-2017-2186
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/21]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-21T13:45:02+09:00
2018-02-14T11:59:13+09:00
2017-06-20T00:00:00+09:00
JVNDB-2017-000139
WordPress plugin "WP Job Manager" fails to restrict access permissions
The WordPress plugin "WP Job Manager" provided by Automattic Inc. fails to restrict access permissions. Katsunori Kumagai of Kumasan, LLC. reported this issue to IPA under Information Security Early Warning Partnership.
Automattic Inc.
WP Job Manager
cpe:/a:automattic:wp_job_manager
prior to version 1.26.2
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
A remote unauthenticated attacker may upload an image file to the server.
[Update the plugin] According to the developer, the update prevents unauthenticated users from uploading files.
Automattic Inc.
WordPress Plugins - WP Job Manager - Changelog
https://wordpress.org/plugins/wp-job-manager/#developers
IPA SECURITY ALERTS
Security Alert for Vulnerability in WordPress plugin "WP Job Manager" (JVN#56787058)
https://www.ipa.go.jp/security/ciadr/vul/20170615-jvn.html
JVN
JVN#56787058
http://jvn.jp/en/jp/JVN56787058/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/15]\n Web page was published
2017-06-15T14:32:55+09:00
2017-06-15T14:32:55+09:00
2017-06-15T00:00:00+09:00
JVNDB-2017-000140
WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Web-Dorado
Event Calendar WD
cpe:/a:web-dorado:event_calendar_wd
prior to version 1.0.94
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Web-Dorado
WordPress Plugins - Event Calendar WD - Responsive Event Calendar plugin - Changelog
https://wordpress.org/plugins/event-calendar-wd/#developers
Web-Dorado
Changeset 1671891 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1671891/#file313
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2224
JVN
JVN#73550134
http://jvn.jp/en/jp/JVN73550134/index.html
National Vulnerability Database (NVD)
CVE-2017-2224
https://nvd.nist.gov/vuln/detail/CVE-2017-2224
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/20]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-20T13:58:58+09:00
2018-02-14T12:10:01+09:00
2017-06-20T00:00:00+09:00
JVNDB-2017-000141
Multiple I-O DATA network camera products vulnerable to cross-site request forgery
Multiple network camera products provided by I-O DATA DEVICE, INC. contain a cross-site request forgery vulnerability (CWE-352). Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
TS-PTCAM firmware
cpe:/o:i-o_data_device:ts-ptcam_firmware
version 1.19 and earlier
I-O DATA DEVICE, INC.
TS-PTCAM/POE firmware
cpe:/o:i-o_data_device:ts-ptcam%2Fpoe_firmware
version 1.19 and earlier
I-O DATA DEVICE, INC.
TS-WLC2 firmware
cpe:/o:i-o_data_device:ts-wlc2_firmware
version 1.19 and earlier
I-O DATA DEVICE, INC.
TS-WLCE firmware
cpe:/o:i-o_data_device:ts-wlce_firmware
version 1.19 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM firmware
cpe:/o:i-o_data_device:ts-wptcam_firmware
version 1.19 and earlier
I-O DATA DEVICE, INC.
TS-WPTCAM2 firmware
cpe:/o:i-o_data_device:ts-wptcam2_firmware
version 1.01 and earlier
I-O DATA DEVICE, INC.
TS-WRLC firmware
cpe:/o:i-o_data_device:ts-wrlc_firmware
version 1.19 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
High
7.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
If a user views a malicious page while logged in, unintended operations may be performed.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/camera201706/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2223
JVN
JVN#65411235
http://jvn.jp/en/jp/JVN65411235/index.html
National Vulnerability Database (NVD)
CVE-2017-2223
https://nvd.nist.gov/vuln/detail/CVE-2017-2223
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/20]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-20T13:59:00+09:00
2018-02-14T12:10:03+09:00
2017-06-20T00:00:00+09:00
JVNDB-2017-000142
Installer of Charamin OMP may insecurely load Dynamic Link Libraries
The installer of Charamin OMP provided by Charamin steering committee contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Charamin steering committee
Charamin OMP
cpe:/a:charamin:omp
Version 1.1.7.4 and earlier (installer)
Version 1.2.0.0 Beta and earlier (installer)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed Charamin OMP do not need to re-install the application, because this issue affects the installer only.
Charamin steering committee
Charamin steering committee website
http://www.charamin.jp/security_001.aspx
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2227
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#09293613
http://jvn.jp/en/jp/JVN09293613/index.html
National Vulnerability Database (NVD)
CVE-2017-2227
https://nvd.nist.gov/vuln/detail/CVE-2017-2227
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/23]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-06-23T14:38:14+09:00
2018-02-07T12:32:28+09:00
2017-06-23T00:00:00+09:00
JVNDB-2017-000144
Denshi Nyusatsu Check Tool provided by Ministry of Education, Culture, Sports, Science and Technology may insecurely load Dynamic Link Libraries
Denshi Nyusatsu Check Tool provided by Ministry of Education, Culture, Sports, Science and Technology (MEXT) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ministry of Education, Culture, Sports, Science and Technology (MEXT)
EbidSettingChecker.exe
cpe:/a:mext:ebidsettingchecker
(version 1.0.0.0)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user running the application.
[Update the software] Update to the latest version according to the information provided by the developer. This vulnerability was addressed in Ver1.1.0.0.
MEXT
E-bidding portal
http://portal.ebid.mext.go.jp/top/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2225
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#01775119
http://jvn.jp/en/jp/JVN01775119/index.html
National Vulnerability Database (NVD)
CVE-2017-2225
https://nvd.nist.gov/vuln/detail/CVE-2017-2225
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/26]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-06-26T14:28:41+09:00
2018-02-07T13:40:06+09:00
2017-06-26T00:00:00+09:00
JVNDB-2017-000145
Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries
Installer of Setup file of advance preparation for e-Tax software (WEB version) provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
National Tax Agency JAPAN
e-Tax Software
cpe:/a:national_tax_agency:e-tax
(WEB version) setup file of advance preparation (all versions distributed on the NTA website prior to 2018 January 4)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer for the first-time installation or for updating the application] Users who have downloaded and obtained "Setup file of advance preparation for e-Tax software (WEB version)" distributed on the NTA website prior to 2018 January 4 should be sure to delete it. When installing or updating "Setup file of advance preparation for e-Tax software (WEB version)", execute the installer by following the instructions below. * Download the latest "Setup file of advance preparation for e-Tax software (WEB version)" released on 2018 January 4 from the NTA website. * Check that there are no suspicious files in the folder where the installer resides before executing the installer. Users who have already installed Setup file of advance preparation for e-Tax software (WEB version) do not need to re-install the application, because this issue affects the installer only.
National Tax Agency
How to use Setup file of advance preparation for e-Tax software (WEB version) -- Step (4) Setup file of advance preparation for e-Tax software (WEB version)
http://www.e-tax.nta.go.jp/e-taxsoftweb/e-taxsoftweb1.htm#Link4
National Tax Agency
Steps and cautions when executing the installer
http://www.e-tax.nta.go.jp/manual/install_tejun.pdf
National Tax Agency
About the release of respective applications installers
http://www.e-tax.nta.go.jp/topics/topics_300104.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2226
JVN
JVN#79451345
http://jvn.jp/en/jp/JVN79451345/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-2226
https://nvd.nist.gov/vuln/detail/CVE-2017-2226
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/28]\n Web page was published\n[2017/07/05]\n Affected Products : Product version was modified\n Solution was modified\n Vendor Information : Content was added\n[2018/01/09]\n Affected Products : Product version was modified\n Solution was modified\n Vendor Information : Content was added\n[2018/02/07]\n References : Content was added
2017-06-28T16:40:05+09:00
2018-02-07T13:40:08+09:00
2017-06-28T00:00:00+09:00
JVNDB-2017-000146
Marp vulnerable to improper access control in JavaScript execution
Marp is a tool to create a presentation PDF with Markdown. Marp executes JavaScript inside the Markdown contents. Marp allows JavaScript to access local resources and files (CWE-284). Keitaro Yamazaki of Kyoto University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Yuki Hattori
Marp
cpe:/a:marp_project:marp
v0.0.10 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
When reading specially crafted Markdown contents, local files may be accessed and leaked to an external source.
[Update the software] Update to the latest version according to the information provided by the developer. Marp v0.0.11 restricts JavaScript from accessing local resources. Moreover, the developer recommends the following: * Do not use the script tag or the iframe tag inside the Markdown contents. * Do not open untrusted Markdown contents, e.g., mail attachments or downloaded files.
GitHub
[Security issue] Remote script can read user local resource
https://github.com/yhatt/marp/issues/187
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2239
JVN
JVN#21174546
http://jvn.jp/en/jp/JVN21174546/index.html
National Vulnerability Database (NVD)
CVE-2017-2239
https://nvd.nist.gov/vuln/detail/CVE-2017-2239
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/29]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-09-29T13:54:27+09:00
2018-02-07T11:52:50+09:00
2017-06-28T00:00:00+09:00
JVNDB-2017-000147
Non-documented developer's screen in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains a non-documented developer's screen. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW16A
cpe:/o:toshiba:hem-gw16a_firmware
firmware HEM-GW16A-FW-V1.2.0 and earlier
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW26A
cpe:/o:toshiba:hem-gw26a_firmware
firmware HEM-GW26A-FW-V1.2.0 and earlier
Low
2.7
AV:A/AC:L/Au:S/C:N/I:P/A:N
Low
2.4
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
The device is operated with the administrative privilege.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
Toshiba Lighting & Technology Corporation
Toshiba Lighting & Technology Corporation website
http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2234
JVN
JVN#85901441
http://jvn.jp/en/jp/JVN85901441/index.html
National Vulnerability Database (NVD)
CVE-2017-2234
https://nvd.nist.gov/vuln/detail/CVE-2017-2234
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/28]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-28T10:28:08+09:00
2018-02-14T12:10:04+09:00
2017-06-27T00:00:00+09:00
JVNDB-2017-000148
Improper access control vulnerability in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains improper access control. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW16A
cpe:/o:toshiba:hem-gw16a_firmware
firmware HEM-GW16A-FW-V1.2.0 and earlier
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW26A
cpe:/o:toshiba:hem-gw26a_firmware
firmware HEM-GW26A-FW-V1.2.0 and earlier
Medium
4.8
AV:A/AC:L/Au:N/C:P/I:P/A:N
Medium
5.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
The administrator's password may be changed.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
Toshiba Lighting & Technology Corporation
Toshiba Lighting & Technology Corporation website
http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2235
JVN
JVN#85901441
http://jvn.jp/en/jp/JVN85901441/index.html
National Vulnerability Database (NVD)
CVE-2017-2235
https://nvd.nist.gov/vuln/detail/CVE-2017-2235
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/28]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-28T10:23:27+09:00
2018-02-14T12:10:06+09:00
2017-06-27T00:00:00+09:00
JVNDB-2017-000149
Hard-coded credentials vulnerability in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains hard-coded credentials. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW16A
cpe:/o:toshiba:hem-gw16a_firmware
firmware HEM-GW16A-FW-V1.2.0 and earlier
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW26A
cpe:/o:toshiba:hem-gw26a_firmware
firmware HEM-GW26A-FW-V1.2.0 and earlier
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The device is operated with the administrative privilege.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
Toshiba Lighting & Technology Corporation
Toshiba Lighting & Technology Corporation website
http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2236
JVN
JVN#85901441
http://jvn.jp/en/jp/JVN85901441/index.html
National Vulnerability Database (NVD)
CVE-2017-2236
https://nvd.nist.gov/vuln/detail/CVE-2017-2236
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/28]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-28T10:23:30+09:00
2018-02-14T12:10:08+09:00
2017-06-27T00:00:00+09:00
JVNDB-2017-000150
OS command injection vulnerability in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains OS command injection. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW16A
cpe:/o:toshiba:hem-gw16a_firmware
firmware HEM-GW16A-FW-V1.2.0 and earlier
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW26A
cpe:/o:toshiba:hem-gw26a_firmware
firmware HEM-GW26A-FW-V1.2.0 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed on the device.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
Toshiba Lighting & Technology Corporation
Toshiba Lighting & Technology Corporation website
http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2237
JVN
JVN#85901441
http://jvn.jp/en/jp/JVN85901441/index.html
National Vulnerability Database (NVD)
CVE-2017-2237
https://nvd.nist.gov/vuln/detail/CVE-2017-2237
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/28]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-28T10:28:06+09:00
2018-02-14T12:10:09+09:00
2017-06-27T00:00:00+09:00
JVNDB-2017-000151
Cross-site request forgery vulnerability in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains cross-site request forgery. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW16A
cpe:/o:toshiba:hem-gw16a_firmware
firmware HEM-GW16A-FW-V1.2.0 and earlier
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW26A
cpe:/o:toshiba:hem-gw26a_firmware
firmware HEM-GW26A-FW-V1.2.0 and earlier
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
High
7.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
The user may be tricked into performing an unintended operation on the device.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
Toshiba Lighting & Technology Corporation
Toshiba Lighting & Technology Corporation website
http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2238
JVN
JVN#85901441
http://jvn.jp/en/jp/JVN85901441/index.html
National Vulnerability Database (NVD)
CVE-2017-2238
https://nvd.nist.gov/vuln/detail/CVE-2017-2238
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/28]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-06-28T10:28:05+09:00
2018-02-14T12:10:11+09:00
2017-06-27T00:00:00+09:00
JVNDB-2017-000152
Installer of Shinseiyou Sougou Soft provided by The Ministry of Justice may insecurely load Dynamic Link Libraries
Installer of Shinseiyou Sougou Soft provided by The Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc., Yuji Tounai of NTT Communications Corporation, and Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Ministry of Justice
Shinseiyo Sogo Soft
cpe:/a:moj:shinseiyo_sogo_soft
(4.8A) and earlier (installer)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the Latest Installer] Use the latest installer according to the information provided by the developer. Users who already have installed Shinseiyou Sougou Soft do not need to re-install the application, because this issue affects the installer only.
The Ministry of Justice
Download | Registration and deposits online application system
http://www.touki-kyoutaku-online.moj.go.jp/download.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2232
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#23389212
http://jvn.jp/en/jp/JVN23389212/index.html
National Vulnerability Database (NVD)
CVE-2017-2232
https://nvd.nist.gov/vuln/detail/CVE-2017-2232
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/30]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-06-30T14:19:43+09:00
2018-02-07T12:22:08+09:00
2017-06-30T00:00:00+09:00
JVNDB-2017-000153
Installer of PDF Digital Signature Plugin provided by the Ministry of Justice may insecurely load Dynamic Link Libraries
Installer of PDF Digital Signature Plugin provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation and Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Ministry of Justice
PDF Digital Signature Plugin
cpe:/a:moj:pdf_digital_signature
(G2.30) and earlier (installer), distributed till June 29, 2017
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the Latest Installer] Use the latest installer according to the information provided by the developer. Users who have already installed PDF Digital Signature Plugin do not need to re-install the application, because this issue affects the installer only.
The Ministry of Justice
Download | Registration and deposits online application system
http://www.touki-kyoutaku-online.moj.go.jp/download.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2233
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#45134765
http://jvn.jp/en/jp/JVN45134765/index.html
National Vulnerability Database (NVD)
CVE-2017-2233
https://nvd.nist.gov/vuln/detail/CVE-2017-2233
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/30]\n Web page was published\n[2017/07/04]\n Affected Products : Product version was modified\n[2018/02/07]\n References : Content was added
2017-06-30T14:18:40+09:00
2018-02-07T12:21:23+09:00
2017-06-30T00:00:00+09:00
JVNDB-2017-000154
Teikihoukokusho Sakuseishien Tool may insecurely load Dynamic Link Libraries
Teikihoukokusho Sakuseishien Tool provided by Agency for Natural Resources and Energy of METI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). The tool is provided as a ZIP archive. It is assumed that a user extracts the tool (the executable file) to the home directory. If a malicious DLL file is placed in the same directory as the tool and the user invokes the tool, then the malicious DLL is loaded and executed. Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Agency for Natural Resources and Energy of Ministry of Economy, Trade and Industry (METI)
Teikihoukokusho Sakuseishien Tool
cpe:/a:enecho.meti:teikihoukokusho_sakuseishien_tool
v4.0
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the tool.
[Use the latest software] Use the latest version according to the information provided by the developer. Teikihoukokusho Sakuseishien Tool v4.1 is installed on the system area of the computer. Therefore, the risk of a malicious DLL file being placed in the tool's directory by an attacker or by a tricked user is decreased.
Agency for Natural Resources and Energy
Download the latest Teikihoukokusho Sakuseishien Tool
http://www.enecho.meti.go.jp/notice/topics/003/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2228
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#53292345
https://jvn.jp/en/jp/JVN53292345/index.html
National Vulnerability Database (NVD)
CVE-2017-2228
https://nvd.nist.gov/vuln/detail/CVE-2017-2228
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/17]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-08-17T15:31:24+09:00
2018-02-14T12:11:11+09:00
2017-08-17T00:00:00+09:00
JVNDB-2017-000155
Cybozu Garoon fails to restrict access permission
Cybozu Garoon provided by Cybozu, Inc. contains an improper access restriction. Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.4
Medium
4
AV:N/AC:H/Au:N/C:N/I:P/A:P
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
When a logged-in user accesses a specially crafted page, the user may unintentionally lock other users' files.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2017/006402.html
Cybozu
[CyVDB-1252]
https://support.cybozu.com/ja-jp/article/9648
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2144
JVN
JVN#43534286
https://jvn.jp/en/jp/JVN43534286/index.html
National Vulnerability Database (NVD)
CVE-2017-2144
https://nvd.nist.gov/vuln/detail/CVE-2017-2144
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/03]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-07-03T15:22:26+09:00
2018-02-14T11:54:05+09:00
2017-07-03T00:00:00+09:00
JVNDB-2017-000156
Cybozu Garoon vulnerable to session fixation
Cybozu Garoon provided by Cybozu, Inc. contains a session fixation vulnerability. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
4.0.0 to 4.2.4
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
A remote unauthenticated attacker may perform unintended operations with the logged-in user's privilege.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2017/006402.html
Cybozu
[CyVDB-1302][CyVDB-1303][CyVDB-1304]
https://support.cybozu.com/ja-jp/article/9695
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2145
JVN
JVN#43534286
https://jvn.jp/en/jp/JVN43534286/index.html
National Vulnerability Database (NVD)
CVE-2017-2145
https://nvd.nist.gov/vuln/detail/CVE-2017-2145
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/03]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-07-03T15:22:48+09:00
2018-02-14T11:54:04+09:00
2017-07-03T00:00:00+09:00
JVNDB-2017-000157
Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon provided by Cybozu, Inc. contains a cross-site scripting vulnerability in the application menu. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.4
Low
3.6
AV:N/AC:H/Au:S/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2017/006402.html
Cybozu
[CyVDB-1313]
https://support.cybozu.com/ja-jp/article/9702
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2146
JVN
JVN#43534286
https://jvn.jp/en/jp/JVN43534286/index.html
National Vulnerability Database (NVD)
CVE-2017-2146
https://nvd.nist.gov/vuln/detail/CVE-2017-2146
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/03]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-07-03T15:23:15+09:00
2018-02-07T11:52:47+09:00
2017-07-03T00:00:00+09:00
JVNDB-2017-000158
Installer and self-extracting archive containing the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system may insecurely load Dynamic Link Libraries
The installer and the self-extracting archive including the installer of MLIT DenshiSeikabutsuSakuseiShienKensa system contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ministry of Land, Infrastructure, Transport and Tourism
MLIT DenshiSeikabutsuSakuseiShienKensa system
cpe:/a:mlit:denshiseikabutsusakuseishienkensa
Ver3.0.2 and earlier, distributed till June 20, 2017. (installer)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer or the self-extracting archive.
[Use the latest self-extracting archive and invoke the installer carefully] Use the latest self-extracting archive according to the information provided by the developer. A new self-extracting archive has been created with the latest Lhaplus archiver, which is not affected by this issue, and it was released on June 20, 2017. When invoking the installer extracted from the self-extracting archive, make sure that no malicious DLL exists in the same directory. Re-installation of the application is not necessary, because this issue affects the installer only.
Ministry of Land, Infrastructure, Transport and Tourism
Government Buildings Department, MLIT: DenshiSeikabutsuSakuseiShienKensa System ver3.0
http://www.mlit.go.jp/gobuild/gobuild_cals_sysv3.html
Ministry of Land, Infrastructure, Transport and Tourism
Vulnerability Announcement
http://www.mlit.go.jp/common/001189444.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2231
JVN
JVN#06337557
http://jvn.jp/en/jp/JVN06337557/index.html
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-2231
https://nvd.nist.gov/vuln/detail/CVE-2017-2231
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/03]\n Web page was published\n[2017/07/11]\n Affected Products : Product version was modified\n[2018/02/07]\n References : Content was added\n
2017-07-03T14:14:36+09:00
2018-02-07T12:20:35+09:00
2017-07-03T00:00:00+09:00
JVNDB-2017-000159
WordPress plugin "Responsive Lightbox" vulnerable to cross-site scripting
The WordPress plugin "Responsive Lightbox" provided by dFactory contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
dFactory
Responsive Lightbox
cpe:/a:dfactory:responsive_lightbox
prior to version 1.7.2
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
dFactory
Changeset 1685428 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1685428/#file1
dFactory
Responsive Lightbox by dFactory - WordPress Plugins - Changelog
https://wordpress.org/plugins/responsive-lightbox/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2243
JVN
JVN#39819446
http://jvn.jp/en/jp/JVN39819446/index.html
National Vulnerability Database (NVD)
CVE-2017-2243
https://nvd.nist.gov/vuln/detail/CVE-2017-2243
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/04]\n Web page was published\n[2018/02/14]\n References : Content was added
2017-07-04T14:02:58+09:00
2018-02-14T12:10:13+09:00
2017-07-04T00:00:00+09:00
JVNDB-2017-000160
MFC-J960DWN vulnerable to cross-site request forgery
MFC-J960DWN provided by BROTHER INDUSTRIES, LTD. is a MultiFunction Printer. MFC-J960DWN contains a cross-site request forgery vulnerability (CWE-352). Taiga Asano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Brother Industries
MFC-J960DWN firmware
cpe:/o:brother:mfc-j960dwn_firmware
ver.D and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
If a user views a malicious page, unintended operations such as changing settings of the device may be performed.
