JVNDB-2018-000001
Lhaplus vulnerable to improper verification when expanding ZIP64 archives
Lhaplus is file compression/decompression software. Lhaplus does not treat ZIP64 archives properly when expanding. Koji Ando of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Schezo
Lhaplus
cpe:/a:lhaplus:lhaplus
Version 1.73 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Unintended content may be extracted from a crafted ZIP64 archive.
[Update the Software] Update to the latest version according to the information provided by the developer.
Schezo
Schezo website
http://www7a.biglobe.ne.jp/~schezo/JVN57842148.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2158
JVN
JVN#57842148
http://jvn.jp/en/jp/JVN57842148/index.html
National Vulnerability Database (NVD)
CVE-2017-2158
https://nvd.nist.gov/vuln/detail/CVE-2017-2158
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/11] Web page was published
1
2018-04-04T09:56:00+09:00
[2018/04/04] References : Content was added
2018-01-11T14:18:29+09:00
2018-04-04T12:33:36+09:00
2018-01-11T00:00:00+09:00
JVNDB-2018-000002
Nootka App for Android vulnerable to OS command injection
Nootka App for Android provided by SeeLook contains an OS command injection vulnerability (CWE-78). Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SeeLook
Nootka
cpe:/a:nootka_project:nootka
1.4.4 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
High
7.5
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
A remote attacker may execute an arbitrary OS command.
[Update the Application] Update to the latest version according to the information provided by the developer.
Google Play
Nootka - Android Apps on Google Play
https://play.google.com/store/apps/details?id=net.sf.nootka
SeeLook
Nootka downloads
https://nootka.sourceforge.io/index.php?L=en&C=down
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0506
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0506
JVN
JVN#10103841
http://jvn.jp/en/jp/JVN10103841/index.html
National Vulnerability Database (NVD)
CVE-2018-0506
https://nvd.nist.gov/vuln/detail/CVE-2018-0506
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/19] Web page was published
1
2018-04-11T10:38:43+09:00
[2018/04/11] References : Content was added
2018-01-19T14:19:24+09:00
2018-04-11T11:46:56+09:00
2018-01-19T00:00:00+09:00
JVNDB-2018-000003
GroupSession vulnerable to open redirect
GroupSession provided by Japan Total System Co.,Ltd. is open source groupware. GroupSession contains an open redirect vulnerability (CWE-601). Norihiko Hirukawa of FiveDrive Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Japan Total System Co.,Ltd.
GroupSession
cpe:/a:groupsession:groupsession
version 4.7.0 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
When accessing a specially crafted page, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
[Update the Software] Update to the latest version according to the information provided by the developer.
[Apply a Workaround] The following workaround may mitigate the effects of this vulnerability.
* Do not access suspicious websites or hyperlinks
JVN
Information from Japan Total System Co.,Ltd.
http://jvn.jp/en/jp/JVN26200083/995424/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2017-2166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2166
JVN
JVN#26200083
http://jvn.jp/en/jp/JVN26200083/index.html
National Vulnerability Database (NVD)
CVE-2017-2166
https://nvd.nist.gov/vuln/detail/CVE-2017-2166
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/19] Web page was published
1
2018-04-11T10:07:34+09:00
[2018/04/11] References : Content was added
2018-01-19T14:19:22+09:00
2018-04-11T11:37:28+09:00
2018-01-19T00:00:00+09:00
JVNDB-2018-000004
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely load Dynamic Link Libraries
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
FLET'S VIRUS CLEAR Easy Setup & Application Tool
cpe:/a:ntt_east:flet%27s_virus_clear_easy_setup_%26_application_tool
ver.11 and earlier versions
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool
cpe:/a:ntt_east:flet%27s_virus_clear_v6_easy_setup_%26_application_tool
ver.11 and earlier versions
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] This vulnerability has already been addressed in the latest version (ver.12) released on 2018 March 28. When installing "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and/or "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool", use the latest installer according to the information provided by the developer. If an old version of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and/or "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" obtained from the website before 2017 March 28 resides on your computer, delete it immediately. Note that this vulnerability affects the installer only, so users who have already installed "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and/or "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" do not need to re-install the software using the latest installer. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone East Corporation