[Apply a Workaround] The developer provides a tool to avoid this vulnerability. For more details, refer to the information provided by the developer.
BROTHER INDUSTRIES, LTD.
BROTHER INDUSTRIES, LTD. website
http://support.brother.co.jp/j/s/support/vul_info/JVN95996423/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2244
JVN
JVN#95996423
http://jvn.jp/en/jp/JVN95996423/index.html
National Vulnerability Database (NVD)
CVE-2017-2244
https://nvd.nist.gov/vuln/detail/CVE-2017-2244
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/04]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-07-04T13:59:02+09:00
2018-02-07T11:52:52+09:00
2017-07-04T00:00:00+09:00
JVNDB-2017-000161
Installer of Douro Kouji Kanseizutou Check Program may insecurely load Dynamic Link Libraries
Installer of Douro Kouji Kanseizutou Check Program provided by National Institute for Land and Infrastructure Management contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. and BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ministry of Land, Infrastructure, Transport and Tourism
Douro Kouji Kanseizutou Check Program
cpe:/a:mlit:mlit_roadworks_completion_drawing_check_program
Ver3.1.2 (cdrw_checker_3.1.2.zip) and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer and apply the workarounds] Users who downloaded Douro Kouji Kanseizutou Check Program Ver3.1.2 (cdrw_checker_3.1.2.zip) before 2017 July 19 should delete the application immediately. When installing Douro Kouji Kanseizutou Check Program, be sure to download the latest version of Douro Kouji Kanseizutou Check Program Ver3.1.3 (cdrw_checker_3.1.3.zip) from the website. Also be sure to confirm the following before executing the installer. * Confirm there is no suspicious file besides "setup.exe" in the "setup program" directory, which is created when extracting the installer (cdrw_checker_3.1.3.zip) * Be sure to execute "setup.exe" in the "setup program" directory. Note that this vulnerability affects the installer only, thus users who have already installed Douro Kouji Kanseizutou Check Program do not need to re-install the latest Douro Kouji Kanseizutou Check Program Ver3.1.3 (cdrw_checker_3.1.3.zip).
Ministry of Land, Infrastructure, Transport and Tourism
Douro kouji kannseizutou sakusei sien site
http://www.nilim-cdrw.jp/
Ministry of Land, Infrastructure, Transport and Tourism
Help desk
http://www.nilim-cdrw.jp/index_help.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2230
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2230
JVN
JVN#82120115
http://jvn.jp/en/jp/JVN82120115/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-2230
https://nvd.nist.gov/vuln/detail/CVE-2017-2230
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/04]\n Web page was published\n[2017/08/09]\n Overview was modified\n Affected Products : Product version was modified\n Solution was modified\n[2018/02/07]\n References : Content was added
2017-07-04T14:43:37+09:00
2018-02-07T12:32:30+09:00
2017-07-04T00:00:00+09:00
JVNDB-2017-000162
Installer of Douroshisetu Kihon Data Sakusei System may insecurely load Dynamic Link Libraries
The installer of Douroshisetu Kihon Data Sakusei System provided by National Institute for Land and Infrastructure Management contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ministry of Land, Infrastructure, Transport and Tourism
Douroshisetu Kihon Data Sakusei System
cpe:/a:mlit:mlit_road_infrastructure_basic_data_system
Ver1.0.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Apply Workaround] Be sure to check that no malicious file exists in the same directory where the installer is placed. According to the developer, the distributed archive file contains a directory and the installer (setup.exe) in it. When extracting the archive file, a clean directory which contains the installer is created. Be sure not to copy any files into this directory before executing the installer. Keep this directory clean.
Ministry of Land, Infrastructure, Transport and Tourism
Douro kouji kannseizutou sakusei sien site
http://www.nilim-cdrw.jp/
Ministry of Land, Infrastructure, Transport and Tourism
Help Desk
http://www.nilim-cdrw.jp/index_help.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2229
JVN
JVN#20409270
http://jvn.jp/en/jp/JVN20409270/index.html
JVN
JVNTA#91240916
https://jvn.jp/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-2229
https://nvd.nist.gov/vuln/detail/CVE-2017-2229
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/04]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-07-04T14:43:35+09:00
2018-02-07T12:32:32+09:00
2017-07-04T00:00:00+09:00
JVNDB-2017-000164
WordPress plugin "Shortcodes Ultimate" vulnerable to directory traversal
The WordPress plugin "Shortcodes Ultimate" contains a directory traversal vulnerability (CWE-22) in the Examples page. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Vladimir Anokhin
Shortcodes Ultimate
cpe:/a:shortcodes_ultimate_project:shortcodes_ultimate
prior to version 4.10.0
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Arbitrary local files on the server may be accessed by a logged-in user.
[Update the Software] Update to the latest version according to the information provided by the developer.
Vladimir Anokhin
Shortcodes Ultimate - WordPress Plugins - Changelog
https://wordpress.org/plugins/shortcodes-ultimate/#developers
Vladimir Anokhin
Changeset 1684377 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1684377/#file217
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2245
JVN
JVN#63249051
https://jvn.jp/en/jp/JVN63249051/index.html
National Vulnerability Database (NVD)
CVE-2017-2245
https://nvd.nist.gov/vuln/detail/CVE-2017-2245
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/06]\n Web page was published\n[2018/02/07]\n References : Content was added
2017-07-06T13:41:39+09:00
2018-02-07T11:52:54+09:00
2017-07-06T00:00:00+09:00
JVNDB-2017-000169
Installers of Lhaz and Lhaz+, and Self-Extracting Archives created by Lhaz or Lhaz+ may insecurely load Dynamic Link Libraries
Lhaz and Lhaz+ provided by Chitora soft contain the following vulnerabilities. * Installers of Lhaz and Lhaz+ insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2246, CVE-2017-2248 * Self-extracting archive files created by Lhaz or Lhaz+ insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2247, CVE-2017-2249 Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
chitora
Lhaz
cpe:/a:chitora:lhaz
version 2.4.0 and earlier (installer) - CVE-2017-2246
version 2.4.0 and earlier (Self-extracting archive files created) - CVE-2017-2247
chitora
Lhaz+
cpe:/a:chitora:lhaz%2B
version 3.4.0 and earlier (installer) - CVE-2017-2248
version 3.4.0 and earlier (Self-extracting archive files created) - CVE-2017-2249
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer. - CVE-2017-2246, CVE-2017-2248 Arbitrary code may be executed with the privilege of the user invoking the self-extracting archive file. - CVE-2017-2247, CVE-2017-2249
[Update the software] Update to the latest version according to the information provided by the developer.
Chitora soft
Chitora soft website
http://chitora.com/jvn21369452.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2248
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2249
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2246
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2247
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#21369452
http://jvn.jp/en/jp/JVN21369452/index.html
National Vulnerability Database (NVD)
CVE-2017-2246
https://nvd.nist.gov/vuln/detail/CVE-2017-2246
National Vulnerability Database (NVD)
CVE-2017-2247
https://nvd.nist.gov/vuln/detail/CVE-2017-2247
National Vulnerability Database (NVD)
CVE-2017-2248
https://nvd.nist.gov/vuln/detail/CVE-2017-2248
National Vulnerability Database (NVD)
CVE-2017-2249
https://nvd.nist.gov/vuln/detail/CVE-2017-2249
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/07]\n Web page was published\n[2017/07/11]\n Affected Products : Product version was modified\n[2018/02/07]\n References : Contents were added\n
2017-07-07T14:18:21+09:00
2018-02-07T12:19:37+09:00
2017-07-07T00:00:00+09:00
JVNDB-2017-000170
Self-Extracting Archives created by File Compact may insecurely load Dynamic Link Libraries
File Compact provided by SOURCENEXT CORPORATION is compression/decompression software. It can also create self-extracting archive files. Self-extracting archive files created by File Compact contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SOURCENEXT CORPORATION
File Compact
cpe:/a:sourcenext:file_compact
Ver.5 version 5.10 and earlier
Ver.6 version 6.02 and earlier
Ver.7 version 7.02 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking a vulnerable self-extracting archive file.
[Update File Compact and Recreate Self-Extracting Archive files] Update to the latest version according to the information provided by the developer, and recreate self-extracting archive files. According to the developer, self-extracting archives created by the following software versions are not affected. * File Compact Ver.5 version 5.11 * File Compact Ver.6 version 6.03 * File Compact Ver.7 version 7.03
SOURCENEXT CORPORATION
SOURCENEXT CORPORATION website
http://www.sourcenext.com/support/i/20170704_01
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2252
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2252
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#29939155
https://jvn.jp/en/jp/JVN29939155/index.html
National Vulnerability Database (NVD)
CVE-2017-2252
https://nvd.nist.gov/vuln/detail/CVE-2017-2252
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/10] Web page was published; [2018/02/07] References : Content was added; [2018/02/16] Overview was modified, Affected Products : Product versions were modified, Solution was modified
2017-07-10T13:57:38+09:00
2018-02-16T13:26:40+09:00
2017-07-10T00:00:00+09:00
JVNDB-2017-000171
Installers of Mozilla Firefox and Thunderbird for Windows may insecurely load Dynamic Link Libraries
Installers of Mozilla Firefox and Thunderbird for Windows provided by Mozilla Foundation contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
mozilla.org contributors
Mozilla Firefox
cpe:/a:mozilla:firefox
prior to version 54
mozilla.org contributors
Mozilla Firefox ESR
cpe:/a:mozilla:firefox_esr
prior to version 52.2
mozilla.org contributors
Mozilla Thunderbird
cpe:/a:mozilla:thunderbird
prior to version 52.2
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the Latest Installer] Use the latest installer according to the information provided by the developer. Users who already have installed Mozilla Firefox or Thunderbird do not need to re-install the application, because this issue affects the installer only.
Mozilla Foundation Security Advisory
Mozilla Foundation Security Advisory 2017-15
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7755
Mozilla Foundation Security Advisory
Mozilla Foundation Security Advisory 2017-16
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7755
Mozilla Foundation Security Advisory
Mozilla Foundation Security Advisory 2017-17
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7755
Common Vulnerabilities and Exposures (CVE)
CVE-2017-7755
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7755
JVN
JVN#81676004
https://jvn.jp/en/jp/JVN81676004/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-7755
https://nvd.nist.gov/vuln/detail/CVE-2017-7755
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/11] Web page was published
1
2018-08-30T18:02:45+09:00
[2018/08/30] References : Contents were added
2017-07-11T13:48:06+09:00
2018-08-30T18:03:02+09:00
2017-07-11T00:00:00+09:00
JVNDB-2017-000172
FileCapsule Deluxe Portable and Encrypted Files in Self-Decryption Format created by FileCapsule Deluxe Portable may insecurely load Dynamic Link Libraries
FileCapsule Deluxe Portable is file encryption software. FileCapsule Deluxe Portable contains the following vulnerabilities. * FileCapsule Deluxe Portable insecurely loads Dynamic Link Libraries (CWE-427) - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269 * Encrypted files in self-decryption format created by FileCapsule Deluxe Portable insecurely load Dynamic Link Libraries (CWE-427) - CVE-2017-2266, CVE-2017-2268, CVE-2017-2270 Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SPIRIT
FileCapsule Deluxe Portable
cpe:/a:resume-next:filecapsule_deluxe_portable
Ver.1.0.4.1 and earlier (Encrypted files in self-decryption format created) - CVE-2017-2266
Ver.1.0.4.1 and earlier - CVE-2017-2265
Ver.1.0.5.1 and earlier (Encrypted files in self-decryption format created) - CVE-2017-2268
Ver.1.0.5.1 and earlier - CVE-2017-2267
Ver.2.0.9 and earlier (Encrypted files in self-decryption format created) - CVE-2017-2270
Ver.2.0.9 and earlier - CVE-2017-2269
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* Arbitrary code may be executed with the privilege of the user invoking the application. - CVE-2017-2265, CVE-2017-2267, CVE-2017-2269 * Arbitrary code may be executed with the privilege of the user invoking the Encrypted file in self-decryption format. - CVE-2017-2266, CVE-2017-2268, CVE-2017-2270
[Update the Software] Update to the latest version according to the information provided by the developer. Encrypted files in self-decryption format must be re-created using the latest version. According to the developer, the following actions are necessary when using a Windows OS prior to Windows 8. * In case of Windows Vista or 7, KB2533623 provided by Microsoft should be applied before using the latest version. * In case of Windows XP, users must take care where to place the application or the encrypted files in self-decryption format. Make sure no untrusted files exist in the same folder as the application or the encrypted file in self-decryption format. For more information, refer to the information provided by the developer.
ON ERROR RESUME NEXT
ON ERROR RESUME NEXT
http://www.resume-next.com/contents/fcdp.html
ON ERROR RESUME NEXT
[Important Notice] About FileCapsule Deluxe Portable Vulnerability
http://resumenext.blog.fc2.com/blog-entry-30.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2266
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2267
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2268
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2269
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2270
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2265
JVN
JVN#42031953
https://jvn.jp/en/jp/JVN42031953/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-2266
https://nvd.nist.gov/vuln/detail/CVE-2017-2266
National Vulnerability Database (NVD)
CVE-2017-2267
https://nvd.nist.gov/vuln/detail/CVE-2017-2267
National Vulnerability Database (NVD)
CVE-2017-2268
https://nvd.nist.gov/vuln/detail/CVE-2017-2268
National Vulnerability Database (NVD)
CVE-2017-2269
https://nvd.nist.gov/vuln/detail/CVE-2017-2269
National Vulnerability Database (NVD)
CVE-2017-2270
https://nvd.nist.gov/vuln/detail/CVE-2017-2270
National Vulnerability Database (NVD)
CVE-2017-2265
https://nvd.nist.gov/vuln/detail/CVE-2017-2265
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/13] Web page was published; [2018/02/07] References : Contents were added
2017-07-13T14:35:29+09:00
2018-02-07T16:48:32+09:00
2017-07-13T00:00:00+09:00
JVNDB-2017-000173
Installer of Yahoo! Toolbar (for Internet Explorer) may insecurely load Dynamic Link Libraries
Installer of Yahoo! Toolbar (for Internet Explorer) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Yahoo Japan Corporation
Installer of Yahoo! Toolbar
cpe:/a:misc:yahoo_japan_yahoo_toolbar
(for Internet Explorer) v8.0.0.6 and earlier, with its timestamp prior to June 13, 2017, 18:18:55
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the Latest Installer] Use the latest installer when installing Yahoo! Toolbar (for Internet Explorer). Users who have already installed Yahoo! Toolbar (for Internet Explorer) do not need to re-install the toolbar, because this issue affects the installer only.
Yahoo Japan Corporation
Yahoo! Toolbar
https://toolbar.yahoo.co.jp/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2253
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2253
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#02852421
https://jvn.jp/en/jp/JVN02852421/index.html
National Vulnerability Database (NVD)
CVE-2017-2253
https://nvd.nist.gov/vuln/detail/CVE-2017-2253
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/12] Web page was published; [2018/02/07] References : Content was added
2017-07-12T14:42:57+09:00
2018-02-07T16:48:34+09:00
2017-07-12T00:00:00+09:00
JVNDB-2017-000174
Self-Extracting Encrypted Files created by AttacheCase may insecurely load Dynamic Link Libraries
AttacheCase is open source file encryption software provided by HiBARA Software. It can also create self-extracting encrypted files. Self-extracting encrypted files created by AttacheCase contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HiBARA Software
AttacheCase
cpe:/a:hibara:attachecase
ver.2.8.3.0 and earlier - CVE-2017-2271
ver.3.2.2.6 and earlier - CVE-2017-2272
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking a vulnerable self-extracting encrypted file.
[Update the Files] Update AttacheCase and re-encrypt the affected files according to the information provided by the developer. AttacheCase ver2.x is no longer supported. HiBARA Software recommends AttacheCase ver4.x as the successor to AttacheCase ver2.x to re-encrypt the affected files. Keep following the practice explained in the following workarounds to securely treat self-extracting encrypted files. [Apply Workarounds] * When invoking a self-extracting encrypted file, make sure no unrelated files exist within the same directory. It is best to copy the installer into a newly created directory and invoke it from that directory. * Make sure no untrusted files exist within the directory where the self-extracting encrypted file is invoked. * If you have some shared directory within your organization to place self-extracting encrypted files, make sure that this shared directory is read-only for non-administrative users. * Operate self-extracting encrypted files using a standard user (non-administrator) account. Administrator accounts should be used only when necessary.
HiBARA Software
HiBARA Software website
https://hibara.org/software/attachecase/?lang=ja
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2271
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2272
JVN
JVN#61502349
https://jvn.jp/en/jp/JVN61502349/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-2271
https://nvd.nist.gov/vuln/detail/CVE-2017-2271
National Vulnerability Database (NVD)
CVE-2017-2272
https://nvd.nist.gov/vuln/detail/CVE-2017-2272
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/14] Web page was published; [2018/02/14] References : Contents were added
1
2022-03-31T14:44:05+09:00
[2022/03/31] Solution was modified
2017-07-14T13:38:14+09:00
2022-03-31T17:43:19+09:00
2017-07-14T00:00:00+09:00
JVNDB-2017-000175
Multiple vulnerabilities in SONY Portable Wireless Server WG-C10
Portable Wireless Server WG-C10 provided by Sony Corporation contains multiple vulnerabilities listed below. * OS command injection (CWE-78) - CVE-2017-2275 * Buffer overflow (CWE-119) - CVE-2017-2276 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
WG-C10
cpe:/h:sony:wg-c10
v3.0.79 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An attacker who can log in to the product as an administrator may execute arbitrary OS commands.
[Apply a Workaround] The following workarounds may mitigate the effects of this vulnerability. * Set up a wireless LAN password and an access password. For more information, please refer to the developer's website.
Sony
Security Notice for the WG-C10 Portable Wireless Server
https://esupport.sony.com/US/p/news-item.pl?news_id=527&mdl=WGC10
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2275
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2276
JVN
JVN#14151222
http://jvn.jp/en/jp/JVN14151222/index.html
National Vulnerability Database (NVD)
CVE-2017-2275
https://nvd.nist.gov/vuln/detail/CVE-2017-2275
National Vulnerability Database (NVD)
CVE-2017-2276
https://nvd.nist.gov/vuln/detail/CVE-2017-2276
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/19] Web page was published; [2018/01/24] References : Contents were added
2017-07-19T15:07:38+09:00
2018-01-24T12:34:20+09:00
2017-07-19T00:00:00+09:00
JVNDB-2017-000176
SONY Portable Wireless Server WG-C10 fails to restrict access permissions
Portable Wireless Server WG-C10 provided by Sony Corporation fails to restrict access permissions (CWE-284). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
WG-C10
cpe:/h:sony:wg-c10
v3.0.79 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
An authenticated attacker may obtain or alter information stored in the external storage connected to the product.
[Apply a Workaround] The following workarounds may mitigate the effects of this vulnerability. * Avoid using public wireless LAN service. For more information, please refer to the developer's website.
Sony
Security Notice for the WG-C10 Portable Wireless Server
https://esupport.sony.com/US/p/news-item.pl?news_id=527&mdl=WGC10
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2277
JVN
JVN#77412145
http://jvn.jp/en/jp/JVN77412145/index.html
National Vulnerability Database (NVD)
CVE-2017-2277
https://nvd.nist.gov/vuln/detail/CVE-2017-2277
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/19] Web page was published; [2018/02/14] References : Content was added
2017-07-19T15:07:39+09:00
2018-02-14T12:02:22+09:00
2017-07-19T00:00:00+09:00
JVNDB-2017-000177
RBB SPEED TEST App fails to verify SSL server certificates
RBB SPEED TEST App provided by IID, Inc. fails to verify SSL server certificates. DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
IID, Inc.
RBB SPEED TEST
cpe:/a:iid:rbb_speed_test
App for Android version 2.0.3 and earlier
App for iOS version 2.1.0 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
App store
RBB SPEED TEST
https://itunes.apple.com/jp/app/rbb-speed-test/id538725494
Google Play
RBB SPEED TEST
https://play.google.com/store/apps/details?id=com.rbbtoday.speedtest
IID, Inc.
Update to the latest version of RBB SPEED TEST App
http://www.iid.co.jp/information/170714.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2278
JVN
JVN#24238648
https://jvn.jp/en/jp/JVN24238648/index.html
National Vulnerability Database (NVD)
CVE-2017-2278
https://nvd.nist.gov/vuln/detail/CVE-2017-2278
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/24] Web page was published; [2018/01/24] References : Content was added
2017-07-24T15:08:16+09:00
2018-01-24T14:03:18+09:00
2017-07-24T00:00:00+09:00
JVNDB-2017-000179
Multiple Buffalo wireless LAN access point devices do not properly perform authentication
WAPM-1166D and WAPM-APG600H provided by BUFFALO INC. are wireless LAN access point devices. WAPM-1166D and WAPM-APG600H do not properly perform authentication (CWE-287). SASABE Tetsuro of The University of Tokyo reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
WAPM-1166D firmware
cpe:/o:buffalo_inc:wapm-1166d_firmware
Ver.1.2.7 and earlier
BUFFALO INC.
WAPM-APG600H firmware
cpe:/o:buffalo_inc:wapm-apg600h_firmware
Ver.1.16.1 and earlier
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An attacker who can access the device may log in via telnet without authentication and access the configuration interface of the device.
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20170718.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2126
JVN
JVN#48823557
http://jvn.jp/en/jp/JVN48823557/index.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/20] Web page was published
2017-07-20T14:12:30+09:00
2017-07-20T14:12:30+09:00
2017-07-20T00:00:00+09:00
JVNDB-2017-000180
Multiple vulnerabilities in multiple Buffalo wireless LAN routers
WMR-433 and WMR-433W provided by BUFFALO INC. are wireless LAN routers. WMR-433 and WMR-433W contain multiple vulnerabilities listed below. * Cross-site Request Forgery (CWE-352) - CVE-2017-2273 * Reflected Cross-site Scripting (CWE-79) - CVE-2017-2274 Manabu Kobayashi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
WMR-433 firmware
cpe:/o:buffalo_inc:wmr-433_firmware
Ver.1.02 and earlier
BUFFALO INC.
WMR-433W firmware
cpe:/o:buffalo_inc:wmr-433w_firmware
Ver.1.40 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
The possible impact of each vulnerability is as follows: * If a logged-in user accesses a specially crafted page, configuration of the device may be changed or the device may be rebooted - CVE-2017-2273 * If a logged-in user accesses a specially crafted page, an arbitrary script may be executed on the user's web browser - CVE-2017-2274
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20170606.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2273
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2274
JVN
JVN#48413726
http://jvn.jp/en/jp/JVN48413726/index.html
National Vulnerability Database (NVD)
CVE-2017-2273
https://nvd.nist.gov/vuln/detail/CVE-2017-2273
National Vulnerability Database (NVD)
CVE-2017-2274
https://nvd.nist.gov/vuln/detail/CVE-2017-2274
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/20] Web page was published; [2018/01/24] References : Contents were added
2017-07-20T14:13:55+09:00
2018-01-24T12:34:22+09:00
2017-07-20T00:00:00+09:00
JVNDB-2017-000181
WordPress plugin "Popup Maker" vulnerable to cross-site scripting
The WordPress plugin "Popup Maker" provided by Popup Maker contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Popup Maker
Popup Maker
cpe:/a:wppopupmaker:popup_maker
prior to version 1.6.5
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Popup Maker
Changeset 1697216 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1697216/#file3
Popup Maker
Popup Maker - WordPress Plugins - Changelog
https://wordpress.org/plugins/popup-maker/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2284
JVN
JVN#92921024
https://jvn.jp/en/jp/JVN92921024/index.html
National Vulnerability Database (NVD)
CVE-2017-2284
https://nvd.nist.gov/vuln/detail/CVE-2017-2284
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/24] Web page was published; [2018/01/24] References : Content was added
2017-07-24T13:52:38+09:00
2018-01-24T14:03:20+09:00
2017-07-24T00:00:00+09:00
JVNDB-2017-000182
WordPress plugin "Simple Custom CSS and JS" vulnerable to cross-site scripting
The WordPress plugin "Simple Custom CSS and JS" provided by SilkyPress contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SilkyPress
Simple Custom CSS and JS
cpe:/a:silkypress:simple_custom_css_and_js
prior to version 3.4
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
SilkyPress
Simple Custom CSS and JS - WordPress Plugins - Changelog
https://wordpress.org/plugins/custom-css-js/#developers
SilkyPress
Changeset 1695440 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1695440/#file6
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2285
JVN
JVN#31459091
https://jvn.jp/en/jp/JVN31459091/index.html
National Vulnerability Database (NVD)
CVE-2017-2285
https://nvd.nist.gov/vuln/detail/CVE-2017-2285
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/24] Web page was published; [2018/02/14] References : Content was added
2017-07-24T13:52:40+09:00
2018-02-14T11:58:42+09:00
2017-07-24T00:00:00+09:00
JVNDB-2017-000183
Multiple cross-site scripting vulnerabilities in ScreenOS
ScreenOS provided by Juniper Networks contains multiple cross-site scripting vulnerabilities. Toshitsugu Yoneyama and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Juniper Networks, Inc.
ScreenOS
cpe:/o:juniper:screenos
versions prior to 6.3.0r24
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
High
8.4
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
An arbitrary script may be executed on the logged-in user's web browser.
[Update the software] Update to the latest version according to the information provided by the developer.
Juniper Networks
2017-07 Security Bulletin: ScreenOS: Multiple XSS vulnerabilities in ScreenOS Firewall
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&actp=METADATA
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2337
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2338
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2339
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2335
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2336
JVN
JVN#74247807
https://jvn.jp/en/jp/JVN74247807/index.html
National Vulnerability Database (NVD)
CVE-2017-2339
https://nvd.nist.gov/vuln/detail/CVE-2017-2339
National Vulnerability Database (NVD)
CVE-2017-2335
https://nvd.nist.gov/vuln/detail/CVE-2017-2335
National Vulnerability Database (NVD)
CVE-2017-2336
https://nvd.nist.gov/vuln/detail/CVE-2017-2336
National Vulnerability Database (NVD)
CVE-2017-2337
https://nvd.nist.gov/vuln/detail/CVE-2017-2337
National Vulnerability Database (NVD)
CVE-2017-2338
https://nvd.nist.gov/vuln/detail/CVE-2017-2338
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/24] Web page was published; [2017/08/03] Overview was modified; [2017/08/09] References : Contents were added
2017-07-24T13:52:42+09:00
2017-08-09T11:23:32+09:00
2017-07-24T00:00:00+09:00
JVNDB-2017-000184
Installer of Tween may insecurely load Dynamic Link Libraries
Tween is a Twitter client application. The installer of Tween contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Kiri
Tween
cpe:/a:kiri:tween
Ver1.6.6.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed Tween do not need to re-install the application, because this issue affects the installer only.
Kiri
Kiri website
https://sites.google.com/site/tweentwitterclient/project-updates/insutoraniokerucuiruoxing
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2279
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2279
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#17523256
https://jvn.jp/en/jp/JVN17523256/index.html
National Vulnerability Database (NVD)
CVE-2017-2279
https://nvd.nist.gov/vuln/detail/CVE-2017-2279
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/24] Web page was published; [2018/01/24] References : Content was added
2017-07-24T15:08:18+09:00
2018-01-24T14:03:22+09:00
2017-07-24T00:00:00+09:00
JVNDB-2017-000185
Multiple vulnerabilities in I-O DATA WN-AX1167GR
WN-AX1167GR provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-AX1167GR contains multiple vulnerabilities listed below. * Hard-coded credentials (CWE-798) - CVE-2017-2280 * OS command injection (CWE-78) - CVE-2017-2281 * Buffer overflow (CWE-119) - CVE-2017-2282 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
WN-AX1167GR
cpe:/h:i-o_data_device:wn-ax1167gr
firmware version 3.00 and earlier
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The possible impact of each vulnerability is as follows: * A user with access to the network that is connected to the affected device may execute arbitrary code on the device - CVE-2017-2280 * A user with access to the affected device may execute an arbitrary command - CVE-2017-2281 * If a user views a specially crafted page while logged into the affected device, an arbitrary command may be executed - CVE-2017-2282
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/wn-ax1167gr/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2282
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2280
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2280
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2281
JVN
JVN#01312667
https://jvn.jp/en/jp/JVN01312667/index.html
National Vulnerability Database (NVD)
CVE-2017-2280
https://nvd.nist.gov/vuln/detail/CVE-2017-2280
National Vulnerability Database (NVD)
CVE-2017-2281
https://nvd.nist.gov/vuln/detail/CVE-2017-2281
National Vulnerability Database (NVD)
CVE-2017-2282
https://nvd.nist.gov/vuln/detail/CVE-2017-2282
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/27] Web page was published; [2018/01/24] References : Content was added
2017-07-27T14:26:43+09:00
2018-01-24T13:56:47+09:00
2017-07-27T00:00:00+09:00
JVNDB-2017-000186
NFC Port Software remover may insecurely load Dynamic Link Libraries
NFC Port Software remover provided by Sony Corporation is an application to remove NFC Port Software. NFC Port Software remover contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
NFC Port Software remover
cpe:/a:sony:nfc_port_software_remover
Ver.1.3.0.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user running the application.
[Use the latest version] Use the latest version according to the information provided by the developer.
Sony
Sony Corporation website
https://www.sony.co.jp/Products/felica/consumer/info/170725.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2287
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#33797604
https://jvn.jp/en/jp/JVN33797604/index.html
National Vulnerability Database (NVD)
CVE-2017-2287
https://nvd.nist.gov/vuln/detail/CVE-2017-2287
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/27] Web page was published; [2018/01/24] References: Content was added
2017-07-27T15:38:47+09:00
2018-01-24T14:02:10+09:00
2017-07-27T00:00:00+09:00
JVNDB-2017-000187
Installer of LhaForge may insecurely load Dynamic Link Libraries
LhaForge is a file compression/decompression software. The installer of LhaForge contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Claybird
LhaForge
cpe:/a:lhaforge_project:lhaforge
Ver.1.6.5 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed LhaForge do not need to re-install the software, because this issue affects the installer only.
LhaForge
Claybird website
http://claybird.sakura.ne.jp/garage/lhaforge/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2288
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2288
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#74554973
http://jvn.jp/en/jp/JVN74554973/index.html
National Vulnerability Database (NVD)
CVE-2017-2288
https://nvd.nist.gov/vuln/detail/CVE-2017-2288
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/27] Web page was published; [2018/01/24] References: Content was added
2017-07-27T14:31:35+09:00
2018-01-24T13:59:34+09:00
2017-07-27T00:00:00+09:00
JVNDB-2017-000188
I-O DATA WN-G300R31 uses hard-coded credentials
WN-G300R31 provided by I-O DATA DEVICE, INC. is a wireless LAN router. WN-G300R3 uses hard-coded credentials (CWE-798). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
WN-G300R3 firmware
cpe:/o:i-o_data_device:wn-g300r3_firmware
version 1.0.2 and earlier
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A user with access to the network that is connected to the affected device may execute arbitrary code on the device.
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/wn-g300r3_2/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2283
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2283
JVN
JVN#51410509
https://jvn.jp/en/jp/JVN51410509/index.html
National Vulnerability Database (NVD)
CVE-2017-2283
https://nvd.nist.gov/vuln/detail/CVE-2017-2283
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/27] Web page was published; [2018/01/24] References: Content was added
2017-07-27T14:13:50+09:00
2018-01-24T14:03:23+09:00
2017-07-27T00:00:00+09:00
JVNDB-2017-000189
Installers of Sony PaSoRi related software may insecurely load Dynamic Link Libraries
PaSoRi provided by Sony Corporation is a contactless IC card reader/writer. Installers of PaSoRi driver and other related software for Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
NFC net installer
cpe:/a:sony:nfc_net_installer
Ver.1.1.0.0 and earlier
Sony Corporation
NFC Port Software (formerly FeliCa port software)
cpe:/a:sony:nfc_port_software_%28formerly_felica_port_software%29
Version 5.3.6.7 and earlier Products: RC-S320, RC-S310/J1C, RC-S310/ED4C
Version 5.5.0.6 and earlier Products: RC-S310, RC-S320, RC-S330, RC-S370, RC-S380, RC-S380/S
Sony Corporation
PC/SC activator for Type B
cpe:/a:sony:pc%2Fsc_activator_for_type_b
Ver.1.2.1.0 and earlier
Sony Corporation
SFCard Viewer 2
cpe:/a:sony:sfcard_viewer_2
Ver.2.5.0.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed the software do not need to re-install, because this issue affects the installers only. According to the developer, they have stopped distributing the NFC net installer since July 25th, 2017.
Sony
New installer with security fixes for users of the USB NFC reader for Windows
https://www.sony.net/Products/felica/business/information/170725.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2286
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2286
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#16136413
http://jvn.jp/en/jp/JVN16136413/index.html
National Vulnerability Database (NVD)
CVE-2017-2286
https://nvd.nist.gov/vuln/detail/CVE-2017-2286
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/27] Web page was published; [2018/01/24] References: Content was added
2017-07-27T15:38:45+09:00
2018-01-24T14:14:14+09:00
2017-07-27T00:00:00+09:00
JVNDB-2017-000191
Installer of Qua station connection tool for Windows may insecurely load Dynamic Link Libraries
Qua station provided by KDDI CORPORATION is a 4G LTE photo storage. Qua station connection tool is used to view data saved on Qua station from a PC and/or save data on a PC. Installer of Qua station connection tool for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
Qua station connection tool
cpe:/h:kddi:qua_station
for Windows version 1.00.03
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. The developer states this vulnerability was addressed in the installer of Qua station connection tool for Windows released on 2017 June 22 at 16:00 JST (UTC/GMT +9 hours). Users who already have installed Qua station connection tool for Windows do not need to re-install the application, because this issue affects the installer only.
KDDI CORPORATION
Qua station
https://www.au.com/mobile/product/4glte-photostorage/quastation/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2289
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2289
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#81659403
http://jvn.jp/en/jp/JVN81659403/index.html
National Vulnerability Database (NVD)
CVE-2017-2289
https://nvd.nist.gov/vuln/detail/CVE-2017-2289
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/08] Web page was published; [2018/02/14] References: Content was added
2017-08-08T15:35:51+09:00
2018-02-14T12:14:10+09:00
2017-08-08T00:00:00+09:00
JVNDB-2017-000192
WCR-1166DS vulnerable to OS command injection
WCR-1166DS provided by BUFFALO INC. is a wireless LAN router. WCR-1166DS contains an OS command injection vulnerability (CWE-78). Masashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
WCR-1166DS
cpe:/h:buffalo_inc:wcr-1166ds
firmware 1.30 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
A user who can access the administrative console of the device may execute an arbitrary OS command.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20170804_1.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10811
JVN
JVN#05340005
http://jvn.jp/en/jp/JVN05340005/index.html
National Vulnerability Database (NVD)
CVE-2017-10811
https://nvd.nist.gov/vuln/detail/CVE-2017-10811
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/08] Web page was published; [2018/02/14] References: Content was added
2017-08-08T18:06:33+09:00
2018-02-14T12:21:43+09:00
2017-08-08T00:00:00+09:00
JVNDB-2017-000194
WSR-300HP vulnerable to arbitrary code execution
WSR-300HP provided by BUFFALO INC. is a wireless LAN router. WSR-300HP contains an arbitrary code execution vulnerability.
BUFFALO INC.
WSR-300HP
cpe:/h:buffalo_inc:wsr-300hp
firmware 2.30 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
By executing a specially crafted request prepared by a remote attacker, arbitrary code may be executed.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20170804_2.html
Common Vulnerabilities and Exposures (CVE)
CVE-2014-8361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361
JVN
JVN#74871939
http://jvn.jp/en/jp/JVN74871939/index.html
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/08] Web page was published
2017-08-08T18:07:03+09:00
2017-08-08T18:07:03+09:00
2017-08-08T00:00:00+09:00
JVNDB-2017-000195
Installer of Baidu IME may insecurely load Dynamic Link Libraries
Installer of Baidu IME contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Baidu, Inc.
Baidu IME
cpe:/a:baidu:baidu_ime
Ver3.6.1.6 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed Baidu IME do not need to re-install the application, because this issue affects the installer only.
Baidu
Baidu Japan Inc. website
http://ime.baidu.jp/type/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2221
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#17788774
http://jvn.jp/en/jp/JVN17788774/index.html
National Vulnerability Database (NVD)
CVE-2017-2221
https://nvd.nist.gov/vuln/detail/CVE-2017-2221
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/03] Web page was published; [2018/01/24] References: Content was added
2017-08-03T12:28:02+09:00
2018-01-24T14:34:05+09:00
2017-08-03T00:00:00+09:00
JVNDB-2017-000196
Installer of IP Messenger may insecurely load Dynamic Link Libraries
IP Messenger is a LAN Messenger based on TCP/IP. IP Messenger contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
H.Shirouzu
IP Messenger
cpe:/a:hiroaki_shirouzu:ip_messenger
for Win 4.60 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed IP Messenger do not need to re-install the application, because this issue affects the installer only.
IP Messenger
IP Messenger Installer vulnerability of DLL loading without intent
https://ipmsg.org/ipmsg_dll_vulnerability.html.en
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10820
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#86724730
http://jvn.jp/en/jp/JVN86724730/index.html
National Vulnerability Database (NVD)
CVE-2017-10820
https://nvd.nist.gov/vuln/detail/CVE-2017-10820
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/03] Web page was published; [2018/01/24] References: Content was added
2017-08-03T14:35:59+09:00
2018-01-24T14:26:58+09:00
2017-08-03T00:00:00+09:00
JVNDB-2017-000197
Installer of Photo Collection PC Software provided by NTT DOCOMO, INC. may insecurely load Dynamic Link Libraries and invoke executable files
Photo Collection PC Software provided by NTT DOCOMO, INC. contains an issue with the search paths for DLL/executable files, which may lead to insecurely loading Dynamic Link Libraries and invoking executable files (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NTT DOCOMO, INC.
Photo Collection PC Software
cpe:/a:nttdocomo:photo_collection_pc_software
Ver.4.0.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be exploited when the following condition is met. If this vulnerability is exploited, arbitrary code may be executed with the privilege of the user invoking the installer. * A user is tricked into placing a malicious DLL or an executable file prepared by an attacker in a specific folder.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who already have installed Photo Collection PC Software do not need to re-install the application, because this issue affects the installer only.
NTT docomo
NTT DOCOMO, INC. website
https://www.nttdocomo.co.jp/support/utilization/application/service/photo_collection/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10812
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#67954465
http://jvn.jp/en/jp/JVN67954465/index.html
National Vulnerability Database (NVD)
CVE-2017-10812
https://nvd.nist.gov/vuln/detail/CVE-2017-10812
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/22] Web page was published
1
2018-02-28T10:55:51+09:00
[2018/02/28] References: Content was added
2017-08-22T12:34:36+09:00
2018-02-28T12:13:40+09:00
2017-08-22T00:00:00+09:00
JVNDB-2017-000198
Installer and self-extracting archive containing the installer of TDB CA TypeA use software may insecurely load Dynamic Link Libraries
TDB CA TypeA use software provided by Teikoku Databank, Ltd. is software that provides an environment for using the system and management functions of the TDB electronic authentication service TypeA. The installer and the self-extracting archive containing the installer of TDB CA TypeA use software contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
TEIKOKU DATABANK, LTD.
TDB CA TypeA use software
cpe:/a:teikoku_databank:type_a
version 5.2 and earlier, distributed until 10 August 2017
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer or the self-extracting archive.
[Use the latest self-extracting archive and invoke the installer carefully] Use the latest self-extracting archive according to the information provided by the developer. Re-installation of the application is not necessary, because this issue affects the installer only.
Teikoku Databank, Ltd.
TypeA maintenance
http://www.tdb.co.jp/typeA/news/news.html#20170810_TypeAmaintenance
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10824
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#18641169
https://jvn.jp/en/jp/JVN18641169/index.html
National Vulnerability Database (NVD)
CVE-2017-10824
https://nvd.nist.gov/vuln/detail/CVE-2017-10824
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/18] Web page was published; [2018/02/14] References: Content was added
2017-08-18T13:41:25+09:00
2018-02-14T12:16:52+09:00
2017-08-18T00:00:00+09:00
JVNDB-2017-000199
Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program may insecurely load Dynamic Link Libraries
Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program provided by Agency for Natural Resources and Energy of METI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Agency for Natural Resources and Energy of Ministry of Economy, Trade and Industry (METI)
Installer of Shin Kikan Toukei Houkoku Data Nyuryokuyou Program
cpe:/a:enecho.meti:shin_kikan_toukei_houkoku_data_nyuryokuyou_program
(version released on 2013 September 30) distributed on the website till 2017 May 17
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. When installing Shin Kikan Toukei Houkoku Data Nyuryokuyou Program, be sure to check no malicious file exists in the same directory where the installer is placed. Note that this vulnerability affects the installer only, thus users who have already installed Shin Kikan Toukei Houkoku Data Nyuryokuyou Program do not need to re-install the software using the latest installer.
Agency for Natural Resources and Energy
"Shin Kikan Toukei Houkoku Data Nyuryokuyou Program" download page
http://www.enecho.meti.go.jp/statistics/petroleum_and_lpgas/oil_enterprise/001/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10821
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#73559859
http://jvn.jp/en/jp/JVN73559859/index.html
National Vulnerability Database (NVD)
CVE-2017-10821
https://nvd.nist.gov/vuln/detail/CVE-2017-10821
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/17] Web page was published; [2018/02/14] References: Content was added
2017-08-17T17:29:12+09:00
2018-02-14T12:19:15+09:00
2017-08-17T00:00:00+09:00
JVNDB-2017-000200
Installer of Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program may insecurely load Dynamic Link Libraries
Installer of Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program provided by Agency for Natural Resources and Energy of METI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Agency for Natural Resources and Energy of Ministry of Economy, Trade and Industry (METI)
Installer of Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program
cpe:/a:enecho.meti:shin_sekiyu_yunyu_chousa_houkoku_data_nyuryoku_program
(version released on 2013 September 30) distributed on the website till 2017 May 17
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. When installing Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program, be sure to check no malicious file exists in the same directory where the installer is placed. Note that this vulnerability affects the installer only, thus users who have already installed Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program do not need to re-install the software using the latest installer.