FLET'S VIRUS CLEAR Easy Setup
https://flets.com/customer/tec/fvc/setup/difference.html
Nippon Telegraph and Telephone East Corporation
FLET'S VIRUS CLEAR v6 Easy Setup
https://flets.com/customer/next/sec/setup/difference.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0507
JVN
JVN#26255241
http://jvn.jp/en/jp/JVN26255241/index.html
National Vulnerability Database (NVD)
CVE-2018-0507
https://nvd.nist.gov/vuln/detail/CVE-2018-0507
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/22] Web page was published
1
2018-04-11T10:26:24+09:00
[2018/04/11] References : Content was added
2018-01-22T14:17:37+09:00
2018-04-11T11:44:11+09:00
2018-01-22T00:00:00+09:00
JVNDB-2018-000005
WordPress plugin "WP Retina 2x" vulnerable to cross-site scripting
The WordPress plugin "WP Retina 2x" contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Jordy Meow
WP Retina 2x
cpe:/a:jordy_meow:wp_retina_2x
prior to version 5.2.2
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Jordy Meow
Changeset 1802137 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1802137/#file1
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0511
JVN
JVN#30636823
http://jvn.jp/en/jp/JVN30636823/index.html
National Vulnerability Database (NVD)
CVE-2018-0511
https://nvd.nist.gov/vuln/detail/CVE-2018-0511
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/01/30] Web page was published
1
2018-04-11T11:14:20+09:00
[2018/04/11] References : Content was added
2018-01-30T12:30:54+09:00
2018-04-11T11:53:14+09:00
2018-01-30T00:00:00+09:00
JVNDB-2018-000006
Multiple vulnerabilities in epg search result viewer(kkcald)
epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2018-0508
* Cross-site request forgery (CWE-352) - CVE-2018-0509
* Buffer overflow (CWE-121) - CVE-2018-0510
Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
kkcal
epg search result viewer(kkcald)
cpe:/a:kkcald_project:kkcald
0.7.19 and earlier (CVE-2018-0510)
0.7.21 and earlier (CVE-2018-0508, CVE-2018-0509)
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* An arbitrary script may be executed on the logged-in user's web browser - CVE-2018-0508
* If a user views a malicious page while logged in, unintended operations may be performed - CVE-2018-0509
* A remote attacker may perform an unintended operation or execute a DoS (denial of service) attack - CVE-2018-0510
[Update the Software] Update to the latest version according to the information provided by the developer.
kkcal
kkcal website
http://dbit.web.fc2.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0510
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0510
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0508
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0509
JVN
JVN#91393903
http://jvn.jp/en/jp/JVN91393903/index.html
National Vulnerability Database (NVD)
CVE-2018-0508
https://nvd.nist.gov/vuln/detail/CVE-2018-0508
National Vulnerability Database (NVD)
CVE-2018-0509
https://nvd.nist.gov/vuln/detail/CVE-2018-0509
National Vulnerability Database (NVD)
CVE-2018-0510
https://nvd.nist.gov/vuln/detail/CVE-2018-0510
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-121
Stack-based Buffer Overflow
https://cwe.mitre.org/data/definitions/121.html
0
2018-02-17T10:37:53+09:00
[2018/02/01] Web page was published
1
2018-04-11T10:55:10+09:00
[2018/04/11] References : Contents were added
2018-02-01T13:58:04+09:00
2018-04-11T11:49:34+09:00
2018-02-01T00:00:00+09:00
JVNDB-2018-000007
Multiple I-O DATA network devices incorporating "MagicalFinder" vulnerable to OS command injection
"MagicalFinder" provided by I-O DATA DEVICE, INC. is an IP address setting tool for I-O DATA network devices such as routers, network cameras, storage devices, etc. Multiple I-O DATA network devices that incorporate "MagicalFinder" contain an OS command injection vulnerability (CWE-78). Taizo Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
I-O DATA DEVICE, INC.
BX-VP1
cpe:/h:i-o_data_device:bx-vp1
firmware version 2.01 and earlier
I-O DATA DEVICE, INC.
GV-NTX1
cpe:/h:i-o_data_device:gv-ntx1
firmware version 1.02.00 and earlier
I-O DATA DEVICE, INC.
GV-NTX2
cpe:/h:i-o_data_device:gv-ntx2
firmware version 1.02.00 and earlier
I-O DATA DEVICE, INC.
HDL-A Series
cpe:/h:i-o_data_device:hdl-a
firmware version 1.26 and earlier
I-O DATA DEVICE, INC.
HDL-AH Series
cpe:/h:i-o_data_device:hdl-ah
firmware version 1.26 and earlier
I-O DATA DEVICE, INC.
HDL-GT Series
cpe:/h:i-o_data_device:hdl-gt
firmware version 1.37 and earlier
I-O DATA DEVICE, INC.
HDL-GTR Series
cpe:/h:i-o_data_device:hdl-gtr
firmware version 1.37 and earlier
I-O DATA DEVICE, INC.
HDL-T Series
cpe:/h:i-o_data_device:hdl-t
firmware version 1.12 and earlier
I-O DATA DEVICE, INC.