Agency for Natural Resources and Energy
"Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program" download page
http://www.enecho.meti.go.jp/statistics/petroleum_and_lpgas/oil_enterprise/001/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10822
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#71104430
http://jvn.jp/en/jp/JVN71104430/index.html
National Vulnerability Database (NVD)
CVE-2017-10822
https://nvd.nist.gov/vuln/detail/CVE-2017-10822
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/17] Web page was published; [2018/02/14] References: Content was added
2017-08-17T17:29:14+09:00
2018-02-14T12:05:42+09:00
2017-08-17T00:00:00+09:00
JVNDB-2017-000201
Installer of Shin Kinkyuji Houkoku Data Nyuryoku Program may insecurely load Dynamic Link Libraries
Installer of Shin Kinkyuji Houkoku Data Nyuryoku Program provided by Agency for Natural Resources and Energy of METI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Agency for Natural Resources and Energy of Ministry of Economy, Trade and Industry (METI)
Installer of Shin Kinkyuji Houkoku Data Nyuryoku Program
cpe:/a:enecho.meti:shin_kinkyuji_houkoku_data_nyuryoku_program
(version released on 2011 March 10) distributed on the website till 2017 May 17
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. When installing Shin Kinkyuji Houkoku Data Nyuryoku Program, be sure to check no malicious file exists in the same directory where the installer is placed. Note that this vulnerability affects the installer only, thus users who have already installed Shin Kinkyuji Houkoku Data Nyuryoku Program do not need to re-install the software using the latest installer.
Agency for Natural Resources and Energy
"Shin Kinkyuji Houkoku Data Nyuryoku Program" download page
http://www.enecho.meti.go.jp/statistics/petroleum_and_lpgas/oil_enterprise/002/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10823
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#23546631
http://jvn.jp/en/jp/JVN23546631/index.html
National Vulnerability Database (NVD)
CVE-2017-10823
https://nvd.nist.gov/vuln/detail/CVE-2017-10823
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/17] Web page was published; [2018/02/14] References: Content was added
2017-08-17T17:29:15+09:00
2018-02-14T12:08:13+09:00
2017-08-17T00:00:00+09:00
JVNDB-2017-000202
Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. * Denial-of-service (DoS) vulnerability in the application menu's edit function (CWE-20) - CVE-2017-2254 * Stored cross-site scripting in the "Rich text" function of the application "Space" (CWE-79) - CVE-2017-2255 * Stored cross-site scripting in the "Rich text" function of the application "Memo" (CWE-79) - CVE-2017-2256 * Cross-site scripting in the mail function (CWE-79) - CVE-2017-2257 * Directory traversal in the Garoon SOAP API "WorkflowHandleApplications" (CWE-22) - CVE-2017-2258 Cybozu, Inc. reported CVE-2017-2258 vulnerability to JPCERT/CC to notify users of its solution through JVN. Jun Kokatsu reported CVE-2017-2254 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. Masato Kinugawa reported CVE-2017-2255, CVE-2017-2256 and CVE-2017-2257 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.5 (CVE-2017-2256, CVE-2017-2257)
3.5.0 to 4.2.5 (CVE-2017-2254)
3.7.0 to 4.2.5 (CVE-2017-2255)
4.2.4 to 4.2.5 (CVE-2017-2258)
Medium
5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P
Medium
5.5
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
* An attacker may be able to cause a denial-of-service (DoS) - CVE-2017-2254 * An arbitrary script may be executed on the logged-in user's web browser - CVE-2017-2255, CVE-2017-2256, CVE-2017-2257 * An attacker may check the presence of a directory on the server - CVE-2017-2258
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1379]
https://support.cybozu.com/ja-jp/article/9846
Cybozu
[CyVDB-1330]
https://support.cybozu.com/ja-jp/article/9751
Cybozu
[CyVDB-1336]
https://support.cybozu.com/ja-jp/article/9746
Cybozu
[CyVDB-1337][CyVDB-1338][CyVDB-1412]
https://support.cybozu.com/ja-jp/article/9744
Cybozu
[CyVDB-1346][CyVDB-1347][CyVDB-1411]
https://support.cybozu.com/ja-jp/article/9765
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2254
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2254
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2255
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2255
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2256
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2257
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2257
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2258
JVN
JVN#63564682
http://jvn.jp/en/jp/JVN63564682/index.html
National Vulnerability Database (NVD)
CVE-2017-2254
https://nvd.nist.gov/vuln/detail/CVE-2017-2254
National Vulnerability Database (NVD)
CVE-2017-2255
https://nvd.nist.gov/vuln/detail/CVE-2017-2255
National Vulnerability Database (NVD)
CVE-2017-2256
https://nvd.nist.gov/vuln/detail/CVE-2017-2256
National Vulnerability Database (NVD)
CVE-2017-2257
https://nvd.nist.gov/vuln/detail/CVE-2017-2257
National Vulnerability Database (NVD)
CVE-2017-2258
https://nvd.nist.gov/vuln/detail/CVE-2017-2258
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/21] Web page was published; [2018/02/14] References: Contents were added
2017-08-21T14:30:45+09:00
2018-02-14T12:25:55+09:00
2017-08-21T00:00:00+09:00
JVNDB-2017-000203
Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. * SQL injection (CWE-89) - CVE-2017-10842 * Arbitrary files may be deleted - CVE-2017-10843 * Arbitrary PHP code execution - CVE-2017-10844 Shoji Baba reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
baserCMS Users Community
baserCMS
cpe:/a:basercms:basercms
version 3.0.14 and earlier
version 4.0.5 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* A remote attacker may execute arbitrary SQL commands to create files or obtain or alter information stored in the database. - CVE-2017-10842 * A remote attacker may obtain or delete arbitrary files on the system. - CVE-2017-10843 * A user may execute arbitrary PHP code on the server. - CVE-2017-10844
[Update the Software] Update to the latest version according to the information provided by the developer. [Apply the Patch] Patches have been released. For more information, refer to "How to Apply the Patches".
baserCMS Users Community
baserCMS Users Community website
https://basercms.net/security/JVN78151490
baserCMS Users Community
How to Apply the Patches
https://basercms.net/patch/20170823
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10843
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10844
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10842
JVN
JVN#78151490
http://jvn.jp/en/jp/JVN78151490/index.html
National Vulnerability Database (NVD)
CVE-2017-10842
https://nvd.nist.gov/vuln/detail/CVE-2017-10842
National Vulnerability Database (NVD)
CVE-2017-10843
https://nvd.nist.gov/vuln/detail/CVE-2017-10843
National Vulnerability Database (NVD)
CVE-2017-10844
https://nvd.nist.gov/vuln/detail/CVE-2017-10844
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/25] Web page was published
1
2018-02-28T10:39:04+09:00
[2018/02/28] References: Contents were added
2017-08-25T14:50:28+09:00
2018-02-28T11:45:13+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000204
Multiple vulnerabilities in "Dokodemo eye Smart HD" SCR02HD
Wireless monitor "Dokodemo eye Smart HD" SCR02HD provided by NIPPON ANTENNA Co., Ltd contains multiple vulnerabilities listed below. * OS command injection (CWE-78) - CVE-2017-10832 * Improper access restriction (CWE-425) - CVE-2017-10833 * Directory traversal (CWE-22) - CVE-2017-10834 * Arbitrary PHP code execution (CWE-94) - CVE-2017-10835 Masashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON ANTENNA Co., Ltd.
"Dokodemo eye Smart HD" SCR02HD Firmware
cpe:/o:nippon-antenna:scr02hd_firmware
1.0.3.1000 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* An arbitrary OS command may be executed by a remote attacker - CVE-2017-10832
* Information may be viewed and the configuration modified by a remote attacker - CVE-2017-10833
* An arbitrary local file on the product may be accessed by an authenticated attacker - CVE-2017-10834
* Arbitrary PHP code on the product may be executed by an authenticated attacker - CVE-2017-10835
[Apply a Workaround] The following workarounds may mitigate the effects of the vulnerabilities.
* Change the factory default password.
* Do not use the product when connected to a public wireless LAN.
* Restrict direct access to the product by placing a broadband router between the product and external network.
NIPPON ANTENNA Co., Ltd
NIPPON ANTENNA Co., Ltd website
http://www.nippon-antenna.co.jp/product/ine/pdf/scr02hd_about_security.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10834
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10835
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10832
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10833
JVN
JVN#87410770
http://jvn.jp/en/jp/JVN87410770/index.html
National Vulnerability Database (NVD)
CVE-2017-10832
https://nvd.nist.gov/vuln/detail/CVE-2017-10832
National Vulnerability Database (NVD)
CVE-2017-10833
https://nvd.nist.gov/vuln/detail/CVE-2017-10833
National Vulnerability Database (NVD)
CVE-2017-10834
https://nvd.nist.gov/vuln/detail/CVE-2017-10834
National Vulnerability Database (NVD)
CVE-2017-10835
https://nvd.nist.gov/vuln/detail/CVE-2017-10835
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T14:06:27+09:00
[2017/08/23] Web page was published
1
2018-02-28T14:06:35+09:00
[2018/02/28] References : Contents were added
2017-08-23T15:36:01+09:00
2018-02-28T14:28:51+09:00
2017-08-23T00:00:00+09:00
JVNDB-2017-000205
The installer of the Ministry of Justice [The electronic authentication system based on the commercial registration system "The CRCA user's Software"] may insecurely load Dynamic Link Libraries
The electronic authentication system based on the commercial registration system "The CRCA user's Software" provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). DigiGnome and BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Ministry of Justice
The electronic authentication system based on the commercial registration system "The CRCA user's Software"
cpe:/a:moj:touki_denshi
Ver1.8 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed The electronic authentication system based on the commercial registration system "The CRCA user's Software" do not need to re-install the application, because this issue affects the installer only.
The Ministry of Justice
The electronic authentication system based on the commercial registration system "The CRCA user's Software" download page
http://www.moj.go.jp/MINJI/minji06_00027.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10831
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#30866130
http://jvn.jp/en/jp/JVN30866130/index.html
National Vulnerability Database (NVD)
CVE-2017-10831
https://nvd.nist.gov/vuln/detail/CVE-2017-10831
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T13:59:07+09:00
[2017/08/23] Web page was published
1
2018-02-28T13:59:13+09:00
[2018/02/28] References : Content was added
2017-08-23T15:24:44+09:00
2018-02-28T14:04:07+09:00
2017-08-23T00:00:00+09:00
JVNDB-2017-000206
Multiple vulnerabilities in WebCalendar
WebCalendar provided by k5n.us contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2017-10840
* Directory traversal (CWE-22) - CVE-2017-10841
The following researchers reported vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2017-10840: Yuji Tounai of NTT Communications Corporation and ASAI Ken
* CVE-2017-10841: ASAI Ken
k5n.us
WebCalendar
cpe:/a:k5n:webcalendar
1.2.7 and earlier
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
4.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
* An arbitrary script may be executed on a logged in user's web browser - CVE-2017-10840
* Arbitrary local files on the server may be accessed by a user logged in as an administrator - CVE-2017-10841
[Update the Software] Update to the latest version according to the information provided by the developer.
k5n.us
XSS fixes for admin.php - GitHub
https://github.com/craigk5n/webcalendar/commit/9e5b06f4d1c55ff4faa6da5df5254511df7a586a
k5n.us
Release 1.2.8 - craigk5n/webcalendar - GitHub
https://github.com/craigk5n/webcalendar/releases/tag/v1.2.8
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10841
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10840
JVN
JVN#23340457
http://jvn.jp/en/jp/JVN23340457/index.html
National Vulnerability Database (NVD)
CVE-2017-10840
https://nvd.nist.gov/vuln/detail/CVE-2017-10840
National Vulnerability Database (NVD)
CVE-2017-10841
https://nvd.nist.gov/vuln/detail/CVE-2017-10841
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/24] Web page was published
1
2018-02-28T10:43:39+09:00
[2018/02/28] References : Contents were added
2017-08-24T14:03:48+09:00
2018-02-28T12:07:58+09:00
2017-08-24T00:00:00+09:00
JVNDB-2017-000207
Multiple vulnerabilities in SEO Panel
SEO Panel provided by SEO Panel contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2017-10838
* SQL injection (CWE-89) - CVE-2017-10839
ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Seo Panel
Seo Panel
cpe:/a:seopanel:seo_panel
prior to version 3.11.0
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* An arbitrary script may be executed on a logged in user's web browser - CVE-2017-10838
* An authenticated attacker may obtain or alter information stored in the database - CVE-2017-10839
[Update the Software] Update to the latest version according to the information provided by the developer.
Seo Panel
Seo Panel 3.11.0 Released
http://blog.seopanel.in/2017/07/seo-panel-3-11-0-released/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10838
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10839
JVN
JVN#39628662
http://jvn.jp/en/jp/JVN39628662/index.html
National Vulnerability Database (NVD)
CVE-2017-10838
https://nvd.nist.gov/vuln/detail/CVE-2017-10838
National Vulnerability Database (NVD)
CVE-2017-10839
https://nvd.nist.gov/vuln/detail/CVE-2017-10839
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/24] Web page was published
1
2018-02-28T11:01:59+09:00
[2018/02/28] References : Contents were added
2017-08-24T14:03:46+09:00
2018-02-28T12:19:14+09:00
2017-08-24T00:00:00+09:00
JVNDB-2017-000208
WordPress plugin "BackupGuard" vulnerable to cross-site scripting
The WordPress plugin "BackupGuard" provided by BackupGuard contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BackupGuard
BackupGuard
cpe:/a:backup-guard:backupguard
prior to version 1.1.47
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
BackupGuard
BackupGuard - WordPress Plugins - Changelog
https://wordpress.org/plugins/backup/#developers
BackupGuard
Changeset 1712201 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1712201/#file9
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10837
JVN
JVN#58559719
http://jvn.jp/en/jp/JVN58559719/index.html
National Vulnerability Database (NVD)
CVE-2017-10837
https://nvd.nist.gov/vuln/detail/CVE-2017-10837
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/24] Web page was published
1
2018-02-28T11:52:55+09:00
[2018/02/28] References : Content was added
2017-08-24T14:03:45+09:00
2018-02-28T12:26:47+09:00
2017-08-24T00:00:00+09:00
JVNDB-2017-000209
Installer of Optimal Guard may insecurely load Dynamic Link Libraries
Installer of Optimal Guard provided by OPTiM Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
OPTiM Corporation
Optimal Guard
cpe:/a:optim:optimal_guard
1.1.21 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. When installing Optimal Guard, be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed Optimal Guard do not need to re-install the software using the latest installer.
OPTiM Corporation
Notification to the users of "Optimal Guard"
https://www.optim.co.jp/contents/23246
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10836
JVN
JVN#87540575
http://jvn.jp/en/jp/JVN87540575/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-10836
https://nvd.nist.gov/vuln/detail/CVE-2017-10836
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/25] Web page was published
1
2018-02-28T11:11:50+09:00
[2018/02/28] References : Content was added
2017-08-25T14:50:26+09:00
2018-02-28T12:23:19+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000210
Installer of "Security Kinou Mihariban" may insecurely load Dynamic Link Libraries
Installer of "Security Kinou Mihariban" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Security Kinou Mihariban
cpe:/a:ntt_west:security_kinou_mihariban
v1.0.21 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer ("Security Kinou Mihariban" v1.0.22 or later) according to the information provided by the developer. When installing "Security Kinou Mihariban", be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed "Security Kinou Mihariban" do not need to re-install the software using the latest installer.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
http://flets-w.com/topics/mihariban_vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10826
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10826
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#11601216
http://jvn.jp/en/jp/JVN11601216/index.html
National Vulnerability Database (NVD)
CVE-2017-10826
https://nvd.nist.gov/vuln/detail/CVE-2017-10826
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T14:16:01+09:00
[2017/08/25] Web page was published
1
2018-02-28T14:16:09+09:00
[2018/02/28] References : Content was added
2017-08-25T14:50:23+09:00
2018-02-28T14:04:06+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000211
Installer of "Remote Support Tool (Enkaku Support Tool)" may insecurely load Dynamic Link Libraries
Installer of "Remote Support Tool (Enkaku Support Tool)" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
Remote Support Tool (Enkaku Support Tool)
cpe:/a:ntt_east:remote_support_tool
all versions distributed through the website till 2017 August 10
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Remote Support Tool (Enkaku Support Tool)
cpe:/a:ntt_west:remote_support_tool
all versions distributed through the website till 2017 August 10
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] When installing "Remote Support Tool (Enkaku Support Tool)", use the latest installer according to the information provided by the developer. Note that this vulnerability affects the installer only, thus users who have already installed "Remote Support Tool (Enkaku Support Tool)" do not need to re-install the software using the latest installer. However, if the old "Remote Support Tool (Enkaku Support Tool)" obtained from the website before 2017 August 10 resides in your computer, delete it immediately. For details, refer to the information provided by the developer.
* NTT EAST: Important : To the users of "Remote Support Tool (Enkaku Support Tool)"
* NTT WEST: About a vulnerability in "Remote Support Tool for Windows"
Nippon Telegraph and Telephone East Corporation
Important : To the users of "Remote Support Tool (Enkaku Support Tool)"
https://flets.com/osa/remote/pc_tool.html
Nippon Telegraph and Telephone West Corporation
About a vulnerability in "Remote Support Tool for Windows"
http://flets-w.com/topics/remote_support_vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10829
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#26115441
http://jvn.jp/en/jp/JVN26115441/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/30] Web page was published
2017-08-30T15:10:41+09:00
2017-08-30T15:10:41+09:00
2017-08-30T00:00:00+09:00
JVNDB-2017-000212
Installer of "Flets Azukeru for Windows Auto Backup Tool" may insecurely load Dynamic Link Libraries
Installer of "Flets Azukeru for Windows Auto Backup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Flets Azukeru Auto Backup Tool
cpe:/a:ntt_west:flet%27s_azukeru_pc_autobackup_tool
for Windows v1.0.3.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. When installing "Flets Azukeru for Windows Auto Backup Tool", be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed "Flets Azukeru for Windows Auto Backup Tool" do not need to re-install the software using the latest installer.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
http://flets-w.com/topics/azukeru_vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10827
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#14658714
http://jvn.jp/en/jp/JVN14658714/index.html
National Vulnerability Database (NVD)
CVE-2017-10827
https://nvd.nist.gov/vuln/detail/CVE-2017-10827
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T14:01:30+09:00
[2017/08/25] Web page was published
1
2018-02-28T14:01:37+09:00
[2018/02/28] References : Content was added
2017-08-25T15:02:21+09:00
2018-02-28T14:07:28+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000213
Installer of "Flets Easy Setup Tool" may insecurely load Dynamic Link Libraries
Installer of "Flets Easy Setup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Flets Easy Setup Tool
cpe:/a:ntt_west:flet%27s_kantan_setup_tool
Ver1.2.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] When installing "Flets Easy Setup Tool", use the latest installer according to the information provided by the developer. Note that this vulnerability affects the installer only, thus users who have already installed "Flets Easy Setup Tool" do not need to re-install the software using the latest installer. However, if the older version of "Flets Easy Setup Tool" resides in your computer, delete it immediately. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
http://flets-w.com/topics/setup_tool_vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10825
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#97243511
http://jvn.jp/en/jp/JVN97243511/index.html
National Vulnerability Database (NVD)
CVE-2017-10825
https://nvd.nist.gov/vuln/detail/CVE-2017-10825
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/02] Web page was published
1
2018-03-14T11:33:52+09:00
[2018/03/14] References : Content was added
2017-11-02T13:57:43+09:00
2018-03-14T13:48:28+09:00
2017-11-02T00:00:00+09:00
JVNDB-2017-000214
Installer of "Flets Install Tool" may insecurely load Dynamic Link Libraries
Installer of "Flets Install Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Flets Install Tool
cpe:/a:ntt_west:flet%27s_install_tool
All versions distributed through the website till 2017 August 8
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Note that this vulnerability affects the installer only, thus users who have already installed "Flets Install Tool" do not need to re-install the software using the latest installer.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
http://flets-w.com/topics/inst_tool_vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10828
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#14926025
http://jvn.jp/en/jp/JVN14926025/index.html
National Vulnerability Database (NVD)
CVE-2017-10828
https://nvd.nist.gov/vuln/detail/CVE-2017-10828
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T14:03:03+09:00
[2017/08/25] Web page was published
1
2018-02-28T14:03:08+09:00
[2018/02/28] References : Content was added
2017-08-25T15:02:22+09:00
2018-02-28T14:07:26+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000215
Installer and self-extracting archive containing the installer of "Security Setup Tool" may insecurely load Dynamic Link Libraries
The installer and the self-extracting archive containing the installer of "Security Setup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Security Setup Tool
cpe:/a:ntt_west:secutity_setup_tool
all versions
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer or the self-extracting archive.
[Do not invoke either the installer or the self-extracting archive] If the installer or the self-extracting archive containing the installer of "Security Setup Tool" still resides in your computer and "Security Setup Tool" has not yet been installed, do not install it. Delete the executable file immediately. Note that this issue affects the installer or the self-extracting archive only, thus users who have already installed "Security Setup Tool" are not affected. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
http://f-security.jp/v6/support/information/100161.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10830
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#36303528
http://jvn.jp/en/jp/JVN36303528/index.html
National Vulnerability Database (NVD)
CVE-2017-10830
https://nvd.nist.gov/vuln/detail/CVE-2017-10830
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-28T14:04:43+09:00
[2017/08/25] Web page was published
1
2018-02-28T14:04:52+09:00
[2018/02/28] References : Content was added
2017-08-25T14:50:24+09:00
2018-02-28T14:28:49+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000216
Installer of "Flets Setsuzoku Tool" may insecurely load Dynamic Link Libraries
Installer of "Flets Setsuzoku Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Flets Setsuzoku Tool
cpe:/a:ntt_west:flet%27s_connection_tool
for Windows all versions
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use "Flets Setsuzoku Tool"] The developer states that they have stopped providing "Flets Setsuzoku Tool" on the website since 2017 June 30. Do not use "Flets Setsuzoku Tool" because there are no countermeasures provided by the developer against this vulnerability. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone West Corporation
Installer of "Flets Setsuzoku Tool" may insecurely load Dynamic Link Libraries
http://flets-w.com/topics/setsuzoku_tool_vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2242
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#22272314
https://jvn.jp/en/jp/JVN22272314/index.html
National Vulnerability Database (NVD)
CVE-2017-2242
https://nvd.nist.gov/vuln/detail/CVE-2017-2242
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/25] Web page was published
1
2018-02-28T10:24:43+09:00
[2018/02/28] References : Content was added
2017-08-25T14:52:13+09:00
2018-02-28T11:39:40+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-000217
Backdoor access issue in Wi-Fi STATION L-02F
Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. contains a backdoor access issue. Japan Computer Emergency Response Team Coordination Center Global Coordination Division Cyber Metrics Line Information Security Analyst Keisuke Shikano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NTT DOCOMO, INC.
Wi-Fi STATION L-02F
cpe:/h:nttdocomo:wi-fi_station_l-02f
Software version V10g and earlier
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An unauthenticated remote attacker may access the device with administrative privileges and perform unintended operations. The reporter has conducted a test and confirmed that an attacker can log in to the device through the internet by using an ID and a password, and execute arbitrary commands.
[Apply an Update] Apply the update according to the information provided by the provider.
NTT docomo
NTT DOCOMO, INC. website
https://www.nttdocomo.co.jp/info/notice/page/170710_01_m.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10845
IPA SECURITY ALERTS
Security Alert for Vulnerability in Wi-Fi STATION L-02F (JVN#68922465)
https://www.ipa.go.jp/security/ciadr/vul/20170912-jvn.html
JPCERT
JPCERT-AT-2017-0034
https://www.jpcert.or.jp/at/2017/at170034.html
JVN
JVN#68922465
https://jvn.jp/en/jp/JVN68922465/index.html
National Vulnerability Database (NVD)
CVE-2017-10845
https://nvd.nist.gov/vuln/detail/CVE-2017-10845
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/12] Web page was published
1
2018-02-28T12:06:34+09:00
[2018/02/28] References : Content was added
2017-09-12T14:34:41+09:00
2018-02-28T14:11:11+09:00
2017-09-12T00:00:00+09:00
JVNDB-2017-000218
Wi-Fi STATION L-02F fails to restrict access permissions
Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. fails to restrict access permissions. Japan Computer Emergency Response Team Coordination Center Global Coordination Division Cyber Metrics Line Information Security Analyst Keisuke Shikano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NTT DOCOMO, INC.
Wi-Fi STATION L-02F
cpe:/h:nttdocomo:wi-fi_station_l-02f
Software version V10b and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An unauthenticated remote attacker may access the web interface of the device through the internet and obtain the stored setting information.
[Apply an Update] Apply the update according to the information provided by the provider.
NTT docomo
NTT DOCOMO, INC. website
https://www.nttdocomo.co.jp/info/notice/page/170710_01_m.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10846
JVN
JVN#03044183
https://jvn.jp/en/jp/JVN03044183/index.html
National Vulnerability Database (NVD)
CVE-2017-10846
https://nvd.nist.gov/vuln/detail/CVE-2017-10846
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/12] Web page was published
1
2018-02-28T12:03:27+09:00
[2018/02/28] References : Content was added
2017-09-12T14:35:05+09:00
2018-02-28T14:09:11+09:00
2017-09-12T00:00:00+09:00
JVNDB-2017-000219
Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries
Installers of multiple products, and DocuWorks self-extracting documents provided by Fuji Xerox Co.,Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
ApeosPort-VI
cpe:/h:fuji_xerox:apeosport-vi
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of ART EX Direct FAX Driver) (Timestamp of code signing is before 26 May 2017 07:44 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of ART EX Driver) (Timestamp of code signing is before 12 Apr 2017 02:04 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of PostScript Driver + Additional Feature Plug-in + PPD File) (Timestamp of code signing is before 12 Apr 2017 02:10 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of Setting Restore Tool) (Timestamp of code signing is before 25 Aug 2015 08:51 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of XPS Print Driver) (Timestamp of code signing is before 3 Nov 2017 23:48 UTC.) (CVE-2017-10850)
FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
ContentsBridge Utility
cpe:/a:fuji_xerox:contentsbridge_utility
for Windows (Installer) 7.4.0 and earlier (CVE-2017-10851)
FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
DocuCentre-VI
cpe:/h:fuji_xerox:docucentre-vi
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of ART EX Direct FAX Driver) (Timestamp of code signing is before 26 May 2017 07:44 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of ART EX Driver) (Timestamp of code signing is before 12 Apr 2017 02:04 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of PostScript Driver + Additional Feature Plug-in + PPD File) (Timestamp of code signing is before 12 Apr 2017 02:10 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of Setting Restore Tool) (Timestamp of code signing is before 25 Aug 2015 08:51 UTC.) (CVE-2017-10850)
C7771/C6671/C5571/C4471/C3371/C2271 (Installer of XPS Print Driver) (Timestamp of code signing is before 3 Nov 2017 23:48 UTC.) (CVE-2017-10850)
FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
DocuWorks
cpe:/a:fuji_xerox:docuworks
(Installer) 8.0.7 and earlier (CVE-2017-10848)
8.0.7 and earlier (Documents generated by Self-extracting) (CVE-2017-10849)
FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
DocuWorks Viewer Light
cpe:/a:fuji_xerox:docuworks_viewer_light
(Installer) published in Jul 2017 and earlier (CVE-2017-10848)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* Arbitrary code may be executed with the privilege of the administrative user invoking the installer - CVE-2017-10848, CVE-2017-10850, CVE-2017-10851
* Arbitrary code may be executed with the privilege of the user invoking the self-extracting document generated by DocuWorks - CVE-2017-10849
CVE-2017-10848, CVE-2017-10850, CVE-2017-10851
[Use the latest installer] Use the latest installer according to the information provided by the developer.
CVE-2017-10849
[Update the Software] Update to the latest version according to the information provided by the developer.
[Apply a Workaround] The self-extracting document generator function is not included in the latest version of the software. When invoking the DocuWorks self-extracting document file, place the document (.exe) file in a newly created empty folder. For more information, refer to the information provided by the developer.
Fuji Xerox
Fuji Xerox Co.,Ltd. website
https://www.fujifilm.com/fb/company/news/notice/2017/0831_rectification_work.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10850
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10851
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10848
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10849
JVN
JVN#09769017
http://jvn.jp/en/jp/JVN09769017/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-10848
https://nvd.nist.gov/vuln/detail/CVE-2017-10848
National Vulnerability Database (NVD)
CVE-2017-10849
https://nvd.nist.gov/vuln/detail/CVE-2017-10849
National Vulnerability Database (NVD)
CVE-2017-10850
https://nvd.nist.gov/vuln/detail/CVE-2017-10850
National Vulnerability Database (NVD)
CVE-2017-10851
https://nvd.nist.gov/vuln/detail/CVE-2017-10851
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/31] Web page was published
1
2018-02-28T11:47:02+09:00
[2018/02/28] References: Contents were added
2
2021-04-12T12:18:53+09:00
[2021/04/12] Vendor Information: The hyperlink URL was updated
2017-08-31T16:35:36+09:00
2021-04-12T13:30:22+09:00
2017-08-31T00:00:00+09:00
JVNDB-2017-000220
Multiple vulnerabilities in CG-WLR300NM
CG-WLR300NM provided by Corega Inc. is a wireless LAN router. CG-WLR300NM contains multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Corega Inc
CG-WLR300NM firmware
cpe:/o:corega:cg-wlr300nm_firmware
version 1.90 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* A user who can access the administrative console of the device may execute an arbitrary OS command - CVE-2017-10813
* A user who can access the administrative console of the device may execute arbitrary code - CVE-2017-10814
[Do not use CG-WLR300NM] Stop using CG-WLR300NM. According to the developer, there is no plan to provide a fix for these vulnerabilities since CG-WLR300NM is no longer supported.
corega
About vulnerabilities in CG-WLR300NM
http://www.corega.jp/support/security/20170908_wlr300nm.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10813
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10814
JVN
JVN#00719891
http://jvn.jp/en/jp/JVN00719891/index.html
National Vulnerability Database (NVD)
CVE-2017-10813
https://nvd.nist.gov/vuln/detail/CVE-2017-10813
National Vulnerability Database (NVD)
CVE-2017-10814
https://nvd.nist.gov/vuln/detail/CVE-2017-10814
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/08] Web page was published
1
2018-02-28T11:50:05+09:00
[2018/02/28] References: Contents were added
2017-09-08T14:14:32+09:00
2018-02-28T12:21:12+09:00
2017-09-08T00:00:00+09:00
JVNDB-2017-000221
Installer of FENCE-Explorer may insecurely load Dynamic Link Libraries and invoke executable files
FENCE-Explorer provided by FUJITSU BROAD SOLUTION & CONSULTING Inc. is a tool to view and edit a file in "FENCE Briefcase" which is created by FENCE-Pro and other FENCE series software. Installer of FENCE-Explorer contains an issue with the search path for DLL/executable files, which may lead to insecurely loading Dynamic Link Libraries and invoking executable files (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FUJITSU BROAD SOLUTION & CONSULTING INC.
FENCE-Explorer
cpe:/a:fujitsu:fence-explorer
for Windows V8.4.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed FENCE-Explorer do not need to re-install the application, because this issue affects the installer only. Also note that a user who uses FENCE-Explorer with Portable Application is not affected by this vulnerability, because in that case the user can specify a directory to place files in before executing FENCE-Explorer. However, the executable file itself contains a DLL preloading vulnerability, so a user should be careful not to place a suspicious file sent by a third party in that directory.
FUJITSU BROAD SOLUTION & CONSULTING INC.
Installer of FENCE-Explorer may insecurely load Dynamic Link Libraries
http://www.fujitsu.com/jp/group/bsc/services/fence/info-2017080101.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10855
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#57205588
http://jvn.jp/en/jp/JVN57205588/index.html
National Vulnerability Database (NVD)
CVE-2017-10855
https://nvd.nist.gov/vuln/detail/CVE-2017-10855
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/11] Web page was published
1
2018-02-28T11:23:15+09:00
[2018/02/28] References: Content was added
2017-09-11T14:55:58+09:00
2018-02-28T13:58:23+09:00
2017-09-11T00:00:00+09:00
JVNDB-2017-000222
SEIL Series routers vulnerable to denial-of-service (DoS)
The IPsec/IKE function in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Internet Initiative Japan Inc. coordinated under the Information Security Early Warning Partnership.
Internet Initiative Japan Inc.
SEIL/B1
cpe:/h:iij:seil%2Fb1
4.60 to 5.72
Internet Initiative Japan Inc.
SEIL/BPV4
cpe:/h:iij:seil%2Fbpv4
5.00 to 5.72
Internet Initiative Japan Inc.
SEIL/X
cpe:/h:iij:seil%2Fx
4.60 to 5.72
Internet Initiative Japan Inc.
SEIL/x86
cpe:/h:iij:seil%2Fx86
3.20 to 5.72
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Receiving a specially crafted packet may result in a temporary failure of the device's encrypted communication.
[Update the Firmware] Apply the appropriate firmware update provided by the developer.
IIJ
Internet Initiative Japan Inc.
http://www.seil.jp/support/security/a01811.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10856
JVN
JVN#76692689
http://jvn.jp/en/jp/JVN76692689/index.html
National Vulnerability Database (NVD)
CVE-2017-10856
https://nvd.nist.gov/vuln/detail/CVE-2017-10856
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/11] Web page was published
1
2018-02-28T13:40:30+09:00
[2018/02/28] References: Content was added
2017-09-11T15:19:52+09:00
2018-02-28T14:12:44+09:00
2017-09-11T00:00:00+09:00
JVNDB-2017-000223
Install program and Installer of i-filter 6.0 may insecurely load Dynamic Link Libraries and invoke executable files
i-filter 6.0 provided by Digital Arts Inc. is web filtering and parental control software. The install program is designed to download the installer via the internet and execute it. The i-filter 6.0 install program and installer contain the following vulnerabilities. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Digital Arts Inc.
i-filter
cpe:/a:daj:i-filter_installer
6.0 install program file version 1.0.8.1 and earlier
6.0 installer timestamp of code signing is before 23 Aug 2017 (JST)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user running the install program or the installer.
[Use the latest install program or installer] Use the latest install program or installer according to the information provided by the developer. Note that the vulnerabilities affect the install program and the installer only, thus users who have already installed i-filter 6.0 do not need to re-install the software.
Digital Arts Inc.
Digital Arts Inc. website
http://www.daj.jp/cs/info/2017/0912/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10860
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10858
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10859
JVN
JVN#75929834
http://jvn.jp/en/jp/JVN75929834/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-10858
https://nvd.nist.gov/vuln/detail/CVE-2017-10858
National Vulnerability Database (NVD)
CVE-2017-10859
https://nvd.nist.gov/vuln/detail/CVE-2017-10859
National Vulnerability Database (NVD)
CVE-2017-10860
https://nvd.nist.gov/vuln/detail/CVE-2017-10860
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/29] Web page was published
2017-09-29T13:54:48+09:00
2017-09-29T13:54:48+09:00
2017-09-14T00:00:00+09:00
JVNDB-2017-000225
Cybozu Office fails to restrict access permissions
Cybozu Office provided by Cybozu, Inc. fails to restrict access permissions (CWE-284) due to an issue in the "Cabinet" function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.6.1
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A user who can log in to Cybozu Office may perform arbitrary operations on a folder that the user does not have permission to access.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1353]
https://support.cybozu.com/ja-jp/article/9811
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10857
JVN
JVN#14658424
http://jvn.jp/en/jp/JVN14658424/index.html
National Vulnerability Database (NVD)
CVE-2017-10857
https://nvd.nist.gov/vuln/detail/CVE-2017-10857
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/11] Web page was published
1
2018-03-07T11:27:30+09:00
[2018/03/07] References: Content was added
2017-10-11T14:28:17+09:00
2018-03-07T12:21:12+09:00
2017-10-11T00:00:00+09:00
JVNDB-2017-000226
HIBUN Confidential File Decryption program may insecurely load Dynamic Link Libraries
HIBUN Confidential File Decryption program provided by Hitachi Solutions, Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#58909026. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hitachi Solutions, Ltd.
HIBUN Confidential File Decryption program
cpe:/a:hitachi-solutions:confidential_file_decryption
prior to version 10.50.0.5
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the user running HIBUN Confidential File Decryption program.
[Use the latest HIBUN Confidential File Decryption program] Use the latest HIBUN Confidential File Decryption program according to the information provided by the developer.
Hitachi Solutions
HIBUN Insecure DLL Loading Vulnerability
http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10865
JVN
JVN#55516206
http://jvn.jp/en/jp/JVN55516206/index.html
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-10865
https://nvd.nist.gov/vuln/detail/CVE-2017-10865
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/11] Web page was published
1
2018-03-07T11:43:23+09:00
[2018/03/07] References: Content was added
2017-10-11T16:43:48+09:00
2018-03-07T12:12:59+09:00
2017-10-11T00:00:00+09:00
JVNDB-2017-000227
HIBUN Confidential File Decryption program may insecurely load Dynamic Link Libraries
HIBUN Confidential File Decryption program provided by Hitachi Solutions, Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#55516206. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hitachi Solutions, Ltd.
HIBUN Confidential File Decryption program
cpe:/a:hitachi-solutions:confidential_file_decryption
prior to version 10.50.0.5
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the user running HIBUN Confidential File Decryption program.
[Use the latest HIBUN Confidential File Decryption program] Use the latest HIBUN Confidential File Decryption program according to the information provided by the developer.
Hitachi Solutions
HIBUN Insecure DLL Loading Vulnerability
http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10863
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#58909026
http://jvn.jp/en/jp/JVN58909026/index.html
National Vulnerability Database (NVD)
CVE-2017-10863
https://nvd.nist.gov/vuln/detail/CVE-2017-10863
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/11] Web page was published
1
2018-03-07T10:44:16+09:00
[2018/03/07] References: Content was added
2017-10-11T16:43:44+09:00
2018-03-07T12:06:46+09:00
2017-10-11T00:00:00+09:00
JVNDB-2017-000228
Installer of HIBUN Confidential File Viewer may insecurely load Dynamic Link Libraries and invoke executable files
Installer of HIBUN Confidential File Viewer provided by Hitachi Solutions, Ltd. contains an issue with the search path for DLL/executable files, which may lead to insecurely loading Dynamic Link Libraries and invoking executable files (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hitachi Solutions, Ltd.
Hibun confidential file viewer
cpe:/a:hitachi-solutions:confidential_file_viewer
prior to version 11.20.0001
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed HIBUN Confidential File Viewer do not need to re-install the application, because this issue affects the installer only.
Hitachi Solutions
HIBUN Insecure DLL Loading Vulnerability
http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10864
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#94056834
http://jvn.jp/en/jp/JVN94056834/index.html
National Vulnerability Database (NVD)
CVE-2017-10864
https://nvd.nist.gov/vuln/detail/CVE-2017-10864
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/11] Web page was published
1
2018-03-07T11:02:58+09:00
[2018/03/07] References: Content was added
2017-10-11T16:43:46+09:00
2018-03-07T12:09:40+09:00
2017-10-11T00:00:00+09:00
JVNDB-2017-000229
Home unit KX-HJB1000 contains multiple vulnerabilities
Home unit KX-HJB1000 provided by Panasonic Corporation is a control system for a home network. Home unit KX-HJB1000 contains the multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Panasonic Corporation
Home unit KX-HJB1000 firmware
cpe:/o:panasonic:kx-hjb1000_firmware
GHX1YG 14.50
HJB1000_4.47
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
* A user with access to the affected product may view the configuration menu - CVE-2017-2131
* A user with access to the affected product may delete arbitrary files in the specific directory - CVE-2017-2132
* A user who can log in to the affected product may obtain or alter information on the product - CVE-2017-2133
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
Panasonic
Panasonic Corporation website
http://www.panasonic.com/jp/support/consumer/com/hns/homeunit/releasenote
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2133
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2131
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2132
JVN
JVN#54795166
http://jvn.jp/en/jp/JVN54795166/index.html
National Vulnerability Database (NVD)
CVE-2017-2131
https://nvd.nist.gov/vuln/detail/CVE-2017-2131
National Vulnerability Database (NVD)
CVE-2017-2132
https://nvd.nist.gov/vuln/detail/CVE-2017-2132
National Vulnerability Database (NVD)
CVE-2017-2133
https://nvd.nist.gov/vuln/detail/CVE-2017-2133
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/17] Web page was published
1
2018-03-07T11:32:21+09:00
[2018/03/07] References: Contents were added
2017-10-17T17:22:57+09:00
2018-03-07T14:24:05+09:00
2017-10-17T00:00:00+09:00
JVNDB-2017-000231
OpenAM (Open Source Edition) vulnerable to authentication bypass
OpenAM (Open Source Edition) contains an authentication bypass vulnerability. Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Open Source Solution Technology Corporation
OpenAM
cpe:/a:open_source_solution_technology:openam
(Open Source Edition)
Medium
6
AV:N/AC:M/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
A user may bypass login authentication and access contents for which permissions are not granted.
[Apply the Patch] A patch for this vulnerability has been released by Open Source Solution Technology Corporation. Apply the patch according to the information provided by Open Source Solution Technology Corporation.
GitHub
Fix Session Upgrade bypass at SAML IdP
https://github.com/osstech-jp/openam/commit/3a27ed18e2b3e468a85a0ff7965d2c1f769ea9c6
OGIS-RI Co.,Ltd.
Information from OGIS-RI Co.,Ltd.
http://jvn.jp/en/jp/JVN79546124/996125/index.html
Open Source Solution Technology Corporation
Notice of OpenAM security vulnerability and product updates [AM20171101-1]
https://www.osstech.co.jp/support/am2017-2-1-en
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10873
JVN
JVN#79546124
http://jvn.jp/en/jp/JVN79546124/index.html
National Vulnerability Database (NVD)
CVE-2017-10873
https://nvd.nist.gov/vuln/detail/CVE-2017-10873
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/01] Web page was published
1
2018-03-14T11:18:25+09:00
[2018/03/14] References: Content was added
2017-11-01T15:36:34+09:00
2018-03-14T14:03:53+09:00
2017-11-01T00:00:00+09:00
JVNDB-2017-000232
Wi-Fi STATION L-02F vulnerable to buffer overflow
Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. contains a buffer overflow vulnerability. Daisuke Makita and Hayato Ushimaru of National Institute of Information and Communications Technology, Jumpei Shimamura of clwit, Inc. and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NTT DOCOMO, INC.
Wi-Fi STATION L-02F
cpe:/h:nttdocomo:wi-fi_station_l-02f
Software version L02F-MDM9625-V10h-JUN-23-2017-DCM-JP and earlier
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Receiving crafted packets sent by a remote attacker may cause a buffer overflow condition. As a result, the attacker may execute arbitrary code with root privileges.
[Apply an Update] Apply the update according to the information provided by the provider.
NTT docomo
NTT DOCOMO, INC. website
https://www.nttdocomo.co.jp/info/notice/page/170710_01_m.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10871
IPA SECURITY ALERTS
Security Alert for Vulnerability in Wi-Fi STATION L-02F (JVN#23367475)
https://www.ipa.go.jp/security/ciadr/vul/20171106-jvn.html
JVN
JVN#23367475
https://jvn.jp/en/jp/JVN23367475/index.html
National Vulnerability Database (NVD)
CVE-2017-10871
https://nvd.nist.gov/vuln/detail/CVE-2017-10871
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/06] Web page was published
1
2018-03-07T13:58:59+09:00
[2018/03/07] References: Content was added
2017-11-06T13:48:02+09:00
2018-03-07T14:00:59+09:00
2017-11-06T00:00:00+09:00
JVNDB-2017-000233
I-O DATA LAN DISK Connect vulnerable to denial-of-service (DoS)
LAN DISK Connect provided by I-O DATA DEVICE, INC. contains a denial-of-service (DoS) vulnerability (CWE-119) due to a flaw in processing certain packets. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
LAN DISK Connect
cpe:/h:i-o_data_device:lan_disk_connect
Ver2.02 and earlier
Low
3.3
AV:A/AC:L/Au:N/C:N/I:N/A:P
Low
3.5
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Receiving a specially crafted packet may result in a denial-of-service (DoS) condition.