HDL-XR Series
cpe:/h:i-o_data_device:hdl-xr
firmware version 2.01 and earlier
I-O DATA DEVICE, INC.
HDL-XR2U Series
cpe:/h:i-o_data_device:hdl-xr2u
firmware version 2.01 and earlier
I-O DATA DEVICE, INC.
HDL-XR2UW Series
cpe:/h:i-o_data_device:hdl-xr2uw
firmware version 2.01 and earlier
I-O DATA DEVICE, INC.
HDL-XRW Series
cpe:/h:i-o_data_device:hdl-xrw
firmware version 2.01 and earlier
I-O DATA DEVICE, INC.
HDL-XV Series
cpe:/h:i-o_data_device:hdl-xv
firmware version 1.50 and earlier
I-O DATA DEVICE, INC.
HDL-XVW Series
cpe:/h:i-o_data_device:hdl-xvw
firmware version 1.50 and earlier
I-O DATA DEVICE, INC.
HDL2-A Series
cpe:/h:i-o_data_device:hdl2-a
firmware version 1.26 and earlier
I-O DATA DEVICE, INC.
HDL2-AH Series
cpe:/h:i-o_data_device:hdl2-ah
firmware version 1.26 and earlier
I-O DATA DEVICE, INC.
HFAS1 Series
cpe:/h:i-o_data_device:hfas1
firmware version 1.40 and earlier
I-O DATA DEVICE, INC.
HLS-C Series
cpe:/h:i-o_data_device:hls-c
firmware version 1.12 and earlier
I-O DATA DEVICE, INC.
HVL-A series
cpe:/h:i-o_data_device:hvl-a
firmware version 2.04 and earlier
I-O DATA DEVICE, INC.
HVL-AT series
cpe:/h:i-o_data_device:hvl-at
firmware version 2.04 and earlier
I-O DATA DEVICE, INC.
HVL-ATA series
cpe:/h:i-o_data_device:hvl-ata
firmware version 2.04 and earlier
I-O DATA DEVICE, INC.
HVL-S Series
cpe:/h:i-o_data_device:hvl-s
firmware version 1.00 and earlier
I-O DATA DEVICE, INC.
WHG-AC1750/A
cpe:/h:i-o_data_device:whg-ac1750a
firmware version 3.00 and earlier
I-O DATA DEVICE, INC.
WHG-AC1750/AL
cpe:/h:i-o_data_device:whg-ac1750%2fal
firmware version 1.07 and earlier
I-O DATA DEVICE, INC.
WHG-NAPG/A
cpe:/h:i-o_data_device:whg-napga
firmware version 1.08 and earlier
I-O DATA DEVICE, INC.
WHG-NAPG/AL
cpe:/h:i-o_data_device:whg-napgal
firmware version 1.05 and earlier
I-O DATA DEVICE, INC.
WN-AC1167DGR
cpe:/h:i-o_data_device:wn-ac1167dgr
firmware version 1.02 and earlier
I-O DATA DEVICE, INC.
WN-AC1300EX
cpe:/h:i-o_data_device:wn-ac1300ex
firmware version 1.02 and earlier
I-O DATA DEVICE, INC.
WN-AC1600DGR
cpe:/h:i-o_data_device:wn-ac1600dgr
firmware version 2.06 and earlier
I-O DATA DEVICE, INC.
WN-AC583RK
cpe:/h:i-o_data_device:wn-ac583rk
firmware version 1.06 and earlier
I-O DATA DEVICE, INC.
WN-AC583TRK
cpe:/h:i-o_data_device:wn-ac583trk
firmware version 1.05 and earlier
I-O DATA DEVICE, INC.
WN-AG300DGR
cpe:/h:i-o_data_device:wn-ag300dgr
firmware version 1.05 and earlier
I-O DATA DEVICE, INC.
WN-AG750DGR
cpe:/h:i-o_data_device:wn-ag750dgr
firmware version 1.08 and earlier
I-O DATA DEVICE, INC.
WN-AX1167GR
cpe:/h:i-o_data_device:wn-ax1167gr
firmware version 3.11 and earlier
I-O DATA DEVICE, INC.
WN-G300EX
cpe:/h:i-o_data_device:wn-g300ex
firmware version 1.01 and earlier
I-O DATA DEVICE, INC.
WN-G300R
cpe:/h:i-o_data_device:wn-g300r
firmware version 1.14 and earlier
I-O DATA DEVICE, INC.
WN-G300R3
cpe:/h:i-o_data_device:wn-g300r3
firmware version 1.04 and earlier
I-O DATA DEVICE, INC.