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2017/ld-connect/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10875
JVN
JVN#87886530
https://jvn.jp/en/jp/JVN87886530/index.html
National Vulnerability Database (NVD)
CVE-2017-10875
https://nvd.nist.gov/vuln/detail/CVE-2017-10875
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/06] Web page was published
1
2018-03-07T11:29:15+09:00
[2018/03/07] References: Content was added
2017-11-06T13:48:04+09:00
2018-03-07T14:01:00+09:00
2017-11-06T00:00:00+09:00
JVNDB-2017-000234
Installer of HYPER SBI may insecurely load Dynamic Link Libraries
HYPER SBI provided by SBI SECURITIES Co.,Ltd. is a trading tool. Installer of HYPER SBI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SBI SECURITIES Co.,Ltd.
HYPER SBI
cpe:/a:sbisec:hyper_sbi
Ver. 2.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Users who have already installed HYPER SBI do not need to re-install the application, because this issue affects the installer only. According to the developer, existing users who update using the newest installer will need to perform data migration in advance. For more information, refer to the information provided by the developer.
SBI
SBI SECURITIES Co.,Ltd. website
http://search.sbisec.co.jp/v2/popwin/tools/hyper/pop4040_hedownlord.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10885
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10885
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#71284826
https://jvn.jp/en/jp/JVN71284826/index.html
National Vulnerability Database (NVD)
CVE-2017-10885
https://nvd.nist.gov/vuln/detail/CVE-2017-10885
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/09] Web page was published
1
2018-03-07T11:24:01+09:00
[2018/03/07] References: Content was added
2017-11-09T12:29:49+09:00
2018-03-07T14:01:02+09:00
2017-11-09T00:00:00+09:00
JVNDB-2017-000235
CS-Cart Japanese Edition vulnerable to cross-site scripting
CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site scripting vulnerability (CWE-79). Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Simtech Ltd.
CS-Cart
cpe:/a:misc:simtech_ltd_cs-cart
Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3)
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Frogman Office
Frogman Office Inc. website
http://tips.cs-cart.jp/fix-jvn-29602086.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10886
JVN
JVN#29602086
https://jvn.jp/en/jp/JVN29602086/index.html
National Vulnerability Database (NVD)
CVE-2017-10886
https://nvd.nist.gov/vuln/detail/CVE-2017-10886
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/13] Web page was published
2017-11-13T15:30:00+09:00
2018-03-07T13:36:12+09:00
2017-11-13T00:00:00+09:00
JVNDB-2017-000236
WordPress plugin "TablePress" vulnerable to improper restriction of XML external entity (XXE) references
The WordPress plugin "TablePress" is a plugin to create and manage tables on a WordPress site. TablePress contains a vulnerability where XML external entity (XXE) references are not properly restricted (CWE-611). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
tablepress.org
TablePress
cpe:/a:tablepress:tablepress
prior to version 1.8.1
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
An arbitrary file on the server may be accessed by users who can access the configuration page of the plugin (users with Author or higher role).
[Update the plugin] Update the plugin according to the information provided by the developer.
TablePress
TablePress - WordPress Plugins - Changelog
https://wordpress.org/plugins/tablepress/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10889
JVN
JVN#05398317
https://jvn.jp/en/jp/JVN05398317/index.html
National Vulnerability Database (NVD)
CVE-2017-10889
https://nvd.nist.gov/vuln/detail/CVE-2017-10889
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/14] Web page was published
1
2018-03-07T10:53:28+09:00
[2018/03/07] References: Content was added
2017-11-14T13:26:45+09:00
2018-03-07T13:36:11+09:00
2017-11-14T00:00:00+09:00
JVNDB-2017-000237
Multiple vulnerabilities in BOOK WALKER for Windows/Mac
BOOK WALKER for Windows/Mac provided by BOOK WALKER Co.,Ltd. are applications to view e-books. The installer of BOOK WALKER for Windows contains a vulnerability, which may lead to insecurely loading Dynamic Link Libraries. Also BOOK WALKER for Windows/Mac contain a vulnerability which may lead to information disclosure as a result of reading a specially crafted file. * DLL preloading vulnerability (CWE-427) - CVE-2017-10887 * Information disclosure vulnerability (CWE-200) - CVE-2017-10888 Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BOOK WALKER Co.,Ltd.
BOOK WALKER
cpe:/a:bookwalker:book_walker
for Mac Ver.1.2.5 and earlier (CVE-2017-10888)
for Windows Ver.1.2.9 and earlier (CVE-2017-10887, CVE-2017-10888)
High
7.1
AV:N/AC:M/Au:N/C:P/I:N/A:N
Medium
5.5
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
* Arbitrary code may be executed with the privilege of the user invoking the installer. - CVE-2017-10887 * An arbitrary local file may be read by an attacker, which may result in information disclosure. - CVE-2017-10888
Solution for CVE-2017-10887: [Use the latest installer] When installing BOOK WALKER for Windows for the first time, be sure to use the latest installer according to the information provided by the developer. Solution for CVE-2017-10888: [Update the software] Update to the latest version according to the information provided by the developer.
BOOK WALKER
BOOK WALKER Co.,Ltd. website
https://bookwalker.jp/info/message20171113_pc_app/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10887
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10888
JVN
JVN#18420340
http://jvn.jp/en/jp/JVN18420340/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2017-10887
https://nvd.nist.gov/vuln/detail/CVE-2017-10887
National Vulnerability Database (NVD)
CVE-2017-10888
https://nvd.nist.gov/vuln/detail/CVE-2017-10888
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/14]\n Web page was published
1
2018-03-07T10:43:37+09:00
[2018/03/07]\n References : Content was added
2017-11-14T15:19:38+09:00
2018-03-07T13:36:09+09:00
2017-11-14T00:00:00+09:00
JVNDB-2017-000238
Robotic appliance COCOROBO vulnerable to session management
Robotic appliance COCOROBO provided by Sharp Corporation is a robot with cleaning function. Robotic appliance COCOROBO contains a vulnerability in session management (CWE-639). Kiyotaka ATSUMI of IoT Technology Laboratory, Cyber Grid Japan, LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sharp Corporation
RX-CLV1-P firmware
cpe:/o:sharp:rx-clv1-p_firmware
versions prior to 79.17.17.09
Sharp Corporation
RX-CLV2-B firmware
cpe:/o:sharp:rx-clv2-b_firmware
versions prior to 89.07.17.09
Sharp Corporation
RX-CLV3-N firmware
cpe:/o:sharp:rx-clv3-n_firmware
versions prior to 91.09.17.10
Sharp Corporation
RX-V100 firmware
cpe:/o:sharp:rx-v100_firmware
versions prior to 03.29.17.09
Sharp Corporation
RX-V200 firmware
cpe:/o:sharp:rx-v200_firmware
versions prior to 09.87.17.09
Medium
4.3
AV:A/AC:M/Au:N/C:P/I:P/A:N
Medium
4.6
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
An attacker on the same LAN may impersonate a user to access the product. As a result, there is a possibility that an arbitrary operation may be conducted or information may be altered/disclosed.
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
Sharp Corporation
Sharp Corporation website
http://www.sharp.co.jp/cocorobo/manual/firmware.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10890
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10890
JVN
JVN#76382932
http://jvn.jp/en/jp/JVN76382932/index.html
National Vulnerability Database (NVD)
CVE-2017-10890
https://nvd.nist.gov/vuln/detail/CVE-2017-10890
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/16]\n Web page was published
1
2018-03-14T10:23:50+09:00
[2018/03/14]\n References : Content was added
2017-11-16T14:03:31+09:00
2018-03-14T14:09:17+09:00
2017-11-16T00:00:00+09:00
JVNDB-2017-000239
The installer of Media Go and Music Center for PC may insecurely load Dynamic Link Libraries
Media Go and Music Center for PC provided by Sony Group are file management tools. The installers of Media Go and Music Center for PC contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. and Shun Suzaki reported the CVE-2017-10891 vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Video & Sound Products Inc.
Media Go
cpe:/a:sony:media-go
version 3.2.0.191 and earlier (CVE-2017-10891)
Sony Video & Sound Products Inc.
Music Center
cpe:/a:sony:music_center
for PC version 1.0.00 (CVE-2017-10892)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
Solution for Media Go: [Do not install Media Go] Do not install Media Go because there are no countermeasures provided by the developer against this vulnerability. According to the developer, existing users are not affected by this vulnerability. However the developer states that it is recommended to use Media Center for PC instead because distribution of Media Go will be ended at the end of December 2017. Solution for Music Center for PC: [Use the latest installer] Use the latest installer according to the information provided by the developer. When installing "Music Center for PC", be sure to check there are no suspicious files in the directory where the installer resides. According to the developer, existing users are not affected by this vulnerability. However the developer states that users are recommended to update Music Center for PC to the latest version using the latest installer because the updated version also contains fixes for other bugs.
Sony Video & Sound Products Inc.
Sony Video & Sound Products Inc. website (in Japanese)
http://www.sony.net/smc4pc/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10891
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10892
JVN
JVN#08517069
http://jvn.jp/en/jp/JVN08517069/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2017-10891
https://nvd.nist.gov/vuln/detail/CVE-2017-10891
National Vulnerability Database (NVD)
CVE-2017-10892
https://nvd.nist.gov/vuln/detail/CVE-2017-10892
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/21]\n Web page was published\n[2017/12/13]\n Solution was modified
1
2018-03-14T12:30:33+09:00
[2018/03/14]\n References : Contents were added
2017-11-21T15:40:04+09:00
2018-03-14T14:25:18+09:00
2017-11-21T00:00:00+09:00
JVNDB-2017-000240
PWR-Q200 vulnerable to DNS cache poisoning attacks
PWR-Q200 provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is a mobile WiFi router. PWR-Q200 is vulnerable to DNS cache poisoning attacks as DNS queries are done with a fixed source port (CWE-330). Toshifumi Sakaguchi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
PWR-Q200
cpe:/a:ntt_east:pwr-q200
all firmware versions
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
The DNS responses spoofed by a remote attacker may result in any device on the LAN being led to a malicious server.
[Do not use PWR-Q200] Stop using PWR-Q200 since PWR-Q200 is no longer supported. The developer recommends configuring devices in the LAN to use the upstream ISP's DNS server. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone East Corporation
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION website
http://web116.jp/shop/hikari_p/q200/q200_00.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10874
JVN
JVN#73141967
https://jvn.jp/en/jp/JVN73141967/index.html
National Vulnerability Database (NVD)
CVE-2017-10874
https://nvd.nist.gov/vuln/detail/CVE-2017-10874
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/22]\n Web page was published
1
2018-03-14T11:09:01+09:00
[2018/03/14]\n References : Content was added
2017-11-22T13:51:15+09:00
2018-03-14T14:19:52+09:00
2017-11-22T00:00:00+09:00
JVNDB-2017-000241
Multiple vulnerabilities in Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1
Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1 provided by Princeton Ltd. is a Wi-Fi storage. Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1 contains multiple vulnerabilities listed below. * Improper Access Restriction (CWE-284) - CVE-2017-10900 * Buffer Overflow (CWE-119) - CVE-2017-10901 * OS Command Injection (CWE-78) - CVE-2017-10902 * Improper Authentication (CWE-287) - CVE-2017-10903 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Princeton Ltd.
PTW-WMS1 firmware
cpe:/o:princeton:ptw-wms1_firmware
version 2.000.012
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* A remote attacker may access the shared disk connected to the device, and then obtain or delete information in the disk. - CVE-2017-10900 * Receiving a specially crafted packet from a remote attacker may result in a denial-of-service (DoS) condition. - CVE-2017-10901 * A remote attacker may log in to the device and execute an arbitrary OS command. - CVE-2017-10902 * A remote attacker may log in to the device with the root privilege and conduct arbitrary operations. - CVE-2017-10903
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
Princeton
Princeton Ltd. website
http://www.princeton.co.jp/news/2016/12/201612271100.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10902
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10902
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10903
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10903
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10900
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10901
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10901
IPA SECURITY ALERTS
Security Alert for Vulnerability in Digizo ShAirDisk (JVN#98295787)
https://www.ipa.go.jp/security/ciadr/vul/20171130-1-jvn.html
JVN
JVN#98295787
https://jvn.jp/en/jp/JVN98295787/index.html
National Vulnerability Database (NVD)
CVE-2017-10900
https://nvd.nist.gov/vuln/detail/CVE-2017-10900
National Vulnerability Database (NVD)
CVE-2017-10901
https://nvd.nist.gov/vuln/detail/CVE-2017-10901
National Vulnerability Database (NVD)
CVE-2017-10902
https://nvd.nist.gov/vuln/detail/CVE-2017-10902
National Vulnerability Database (NVD)
CVE-2017-10903
https://nvd.nist.gov/vuln/detail/CVE-2017-10903
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/30]\n Web page was published
1
2018-03-14T09:55:51+09:00
[2018/03/14]\n References : Contents were added
2017-11-30T15:45:17+09:00
2018-03-14T14:13:52+09:00
2017-11-30T00:00:00+09:00
JVNDB-2017-000242
StreamRelay.net.exe and sDNSProxy.exe vulnerable to denial-of-service (DoS)
StreamRelay.net.exe and sDNSProxy.exe fail to properly process ICMP Port Unreachable messages (CWE-703). Tomoki Sanaki reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Tomoki Sanaki coordinated under the Information Security Early Warning Partnership.
Tomoki Sanaki
sDNSProxy.exe
cpe:/a:rocketeer.dip:sdnsproxy
ver1.1.0.0 and earlier (CVE-2017-10895)
Tomoki Sanaki
StreamRelay.NET.exe
cpe:/a:rocketeer.dip:streamrelay_net
ver2.14.0.7 and earlier (CVE-2017-10894)
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A remote attacker may be able to cause a denial-of-service (DoS) condition.
[Update the Software] Update to the latest version according to the information provided by the developer.
sanaki's Freesoft
StreamRelay.Net.exe
http://rocketeer.dip.jp/sanaki/free/free119.htm
sanaki's Freesoft
sDnsProxy.exe
http://rocketeer.dip.jp/sanaki/free/free135.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10895
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10894
JVN
JVN#71291160
https://jvn.jp/en/jp/JVN71291160/index.html
National Vulnerability Database (NVD)
CVE-2017-10894
https://nvd.nist.gov/vuln/detail/CVE-2017-10894
National Vulnerability Database (NVD)
CVE-2017-10895
https://nvd.nist.gov/vuln/detail/CVE-2017-10895
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/29]\n Web page was published
1
2018-03-14T10:37:15+09:00
[2018/03/14]\n References : Contents were added
2017-11-29T14:54:28+09:00
2018-03-14T14:26:09+09:00
2017-11-29T00:00:00+09:00
JVNDB-2017-000243
Movable Type plugin A-Member and A-Reserve vulnerable to SQL injection
A-Member and A-Reserve provided by ARK-Web co., ltd. are plugins for Movable Type which provide functions to build a membership website or a reservation website. A-Member and A-Reserve contain an SQL injection (CWE-89) vulnerability due to an issue in processing cookie values. Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ARK-Web co., ltd
A-Member
cpe:/a:ark-web:a-member
3.8.6 and earlier (CVE-2017-10898)
for MT cloud 3.8.6 and earlier (CVE-2017-10898)
ARK-Web co., ltd
A-Reserve
cpe:/a:ark-web:a-reserve
3.8.6 and earlier (CVE-2017-10899)
for MT cloud 3.8.6 and earlier (CVE-2017-10899)
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
An attacker who can access the web page created by using either A-Member or A-Reserve may obtain or alter information stored in the database.
[Update the Software] Apply the latest version for the appropriate plugin according to the information provided by the developer.
Movable Type
ARK-Web co., ltd. website
https://www.ark-web.jp/movabletype/blog/2017/11/a-member_387_a-reserve_387.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10898
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10899
IPA SECURITY ALERTS
Security Alert for Vulnerability in Movable Type plugin A-Member and A-Reserve (JVN#78501037)
https://www.ipa.go.jp/security/ciadr/vul/20171130-2-jvn.html
JVN
JVN#78501037
https://jvn.jp/en/jp/JVN78501037/index.html
National Vulnerability Database (NVD)
CVE-2017-10898
https://nvd.nist.gov/vuln/detail/CVE-2017-10898
National Vulnerability Database (NVD)
CVE-2017-10899
https://nvd.nist.gov/vuln/detail/CVE-2017-10899
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/30]\n Web page was published
1
2018-03-14T10:09:30+09:00
[2018/03/14]\n References : Contents were added
2017-11-30T15:50:07+09:00
2018-03-14T14:20:48+09:00
2017-11-30T00:00:00+09:00
JVNDB-2017-000244
Multiple vulnerabilities in multiple Buffalo broadband routers
BBR-4HG and BBR-4MG provided by BUFFALO INC. are wireless LAN routers. BBR-4HG and BBR-4MG contain multiple vulnerabilities listed below. * Cross-site Scripting (CWE-79) - CVE-2017-10896 * Improper Input Validation (CWE-20) - CVE-2017-10897 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
BUFFALO BBR-4HG
cpe:/h:buffalo_inc:bbr-4hg
firmware 1.00 to 1.48
firmware 2.00 to 2.07
BUFFALO INC.
BUFFALO BBR-4MG
cpe:/h:buffalo_inc:bbr-4mg
firmware 1.00 to 1.48
firmware 2.00 to 2.07
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The possible impact of each vulnerability is as follows: * An arbitrary script may be executed on the user's web browser if a logged-in user accesses a specially crafted page - CVE-2017-10896 * The device may become unresponsive if an improper input value is set in the administrative page - CVE-2017-10897
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20171201.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10896
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10896
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10897
JVN
JVN#65994435
https://jvn.jp/en/jp/JVN65994435/index.html
National Vulnerability Database (NVD)
CVE-2017-10896
https://nvd.nist.gov/vuln/detail/CVE-2017-10896
National Vulnerability Database (NVD)
CVE-2017-10897
https://nvd.nist.gov/vuln/detail/CVE-2017-10897
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/01]\n Web page was published
1
2018-03-14T12:22:16+09:00
[2018/03/14]\n References : Contents were added
2017-12-01T16:17:55+09:00
2018-03-14T14:15:14+09:00
2017-12-01T00:00:00+09:00
JVNDB-2017-000245
The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries
The installer of The Public Certification Service for Individuals "The JPKI user's software" provided by Japan Agency for Local Authority Information Systems (J-LIS) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#91002412 and JVN#39605485. BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Japan Agency for Local Authority Information Systems
The Public Certification Service for Individuals "The JPKI user's software"
cpe:/a:j-lis:the_public_certification_service_for_individuals
Ver3.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer of The Public Certification Service for Individuals "The JPKI user's software"] Apply the patch "KB2533623" on Windows 7 and then use the latest installer of The Public Certification Service for Individuals "The JPKI user's software", according to the information provided by the developer. Users who already have installed The Public Certification Service for Individuals "The JPKI user's software" do not need to re-install the application, because this issue affects the installer only.
J-LIS
JPKI Client Software for Windows download
https://www.jpki.go.jp/download/win.html#dl
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10893
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#30352845
http://jvn.jp/en/jp/JVN30352845/index.html
National Vulnerability Database (NVD)
CVE-2017-10893
https://nvd.nist.gov/vuln/detail/CVE-2017-10893
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/06]\n Web page was published
1
2018-03-14T12:20:24+09:00
[2018/03/14]\n References : Content was added
2017-12-06T14:42:03+09:00
2018-03-14T14:07:55+09:00
2017-12-06T00:00:00+09:00
JVNDB-2017-000246
Qt for Android vulnerable to OS command injection
Qt for Android provided by The Qt Company contains an OS command injection vulnerability (CWE-78). Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Qt Company
Qt
cpe:/a:qt:qt
for Android prior to 5.9.0
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
High
7.5
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
A remote attacker may execute an arbitrary OS command.
[Update the Software] Update to the latest version of software according to the information provided by the developer. [Apply the Patch] Patches have been released for Qt for Android 5.7 and 5.8. For more information, refer to the information provided by the developer.
Qt
Security advisory about Qt for Android
https://blog.qt.io/blog/2017/11/22/security-advisory-qt-android/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10904
JVN
JVN#67389262
https://jvn.jp/en/jp/JVN67389262/index.html
National Vulnerability Database (NVD)
CVE-2017-10904
https://nvd.nist.gov/vuln/detail/CVE-2017-10904
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/11]\n Web page was published
1
2018-03-14T12:16:12+09:00
[2018/03/14]\n References : Content was added
2017-12-11T13:40:00+09:00
2018-03-14T13:48:52+09:00
2017-12-11T00:00:00+09:00
JVNDB-2017-000247
Qt for Android environment variables alteration
Qt for Android contains an information alteration vulnerability. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
The Qt Company
Qt
cpe:/a:qt:qt
for Android prior to 5.9.3
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Medium
5.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
A remote attacker may alter environment variables of the apps created using Qt. As a result, arbitrary code may be executed.
[Update the Software] Update to the latest version of software according to the information provided by the developer. [Apply the Patch] Patches have been released for Qt for Android 5.7 and 5.8. For more information, refer to the information provided by the developer.
Qt
Security advisory about Qt for Android
https://blog.qt.io/blog/2017/11/22/security-advisory-qt-android/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10905
JVN
JVN#27342829
https://jvn.jp/en/jp/JVN27342829/index.html
National Vulnerability Database (NVD)
CVE-2017-10905
https://nvd.nist.gov/vuln/detail/CVE-2017-10905
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/11]\n Web page was published
1
2018-03-14T12:11:30+09:00
[2018/03/14]\n References : Content was added
2017-12-11T13:40:02+09:00
2018-03-14T13:44:43+09:00
2017-12-11T00:00:00+09:00
JVNDB-2017-000248
OneThird CMS vulnerable to directory traversal
OneThird CMS provided by SpiQe Software is a Contents Management System (CMS). OneThird CMS contains a directory traversal vulnerability (CWE-22). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SpiQe Software
OneThird CMS
cpe:/a:spiqe:onethird
Show Off v1.85 and earlier
Show Off v1.85 en and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
An authenticated attacker with editing privileges may delete arbitrary files on the server.
[Update the Software] Update to the latest version of software according to the information provided by the developer.
SpiQe Software
SpiQe Software website
https://onethird.net/en/p1307.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10907
JVN
JVN#93333702
http://jvn.jp/en/jp/JVN93333702/index.html
National Vulnerability Database (NVD)
CVE-2017-10907
https://nvd.nist.gov/vuln/detail/CVE-2017-10907
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/19]\n Web page was published
1
2018-04-04T11:01:59+09:00
[2018/04/04]\n References : Content was added
2017-12-19T13:48:37+09:00
2018-04-04T13:58:51+09:00
2017-12-19T00:00:00+09:00
JVNDB-2017-000249
Multiple vulnerabilities in H2O
H2O is an open source web server software. H2O contains multiple vulnerabilities listed below. * A Denial-of-service (DoS) due to a flaw in processing HTTP/1 header (CWE-20) - CVE-2017-10868 * Stack-based buffer overflow (CWE-121) - CVE-2017-10869 * A Denial-of-service (DoS) due to a flaw in outputting of the access log (CWE-118) - CVE-2017-10872 * A Denial-of-service (DoS) due to a flaw in processing HTTP/2 header (CWE-20) - CVE-2017-10908 Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated under the Information Security Early Warning Partnership.
Kazuho Oku
H2O
cpe:/a:h2o_project:h2o
version 2.2.2 and earlier (CVE-2017-10868, CVE-2017-10869)
version 2.2.3 and earlier (CVE-2017-10872, CVE-2017-10908)
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
A denial-of-service (DoS) attack to a server may be conducted by an unauthenticated remote attacker.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
fix crash when handling malformed HTTP/2 request (CVE-2017-10908) #1544
https://github.com/h2o/h2o/issues/1544
GitHub
fix crash when receiving request with invalid framing (CVE-2017-10868) #1459
https://github.com/h2o/h2o/issues/1459
GitHub
fix stack overflow when sending huge request body to upstream (CVE-2017-10869) #1460
https://github.com/h2o/h2o/issues/1460
GitHub
fix crash when logging TLS 1.3 properties (CVE-2017-10872) #1543
https://github.com/h2o/h2o/issues/1543
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10868
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10869
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10872
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10908
JVN
JVN#84182676
http://jvn.jp/en/jp/JVN84182676/index.html
National Vulnerability Database (NVD)
CVE-2017-10872
https://nvd.nist.gov/vuln/detail/CVE-2017-10872
National Vulnerability Database (NVD)
CVE-2017-10908
https://nvd.nist.gov/vuln/detail/CVE-2017-10908
National Vulnerability Database (NVD)
CVE-2017-10868
https://nvd.nist.gov/vuln/detail/CVE-2017-10868
National Vulnerability Database (NVD)
CVE-2017-10869
https://nvd.nist.gov/vuln/detail/CVE-2017-10869
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/18]\n Web page was published
1
2018-04-04T10:23:42+09:00
[2018/04/04]\n References : Contents were added
2017-12-18T15:17:46+09:00
2018-04-04T13:49:44+09:00
2017-12-18T00:00:00+09:00
JVNDB-2017-000250
The installer of Music Center for PC may insecurely load Dynamic Link Libraries
Music Center for PC provided by Sony Video & Sound Products Inc. is a file management tool. The installer of Music Center for PC contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#08517069. DigiGnome(@biz4g) reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Video & Sound Products Inc.
Music Center
cpe:/a:sony:music_center
for PC version 1.0.01 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Windows 7 users who intend to install Music Center for PC should use the latest installer according to the information provided by the developer. Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. According to the developer, existing users are not affected by this vulnerability. However the developer states that users are recommended to update Music Center for PC to the latest version using the latest installer because the updated version also contains fixes for other bugs.
Sony Video & Sound Products Inc.
Sony Video & Sound Products Inc. website
http://www.sony.net/smc4pc/
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10909
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#60695371
http://jvn.jp/en/jp/JVN60695371/index.html
National Vulnerability Database (NVD)
CVE-2017-10909
https://nvd.nist.gov/vuln/detail/CVE-2017-10909
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/22]\n Web page was published
1
2018-04-04T10:46:06+09:00
[2018/04/04]\n References : Content was added
2017-12-22T15:50:12+09:00
2018-04-04T13:53:53+09:00
2017-12-22T00:00:00+09:00
JVNDB-2017-000251
The installer of Content Manager Assistant for PlayStation may insecurely load Dynamic Link Libraries
Content Manager Assistant for PlayStation provided by Sony Interactive Entertainment Inc. is a data transfer tool. The installer of Content Manager Assistant for PlayStation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Shun Suzaki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Interactive Entertainment inc.
Content Manager Assistant
cpe:/a:sony:content_manager_assistant
for PlayStation version 3.55.7671.0901 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. When executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. Users who already have installed Content Manager Assistant for PlayStation do not need to re-install the application, because this issue affects the installer only.
Sony Interactive Entertainment Inc.
Sony Interactive Entertainment Inc. website
http://cma.dl.playstation.net/cma/win/en/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-17010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17010
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#95423049
http://jvn.jp/en/jp/JVN95423049/index.html
National Vulnerability Database (NVD)
CVE-2017-17010
https://nvd.nist.gov/vuln/detail/CVE-2017-17010
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/22] Web page was published
1
2018-04-04T11:28:11+09:00
[2018/04/04] References: Content was added
2017-12-22T15:50:10+09:00
2018-04-04T14:04:29+09:00
2017-12-22T00:00:00+09:00
JVNDB-2017-000252
MQTT.js issue in handling PUBLISH packets
MQTT.js is a client library for MQTT. MQTT.js contains an issue in handling PUBLISH packets sent from an MQTT Broker. Masataka Sakaguchi, Bintatsu Noda and Hisashi Kojima of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
MQTT.js
MQTT.js
cpe:/a:mqtt.js_project:mqtt.js
2.x.x prior to 2.15.0
Medium
4
AV:N/AC:L/Au:S/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Receiving a large number of packets from an MQTT broker may result in a denial-of-service (DoS) condition.
[Update MQTT.js and rebuild the application] Developers of applications that use MQTT.js should update MQTT.js and re-build the application.
GitHub
Release v2.15.0
https://github.com/mqttjs/MQTT.js/releases/tag/v2.15.0
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10910
JVN
JVN#45494523
http://jvn.jp/en/jp/JVN45494523/index.html
National Vulnerability Database (NVD)
CVE-2017-10910
https://nvd.nist.gov/vuln/detail/CVE-2017-10910
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/25] Web page was published
1
2018-04-04T11:08:53+09:00
[2018/04/04] References: Content was added
2017-12-25T14:00:28+09:00
2018-04-04T14:02:15+09:00
2017-12-25T00:00:00+09:00
JVNDB-2017-001053
Mis-configuration of Apache Velocity template engine used to send emails in GigaCC OFFICE
GigaCC OFFICE provided by WAM!NET Japan K.K. contains a mis-configuration of the Apache Velocity template engine, which is used to send emails. WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and WAM!NET Japan K.K. coordinated under the Information Security Early Warning Partnership. Dongjoo Ha and Heaeun Moon of NSHC Pre., Ltd. Masaki Yoshikawa of Recruit Technologies Co., Ltd.
WAM!NET Japan K.K.
GigaCC OFFICE
cpe:/a:gigaccsecure:gigacc_office
ver.2.3 and earlier
Medium
6
AV:N/AC:M/Au:S/C:P/I:P/A:P
Medium
5.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Sending emails using a specially crafted mail template may result in an arbitrary OS command being executed on the server.
[Update to the latest version and then apply a patch] Update to GigaCC OFFICE ver.2.3 and then apply an appropriate patch according to the information provided by the developer.
Apache Velocity
SecureUberspector (Apache Velocity 2.0-SNAPSHOT API)
https://velocity.apache.org/engine/devel/apidocs/org/apache/velocity/util/introspection/SecureUberspector.html
WAM!NET Japan K.K.
Notification of vulnerabilities in GigaCC OFFICE
https://asp.gigacc.com/user/~pg/9qbnmp2qetc5u9vc8crqbl804s
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7844
JVN
JVNVU#91417143
http://jvn.jp/en/vu/JVNVU91417143
National Vulnerability Database (NVD)
CVE-2016-7844
https://nvd.nist.gov/vuln/detail/CVE-2016-7844
0
2018-02-17T10:37:53+09:00
[2017/01/23] Web page was published
1
2018-02-28T10:29:37+09:00
[2018/02/28] References: Content was added
2017-01-23T17:57:15+09:00
2018-02-28T11:35:03+09:00
2017-01-19T00:00:00+09:00
JVNDB-2017-001054
Arbitrary file upload vulnerability in GigaCC OFFICE
GigaCC OFFICE provided by WAM!NET Japan K.K. contains a vulnerability where arbitrary files may be uploaded. WAM!NET Japan K.K. and the following people reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and WAM!NET Japan K.K. coordinated under the Information Security Early Warning Partnership. Dongjoo Ha and Heaeun Moon of NSHC Pre., Ltd. Masaki Yoshikawa of Recruit Technologies Co.,Ltd.
WAM!NET Japan K.K.
GigaCC OFFICE
cpe:/a:gigaccsecure:gigacc_office
ver.2.3 and earlier
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:N/A:P
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
An arbitrary file can be uploaded as a profile image file by a user, which may be used for unauthorized file sharing.
[Update to the latest version and apply Patch 1, and then apply an update module] Update to GigaCC OFFICE ver.2.4 and apply Patch 1, and then apply an update module according to the information provided by the developer.
WAM!NET Japan K.K.
Notification of vulnerabilities in GigaCC OFFICE
https://asp.gigacc.com/user/~pg/9qbnmp2qetc5u9vc8crqbl804s
Common Vulnerabilities and Exposures (CVE)
CVE-2016-7845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7845
JVN
JVNVU#91417143
http://jvn.jp/en/vu/JVNVU91417143/
National Vulnerability Database (NVD)
CVE-2016-7845
https://nvd.nist.gov/vuln/detail/CVE-2016-7845
0
2018-02-17T10:37:53+09:00
[2017/01/23] Web page was published
[2017/03/16] Solution was modified
1
2018-02-28T10:28:31+09:00
[2018/02/28] References: Content was added
2017-01-23T17:57:34+09:00
2018-02-28T11:25:37+09:00
2017-01-19T00:00:00+09:00
JVNDB-2017-002225
Cross-site Scripting Vulnerability in multiple Hitachi products
A cross-site scripting vulnerability was found in uCosminexus Portal Framework, Groupmax Collaboration, Hitachi Navigation Platform and JP1/Navigation Platform.
Hitachi, Ltd
Groupmax Collaboration Portal
cpe:/a:hitachi:groupmax_collaboration_portal
Hitachi, Ltd
Groupmax Collaboration Web Client
cpe:/a:hitachi:groupmax_collaboration_web_client
- Forum/File Sharing
Hitachi, Ltd
Groupmax Collaboration Web Client - Mail/Schedule
cpe:/a:hitachi:groupmax_collaboration_web_client_mail_schedule
Hitachi, Ltd
Hitachi Navigation Platform
cpe:/a:hitachi:hitachi_navigation_platform
for Developers
Hitachi, Ltd
JP1/Integrated Management
cpe:/a:hitachi:jp1_integrated_management
- Navigation Platform
Hitachi, Ltd
JP1/Navigation Platform
cpe:/a:hitachi:jp1_navigation_platform
for Developers
Hitachi, Ltd
uCosminexus Collaboration Portal
cpe:/a:hitachi:ucosminexus_collaboration_portal
- Forum/File Sharing
Hitachi, Ltd
uCosminexus Navigation
cpe:/a:hitachi:ucosminexus_navigation
Developer
Hitachi, Ltd
uCosminexus Navigation Platform
cpe:/a:hitachi:ucosminexus_navigation_platform
- Authoring License
- User License
Hitachi, Ltd
uCosminexus Portal Framework
cpe:/a:hitachi:ucosminexus_portal_framework
- Light
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Remote users can exploit this vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-104
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-104/index.html
0
2018-02-17T10:37:53+09:00
[2017/06/30] Web page was published
2017-06-30T15:56:53+09:00
2017-06-30T15:56:53+09:00
2017-02-17T00:00:00+09:00
JVNDB-2017-002290
Trend Micro Control Manager vulnerable to SQL injection
Trend Micro Control Manager contains multiple SQL injection vulnerabilities. This advisory refers to the vulnerabilities that are disclosed on the TippingPoint Zero Day Initiative advisories listed below. TippingPoint Zero Day Initiative http://www.zerodayinitiative.com/advisories/published/ ZDI-17-180, ZDI-17-181, ZDI-17-182, ZDI-17-183, ZDI-17-184, ZDI-17-185, ZDI-17-186
Trend Micro, Inc.
Trend Micro Control Manager
cpe:/a:trendmicro:control_manager
Version 6.0 prior to build 3506
* An unauthenticated user may access and read files stored on the server * A remote attacker may execute arbitrary code, escalate privilege or perform directory traversal attacks * A remote attacker may cause SQL injection attacks and upload/execute arbitrary code
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released Trend Micro Control Manager 6.0 Service Pack 3 Patch 2 Critical Patch (build 3506) to address these vulnerabilities.
TrendMicro Solution
Solution Id: 1116863
https://success.trendmicro.com/solution/1116863
JVN
JVNVU#91290407
http://jvn.jp/en/vu/JVNVU91290407/index.html
Related Information
ZDI-17-180
http://www.zerodayinitiative.com/advisories/ZDI-17-180/
Related Information
ZDI-17-181
http://www.zerodayinitiative.com/advisories/ZDI-17-181/
Related Information
ZDI-17-182
http://www.zerodayinitiative.com/advisories/ZDI-17-182/
Related Information
ZDI-17-183
http://www.zerodayinitiative.com/advisories/ZDI-17-183/
Related Information
ZDI-17-184
http://www.zerodayinitiative.com/advisories/ZDI-17-184/
Related Information
ZDI-17-185
http://www.zerodayinitiative.com/advisories/ZDI-17-185/
Related Information
ZDI-17-186
http://www.zerodayinitiative.com/advisories/ZDI-17-186/
Related Information
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/published/
0
2018-02-17T10:37:53+09:00
[2018/01/17] Web page was published
2018-01-17T16:15:54+09:00
2018-01-17T16:15:54+09:00
2017-04-07T00:00:00+09:00
JVNDB-2017-003108
Multiple Vulnerabilities in Hitachi IT Operations Director and JP1/IT Desktop Management
A cross-site scripting and an XML external entity (XXE) vulnerability have been found in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager.
Hitachi, Ltd
Hitachi IT Operations Director
cpe:/a:hitachi:it_operations_director
Hitachi, Ltd
Job Management Partner 1/IT Desktop Management
cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management
2 - Manager
Hitachi, Ltd
Job Management Partner 1/IT Desktop Management - Manager
cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-manager
Hitachi, Ltd
JP1/IT Desktop Management
cpe:/a:hitachi:jp1_it_desktop_management
2 - Manager
2 - Operations Director
Hitachi, Ltd
JP1/IT Desktop Management - Manager
cpe:/a:hitachi:jp1%2Fit_desktop_management-manager
High
7.5
AV:N/AC:L/Au:S/C:P/I:N/A:C
High
8.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
An attacker may conduct a cross-site scripting attack and an XML external entity (XXE) attack.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-112
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-112/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/06/30] Web page was published
2017-06-30T15:55:13+09:00
2017-06-30T15:55:13+09:00
2017-05-15T00:00:00+09:00
JVNDB-2017-004607
Deep Discovery Email Inspector vulnerable to arbitrary code execution
Deep Discovery Email Inspector provided by Trend Micro Incorporated contains an arbitrary code execution vulnerability due to an issue in uploading files. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Trend Micro, Inc.
Deep Discovery
cpe:/a:trendmicro:deep_discovery
Email Inspector Version 2.5.1 prior to Critical Patch b1182
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An unauthenticated remote attacker may upload an arbitrary file to the system where the product resides. As a result, arbitrary code may be executed with the root privilege.
[Apply the Patch] Apply the appropriate patch according to the information provided by the developer. The developer has released the patch listed below to fix this vulnerability. * Deep Discovery Email Inspector 2.5.1 Critical Patch b1182
Trend Micro
SECURITY BULLETIN: Trend Micro Deep Discovery Email Inspector (DDEI) 2.5.1 Arbitrary File Upload Remote Code Execution Vulnerability(ZDI-CAN-4427)
https://success.trendmicro.com/solution/1117093
JVN
JVNVU#95587881
http://jvn.jp/en/vu/JVNVU95587881/
Related document
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/published/
Related document
ZDI-17-283
http://zerodayinitiative.com/advisories/ZDI-17-283/
0
2018-02-17T10:37:53+09:00
[2018/01/31] Web page was published
2018-01-31T13:43:52+09:00
2018-01-31T13:43:52+09:00
2017-04-11T00:00:00+09:00
JVNDB-2017-004687
Cross-site Scripting Vulnerability in Fujitsu Interstage List Works
A cross-site scripting vulnerability has been found in the web functionality of Fujitsu Interstage List Works.
FUJITSU
Interstage List Works
cpe:/a:fujitsu:interstage_list_works
Enterprise Edition
Standard Edition
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
By creating a malicious webpage that exploits this vulnerability, an attacker could execute arbitrary code on the user's computer used to access the malicious webpage.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
FUJITSU Security Information
interstage-lw-201701
http://www.fujitsu.com/jp/products/software/resources/condition/security/products-fujitsu/solution/interstage-lw-201701.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/12] Web page was published
2018-01-12T14:58:59+09:00
2018-01-12T14:58:59+09:00
2017-07-03T00:00:00+09:00
JVNDB-2017-005137
Multiple Vulnerabilities in Hitachi Automation Director and Hitachi Infrastructure Analytics Advisor
Multiple vulnerabilities have been found in Hitachi Automation Director and Hitachi Infrastructure Analytics Advisor.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
Hitachi, Ltd
Hitachi Infrastructure Analytics Advisor
cpe:/a:hitachi:infrastructure_analytics_advisor
An attacker may conduct the attacks listed below. * Cross-site Scripting * XXE (XML External Entity) * Open Redirect
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-118
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-118/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/07/19] Web page was published
2017-07-19T15:44:33+09:00
2017-07-19T15:44:33+09:00
2017-07-18T00:00:00+09:00
JVNDB-2017-005208
gSOAP vulnerable to stack-based buffer overflow
gSOAP library provided by Genivia contains a stack-based buffer overflow (CWE-121). Processing a crafted SOAP message sent by a remote attacker may result in code execution.
Genivia
gSOAP
cpe:/a:genivia:gsoap
versions prior to 2.8.48
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Processing a crafted SOAP message sent by a remote attacker may result in code execution.
[Update to the latest version] Update to the latest version according to the information provided by the developer. The developer released gSOAP version 2.8.48 on June 21, 2017, to fix this vulnerability.
Bugzilla
Bug 1049348
https://bugzilla.suse.com/show_bug.cgi?id=1049348
Genivia
Version 2.8.48 upd (06/21/2017)
https://www.genivia.com/changelog.html#Version_2.8.48_upd_%2806/21/2017%29
Genivia
Security advisory: CVE-2017-9765 bug in certain versions of gSOAP 2.7 up to 2.8.47 (June 21, 2017)
https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_(June_21,_2017)
Red Hat Bugzilla
Bug 1472807
https://bugzilla.redhat.com/show_bug.cgi?id=1472807
Common Vulnerabilities and Exposures (CVE)
CVE-2017-9765
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9765
JVN
JVNVU#98807587
http://jvn.jp/en/vu/JVNVU98807587/index.html
National Vulnerability Database (NVD)
CVE-2017-9765
https://nvd.nist.gov/vuln/detail/CVE-2017-9765
Related document
Senrio Blog - Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions
http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
Related document
Devil's Ivy
http://blog.senr.io/devilsivy.html
0
2018-02-17T10:37:53+09:00
[2017/07/21] Web page was published
[2018/02/14] References: Content was added; Vendor Information: Content was added
2017-07-21T13:39:16+09:00
2018-02-14T13:44:01+09:00
2017-06-21T00:00:00+09:00
JVNDB-2017-005606
Multiple vulnerabilities in Deep Discovery Email Inspector
Deep Discovery Email Inspector provided by Trend Micro Incorporated contains multiple vulnerabilities. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Trend Micro, Inc.
Deep Discovery Email Inspector
cpe:/a:trendmicro:deep_discovery_email_inspector
Version 2.5.1 prior to Critical Patch 1178
The possible impacts are as follows: * A user may execute arbitrary code * A user may be able to cause a denial-of-service (DoS) condition
[Apply the Patch] Apply the appropriate patch according to the information provided by the developer. The developer has released the patch listed below to fix these vulnerabilities. * Deep Discovery Email Inspector Version 2.5.1 Critical Patch 1178
TrendMicro Solution
Solution Id: 1116750
https://success.trendmicro.com/solution/1116750
JVN
JVNVU#95303354
http://jvn.jp/en/vu/JVNVU95303354/index.html
Related Information
ZDI-17-152
http://www.zerodayinitiative.com/advisories/ZDI-17-152
Related Information
ZDI-17-153
http://www.zerodayinitiative.com/advisories/ZDI-17-153
Related Information
ZDI-17-154
http://www.zerodayinitiative.com/advisories/ZDI-17-154
Related Information
ZDI-17-155
http://www.zerodayinitiative.com/advisories/ZDI-17-155
Related Information
ZDI-17-156
http://www.zerodayinitiative.com/advisories/ZDI-17-156
Related Information
ZDI-17-157
http://www.zerodayinitiative.com/advisories/ZDI-17-157
Related Information
ZDI-17-158
http://www.zerodayinitiative.com/advisories/ZDI-17-158
Related Information
ZDI-17-151
http://www.zerodayinitiative.com/advisories/ZDI-17-151
Related Information
ZDI-17-159
http://www.zerodayinitiative.com/advisories/ZDI-17-159
0
2018-02-17T10:37:53+09:00
[2018/01/17] Web page was published
2018-01-17T16:15:56+09:00
2018-01-17T16:15:56+09:00
2017-06-29T00:00:00+09:00
JVNDB-2017-006466
Denial-of-service (DoS) Vulnerability in HiRDB
A vulnerability to denial-of-service attacks was found in HiRDB.
Hitachi, Ltd
HiRDB
cpe:/a:hitachi:hirdb
Server Version 9
Server Version 9(32)
Server with Additional Function Version 9
Server with Additional Function Version 9(32)
Hitachi, Ltd
HiRDB/Parallel Server
cpe:/a:hitachi:hirdb_parallel_server
Plus Version 8
Plus Version 8(64)
Version 8
Version 8(64)
Hitachi, Ltd
HiRDB/Single Server
cpe:/a:hitachi:hirdb_single_server
Plus Version 8
Plus Version 8(64)
Version 8
Version 8(64)
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
A vulnerability to denial-of-service attacks was found in HiRDB.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-121
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-121/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/08/28] Web page was published
[2017/09/05] CVSS Severity was modified
2017-08-28T13:46:16+09:00
2017-09-05T10:46:45+09:00
2017-08-25T00:00:00+09:00
JVNDB-2017-006769
Denial-of-service (DoS) Vulnerability in JP1 and Hitachi IT Operations Director
A vulnerability to denial-of-service attacks was found in JP1 and Hitachi IT Operations Director.
Hitachi, Ltd
Hitachi IT Operations Director
cpe:/a:hitachi:it_operations_director
Hitachi, Ltd
Job Management Partner 1/Asset Information Manager
cpe:/a:hitachi:job_management_partner_1_asset_information_manager
Embedded RDB Edition
Hitachi, Ltd
Job Management Partner 1/Automatic Job Management System 2
cpe:/a:hitachi:job_management_partner_1_automatic_job_management_system_2
- Advanced Manager
- Manager
Hitachi, Ltd
Job Management Partner 1/Automatic Job Management System 3
cpe:/a:hitachi:job_management_partner_1_automatic_job_management_system_3
- Manager
Hitachi, Ltd
Job Management Partner 1/Integrated Management
cpe:/a:hitachi:job_management_partner_1_integrated_management
- Manager
- Service Support
- Service Support Advanced Edition
Hitachi, Ltd
Job Management Partner 1/IT Desktop Management
cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management
2 - Manager
2 - Smart Device Manager
Hitachi, Ltd
Job Management Partner 1/IT Desktop Management - Manager
cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-manager
Hitachi, Ltd
Job Management Partner 1/IT Service Level Management
cpe:/a:hitachi:job_management_partner_1_it_service_level_management
- Manager
Hitachi, Ltd
Job Management Partner 1/Software Distribution Manager
cpe:/a:hitachi:job_management_partner_1_software_distribution_manager
Embedded RDB Edition
Hitachi, Ltd
JP1/Automatic Job Management System 2
cpe:/a:hitachi:jp1_automatic_job_management_system_2
- Advanced Manager
- Manager
Hitachi, Ltd
JP1/Automatic Job Management System 3
cpe:/a:hitachi:jp1_automatic_job_management_system_3
- Manager
Hitachi, Ltd
JP1/Automatic Operation
cpe:/a:hitachi:jp1_automatic_operation
Hitachi, Ltd
JP1/Integrated Management
cpe:/a:hitachi:jp1_integrated_management
- Manager
- Service Support
- Service Support Advanced Edition
- Service Support Starter Edition
Hitachi, Ltd
JP1/Integrated Manager
cpe:/a:hitachi:jp1_integrated_manager
- Incident Master
Hitachi, Ltd
JP1/IT Desktop Management
cpe:/a:hitachi:jp1_it_desktop_management
2 - Manager
2 - Operations Director
2 - Smart Device Manager
Hitachi, Ltd
JP1/IT Desktop Management - Manager
cpe:/a:hitachi:jp1%2Fit_desktop_management-manager
Hitachi, Ltd
JP1/IT Service Level Management
cpe:/a:hitachi:jp1_it_service_level_management
- Manager
Hitachi, Ltd
JP1/NETM/Asset Information Manager
cpe:/a:hitachi:jp1_netm_asset_information_manager
Embedded RDB Edition
for Blade PC
Hitachi, Ltd
JP1/NETM/DM
cpe:/a:hitachi:jp1_netm_dm
Manager
Manager Embedded RDB Edition
Hitachi, Ltd
JP1/Operations Analytics
cpe:/a:hitachi:jp1_operation_analytics
Hitachi, Ltd
JP1/Performance Analysis
cpe:/a:hitachi:jp1_performance_analysis
- Manager
Hitachi, Ltd
JP1/Performance Management
cpe:/a:hitachi:jp1_performance_management
- Analysis Manager
Hitachi, Ltd
JP1/ServerConductor/Control Manager
cpe:/a:hitachi:jp1_serverconductor_control_manager
Hitachi, Ltd
JP1/Service Level Management
cpe:/a:hitachi:jp1_service_level_management
- Manager
Hitachi, Ltd
JP1/Service Support
cpe:/a:hitachi:jp1_service_support
Starter Edition
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
An attacker may conduct denial-of-service attacks.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-122
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-122/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/04] Web page was published
[2017/09/05] CVSS Severity was modified
2017-09-04T12:14:04+09:00
2017-09-05T10:46:47+09:00
2017-09-01T00:00:00+09:00
JVNDB-2017-007422
InterScan Web Security Virtual Appliance vulnerable to code injection
InterScan Web Security Virtual Appliance provided by Trend Micro Incorporated contains a code injection vulnerability.
Trend Micro, Inc.
TrendMicro InterScan Web Security Virtual Appliance
cpe:/a:trendmicro:interscan_web_security_virtual_appliance
6.5 and earlier
Critical
9
AV:N/AC:L/Au:S/C:C/I:C/A:C
High
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Arbitrary code may be executed by a user who is logged in to the management screen of the product as an administrator.
[Apply the Patch] Apply the patch according to the information provided by the developer.
Trend Micro
SECURITY BULLETIN: Trend Micro InterScan Web Security Virtual Appliance 6.5 Multiple Vulnerabilities
https://success.trendmicro.com/solution/1117412
Common Vulnerabilities and Exposures (CVE)
CVE-2017-11396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11396
JVN
JVNVU#90447827
http://jvn.jp/en/vu/JVNVU90447827/index.html
National Vulnerability Database (NVD)
CVE-2017-11396
https://nvd.nist.gov/vuln/detail/CVE-2017-11396
0
2018-02-17T10:37:53+09:00
[2017/09/21] Web page was published
1
2018-03-07T10:12:33+09:00
[2018/03/07] References: Content was added
2017-09-21T15:58:21+09:00
2018-03-07T14:32:45+09:00
2017-05-22T00:00:00+09:00
JVNDB-2017-007582
jwt-scala fails to verify token signatures
jwt-scala is a Scala library to handle JSON Web Token (JWT). jwt-scala contains a vulnerability where it fails to verify token signatures correctly due to improper processing of JWT headers. Toshiharu Sugiyama of Recruit Technologies Co., Ltd. RED TEAM reported this vulnerability to the developer and JPCERT/CC and directly coordinated with the developer. JPCERT/CC published this advisory as the developer agreed with the publication on JVN.
jwt-scala project
jwt-scala
cpe:/a:really:jwt-scala
1.2.2 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Specially crafted tokens may be verified successfully, although the verification should fail.
[Use the Latest Source Code] The source code patch was applied to the GitHub repository on September 11, 2017: https://github.com/reallylabs/jwt-scala/commit/093a9891471608623c715abd08ab0c237489b05a [Apply a Workaround] Check that the alg field value in the JWT header is appropriate.
GitHub
Fixed signature verification bypass issue.
https://github.com/reallylabs/jwt-scala/commit/093a9891471608623c715abd08ab0c237489b05a
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10862
JVN
JVNVU#90916766
http://jvn.jp/en/vu/JVNVU90916766/index.html
National Vulnerability Database (NVD)
CVE-2017-10862
https://nvd.nist.gov/vuln/detail/CVE-2017-10862
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/09/26] Web page was published
1
2018-03-07T11:41:01+09:00
[2018/03/07] References: Content was added
2017-09-26T15:37:33+09:00
2018-03-07T12:23:50+09:00
2017-09-25T00:00:00+09:00
JVNDB-2017-007767
Self-Decrypting Confidential Files created by JP1/HIBUN may insecurely load Dynamic Link Libraries
Self-decrypting confidential files created by JP1/HIBUN contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.
Hitachi, Ltd
JP1/Hibun
cpe:/a:hitachi:jp1_hibun
Advanced Edition Development Kit - Encrypted File Distribution License
Advanced Edition Development Kit HIBUN Confidential File Create Runtime
Advanced Edition Development Kit Self-Decrypting Confidential File Create Runtime
Advanced Edition Development Kit Server
Advanced Edition File Encryption
Advanced Edition Information Cypher
Advanced Edition MailGuard
Advanced Edition Optical Disc Encryption
Data Encryption
Data Encryption - Subscription Type
Data Encryption - Subscription Type - 24 Hours Support
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi
HWS17-005
http://www.hitachi-support.com/alert/us/HWS17-005/index.htm
Hitachi
Hibun support 20170929
http://www.hitachi-solutions.co.jp/hibun/sp/support/importance/20170929.html
Hitachi Incident Response Team
HIRT-PUB17011
http://www.hitachi.co.jp/hirt/publications/hirt-pub17011/index.html
Hitachi Software Vulnerability Information
hitachi-sec-2017-124
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-124/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/03] Web page was published
[2017/10/06] CVSS Severity was modified
2017-10-03T11:18:39+09:00
2017-10-06T11:36:33+09:00
2017-09-29T00:00:00+09:00
JVNDB-2017-008363
Information Disclosure Vulnerability in Hitachi Global Link Manager
An Information Disclosure Vulnerability was found in Hitachi Global Link Manager.
Hitachi, Ltd
Hitachi Global Link Manager
cpe:/a:hitachi:global_link_manager
6.3.0-00 or more and less than 8.5.3-00
Low
3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Information might be disclosed.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-130
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-130/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/17] Web page was published
[2017/10/18] CVSS Severity was modified
2017-10-17T16:26:01+09:00
2017-10-18T12:31:28+09:00
2017-10-16T00:00:00+09:00
JVNDB-2017-008364
RMI Vulnerability in Hitachi Tuning Manager
An RMI vulnerability was found in Hitachi Tuning Manager.
Hitachi, Ltd
Hitachi Tuning Manager
cpe:/a:hitachi:tuning_manager
less than 8.5.3-00
Software less than 8.0.0-00
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-129
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-129/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/17] Web page was published
[2017/10/18] CVSS Severity was modified
2017-10-17T16:26:03+09:00
2017-10-18T12:31:26+09:00
2017-10-16T00:00:00+09:00
JVNDB-2017-008369
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor. * Cross-site Scripting * Access Control For Access Control, Hitachi Data Center Analytics v8.0.0, v8.0.2, v8.1.0, and v8.1.3 will be affected.
Hitachi, Ltd
Hitachi Infrastructure Analytics Advisor
cpe:/a:hitachi:infrastructure_analytics_advisor
less than 3.2.0-00
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-125
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-125/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/17] Web page was published
[2017/10/18] CVSS Severity was modified
2017-10-17T16:58:31+09:00
2017-10-18T12:31:24+09:00
2017-10-16T00:00:00+09:00
JVNDB-2017-008370
Information Disclosure Vulnerability in Hitachi Automation Director
An Information Disclosure Vulnerability was found in Hitachi Automation Director.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
(English version) less than 8.5.3-00
Low
3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Information might be disclosed.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-126
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-126/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/10/17] Web page was published
[2017/10/18] CVSS Severity was modified
2017-10-17T17:01:37+09:00
2017-10-18T12:31:23+09:00
2017-10-16T00:00:00+09:00
JVNDB-2017-008411
XXE Vulnerability in Hitachi Command Suite
An XXE (XML External Entity) Vulnerability was found in Hitachi Command Suite.
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
less than 8.5.3-00
Software less than 8.0.0-00
Hitachi, Ltd
Hitachi Dynamic Link Manager
cpe:/a:hitachi:dynamic_link_manager
less than 8.5.1-04 (VMware)
less than 8.5.3-00 (Windows/Linux/Solaris/AIX)
Software less than 8.0.0-00
Hitachi, Ltd
Hitachi Replication Manager
cpe:/a:hitachi:replication_manager
less than 8.5.3-00
Software less than 8.0.0-00
High
7.5
AV:N/AC:L/Au:S/C:P/I:N/A:C
High
8.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-128
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-128/index.html
JVNDB
CWE-611
Improper Restriction of XML External Entity Reference
https://cwe.mitre.org/data/definitions/611.html
0
2018-02-17T10:37:53+09:00
[2017/10/18] Web page was published
[2017/11/07] Affected Products: Content was added
2017-10-18T14:22:45+09:00
2017-11-07T15:06:53+09:00
2017-10-16T00:00:00+09:00
JVNDB-2017-008629
Memory corruption vulnerability in Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro
Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro contain a memory corruption vulnerability.
JustSystems Corporation
Ichitaro
cpe:/a:justsystems:ichitaro
2011
2015
2016
2017
2017 Trial version
JustSystems Corporation
Ichitaro Government
cpe:/a:justsystems:ichitaro_government
6
7
8
JustSystems Corporation
Ichitaro Pro
cpe:/a:justsystems:ichitaro_pro
2
3
JustSystems Corporation
Rakuraku Hagaki
cpe:/a:justsystems:rakuraku_hagaki
2016
2017
2018
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Medium
5.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
If a user opens a specially crafted Rakuraku Hagaki file or Rakuraku Hagaki Select for Ichitaro file, arbitrary code may be executed with the privilege of running the application.
[Update the software] Update the software according to the information provided by the developer.
justsystems
[JS17003] About a code execution vulnerability found in Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro
https://www.justsystems.com/jp/info/js17003.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10870
JVN
JVNVU#93703434
http://jvn.jp/en/vu/JVNVU93703434/index.html
National Vulnerability Database (NVD)
CVE-2017-10870
https://nvd.nist.gov/vuln/detail/CVE-2017-10870
0
2018-02-17T10:37:53+09:00
[2017/10/25] Web page was published
1
2018-03-14T11:09:37+09:00
[2018/03/14] References: Content was added
2017-10-25T12:17:23+09:00
2018-03-14T14:01:38+09:00
2017-10-24T00:00:00+09:00
JVNDB-2017-009884
QND Advance/Standard vulnerable to directory traversal
QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability (CWE-22) in the administrative server, caused by an issue in processing input from an agent program. The administrative server also does not require authentication for communication between the server and an agent program, so an arbitrary request sent from any device with access to the administrative server can be processed. Muneaki Nishimura of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
QualitySoft Corporation
QND Advance/Standard
cpe:/a:qualitysoft:qnd_advance%2Fstandard
all versions
Critical
9.4
AV:N/AC:L/Au:N/C:C/I:C/A:N
Critical
9.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
If an administrative server processes a specially crafted command, an arbitrary file in the administrative server may be obtained or altered.
[Update the Software] Apply the latest update according to the information provided by the developer.
QualitySoft Corporation
About a vulnerability found in QND Advance/Standard
http://www.qualitysoft.com/qnd_vulnerabilities
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10861
JVN
JVNVU#94198685
http://jvn.jp/en/vu/JVNVU94198685/index.html
National Vulnerability Database (NVD)
CVE-2017-10861
https://nvd.nist.gov/vuln/detail/CVE-2017-10861
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/11/28] Web page was published
1
2018-03-14T12:11:21+09:00
[2018/03/14] References: Content was added
2017-11-28T11:26:34+09:00
2018-03-14T14:17:51+09:00
2017-11-27T00:00:00+09:00
JVNDB-2017-010043
Cross-site Scripting Vulnerability in JP1/Operations Analytics
A cross-site scripting vulnerability was found in JP1/Operations Analytics.
Hitachi, Ltd
JP1/Operations Analytics
cpe:/a:hitachi:jp1_operation_analytics
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Remote users can exploit this vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-132
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-132/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/01] Web page was published
[2017/12/20] CVSS Severity was modified
2017-12-01T14:59:52+09:00
2017-12-20T11:09:17+09:00
2017-11-30T00:00:00+09:00
JVNDB-2017-010236
Cross-site Scripting Vulnerability in Fujitsu NetCOBOL
A cross-site scripting vulnerability was found in the MeFt/Web Service manager function in Fujitsu NetCOBOL.
FUJITSU
NetCOBOL
cpe:/a:fujitsu:netcobol
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
By creating a malicious webpage that exploits this vulnerability, an attacker could execute arbitrary code on the user's computer used to access the malicious webpage.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
FUJITSU Security Information
netcobol-201701
http://www.fujitsu.com/jp/products/software/resources/condition/security/products-fujitsu/solution/netcobol-201701.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/12] Web page was published
2018-01-12T15:07:39+09:00
2018-01-12T15:07:39+09:00
2017-12-07T00:00:00+09:00
JVNDB-2017-010275
Cross-site Scripting Vulnerability in JP1/Service Support and JP1/Integrated Management - Service Support
A cross-site scripting vulnerability was found in JP1/Service Support and JP1/Integrated Management - Service Support.
Hitachi, Ltd
Job Management Partner 1/Integrated Management
cpe:/a:hitachi:job_management_partner_1_integrated_management
- Service Support
- Service Support Advanced Edition
Hitachi, Ltd
JP1/Integrated Management
cpe:/a:hitachi:jp1_integrated_management
- Service Support
- Service Support Advanced Edition
- Service Support Starter Edition
Hitachi, Ltd
JP1/Service Support
cpe:/a:hitachi:jp1_service_support
Starter Edition
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Remote users can exploit this vulnerability to execute malicious scripts.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2017-133
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-133/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2017/12/11] Web page was published
[2017/12/20] CVSS Severity was modified
2017-12-11T11:46:22+09:00
2017-12-20T11:09:15+09:00
2017-12-08T00:00:00+09:00
JVNDB-2017-010280
Fluentd vulnerable to escape sequence injection
Fluentd provided by Cloud Native Computing Foundation (CNCF) contains an escape sequence injection vulnerability. Fluentd is an open source data collector provided by Cloud Native Computing Foundation (CNCF). The parse Filter Plugin for Fluentd contains an escape sequence injection vulnerability (CWE-150) due to a flaw in processing logs. Teppei Fukuda reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
Cloud Native Computing Foundation (CNCF)
Fluentd
cpe:/a:fluentd:fluentd
version 0.12.29 through 0.12.40
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Processing a specially crafted log may change the terminal UI or possibly execute an arbitrary command on the device collecting logs.
[Update the Software] Update to the latest version according to the information provided by the developer.
GitHub
Release 0.12.41 - 2017/11/15
https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes
GitHub
filter_parser: Fix dumpped result for avoiding escape sequence injection #1733
https://github.com/fluent/fluentd/pull/1733
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906
JVN
JVNVU#95124098
http://jvn.jp/en/vu/JVNVU95124098/index.html
National Vulnerability Database (NVD)
CVE-2017-10906
https://nvd.nist.gov/vuln/detail/CVE-2017-10906
JVNDB
CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
https://cwe.mitre.org/data/definitions/150.html
0
2018-02-17T10:37:53+09:00
[2017/12/11] Web page was published
1
2018-04-11T13:47:59+09:00
[2018/04/11] References: Content was added
2017-12-11T14:13:35+09:00
2017-12-11T14:13:35+09:00
2017-12-08T00:00:00+09:00
JVNDB-2017-010584
AssetView and AssetView PLATINUM contain multiple vulnerabilities
AssetView and AssetView PLATINUM provided by Hammock Corporation contain the 2 vulnerabilities listed below.
* Use of Hard-coded Cryptographic Key (CWE-321) - CVE-2017-10866
* Improper Input Validation (CWE-20) - CVE-2017-10867
Muneaki Nishimura of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
Hammock Corporation
AssetView
cpe:/a:hammock:assetview
PLATINUM Ver. 1.1.0 to 6.2.2
Ver.7.0.0 to Ver. 9.2.3
Medium
6.8
AV:L/AC:L/Au:S/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
A user who knows the cryptographic key used in the system can do the following:
* Perform an arbitrary operation on an arbitrary client terminal when the Remote Control function is enabled - CVE-2017-10866
* Alter information that is temporarily saved on a client terminal before being sent to the server, and then execute an arbitrary SQL query on the server of AssetView or the server of AssetView PLATINUM - CVE-2017-10867
[Update the Software] Update the software to the latest version according to the information provided by the developer. [Apply the Patch] Apply the security patch "AssetView Encryption Module Hotfix" if updating the software is not an option. For more information, refer to the information provided by the developer.
HAMMOCK
JVNVU#91625548: Two vulnerabilities in AssetView Encryption Module
https://www.hammock.jp/assetview/info/171013.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10866
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10866
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10867
JVN
JVNVU#91625548
http://jvn.jp/en/vu/JVNVU91625548/
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-321
Use of Hard-coded Cryptographic Key
https://cwe.mitre.org/data/definitions/321.html
0
2018-02-17T10:37:53+09:00
[2018/01/12] Web page was published
2018-01-12T15:32:18+09:00
2018-01-12T15:32:18+09:00
2017-10-16T00:00:00+09:00