WN-G300SR
cpe:/h:i-o_data_device:wn-g300sr
firmware version 1.00 and earlier
I-O DATA DEVICE, INC.
WN-GX300GR
cpe:/h:i-o_data_device:wn-gx300gr
firmware version 2.00 and earlier
I-O DATA DEVICE, INC.
WNPR1167F
cpe:/h:i-o_data_device:wnpr1167f
firmware version 1.00 and earlier
I-O DATA DEVICE, INC.
WNPR1167G
cpe:/h:i-o_data_device:wnpr1167g
firmware version 1.00 and earlier
I-O DATA DEVICE, INC.
WNPR1750G
cpe:/h:i-o_data_device:wnpr1750g
firmware version 1.01 and earlier
I-O DATA DEVICE, INC.
WNPR2600G
cpe:/h:i-o_data_device:wnpr2600g
firmware version 1.01 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
An attacker who can log in to the affected device may execute an arbitrary OS command.
[Apply the appropriate firmware update] Apply the appropriate firmware update according to the information provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2018/magicalfinder/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0512
JVN
JVN#36048131
https://jvn.jp/en/jp/JVN36048131/index.html
National Vulnerability Database (NVD)
CVE-2018-0512
https://nvd.nist.gov/vuln/detail/CVE-2018-0512
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/06] Web page was published
1
2018-04-11T10:01:42+09:00
[2018/04/11] References : Content was added
2018-02-06T14:22:15+09:00
2018-04-11T11:51:20+09:00
2018-02-06T00:00:00+09:00
JVNDB-2018-000008
Spring Security and Spring Framework vulnerable to authentication bypass
Spring Framework and Spring Security provided by Pivotal Software, Inc. contain an authentication bypass vulnerability. Macchinetta Framework Development Team : NTT COMWARE, NTT DATA Corporation, and NTT reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Greenplum
Spring Framework
cpe:/a:greenplum:spring_framework
4.3.0 to 4.3.13
5.0.0 to 5.0.2
Greenplum
Spring Security
cpe:/a:greenplum:spring_security
4.1.0 to 4.1.4
4.2.0 to 4.2.3
5.0.0
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
A remote attacker can bypass authentication. As a result, the attacker gains access to the server and information may be disclosed.
[Update the Software] Update to the latest version according to the information provided by the developer.
FUJITSU Security Information
Information from FUJITSU LIMITED
http://www.fujitsu.com/jp/products/software/resources/condition/security/products-fujitsu/solution/interstage-bas-201801.html
NEC Security Information
NV18-004
https://jpn.nec.com/security-info/secinfo/nv18-004.html
Pivotal Software, Inc.
CVE-2018-1199: Security bypass with static resources
https://pivotal.io/security/cve-2018-1199
Common Vulnerabilities and Exposures (CVE)
CVE-2018-1199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199
JVN
JVN#15643848
http://jvn.jp/en/jp/JVN15643848/index.html
National Vulnerability Database (NVD)
CVE-2018-1199
https://nvd.nist.gov/vuln/detail/CVE-2018-1199
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/02] Web page was published
[2018/02/08] Vendor Information : Content was modified; CVE : CVE-ID was modified
[2018/02/09] Overview was modified
1
2018-03-27T15:05:14+09:00
[2018/03/27] Vendor Information : Content was added
2
2018-04-18T11:26:41+09:00
[2018/04/18] Vendor Information : Content was added
3
2018-06-14T11:01:22+09:00
[2018/06/14] References : Content was added
2018-02-02T12:28:18+09:00
2018-06-14T13:48:51+09:00
2018-02-02T00:00:00+09:00
JVNDB-2018-000009
The installer of Anshin net security for Windows may insecurely load Dynamic Link Libraries
Anshin net security for Windows provided by KDDI CORPORATION is an Internet Security suite. The installer of Anshin net security for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
Anshin net security
cpe:/a:kddi:anshin_net_security
for Windows Version 16.0.1.44 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Also, when executing the installer, be sure to check that there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, so users who have already installed Anshin net security for Windows do not need to re-install the software using the latest installer.
KDDI CORPORATION
KDDI CORPORATION website
https://www.au.com/internet/auonenet/option/security/anshin-security/
KDDI CORPORATION
Latest version of "Anshin net security for Windows" can be downloaded
https://www.au.com/support/service/internet/procedure/service/anshin-net/download-01/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0517
JVN
JVN#70615027
http://jvn.jp/en/jp/JVN70615027/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2018-0517
https://nvd.nist.gov/vuln/detail/CVE-2018-0517
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/06] Web page was published
1
2018-04-11T10:44:51+09:00
[2018/04/11] References : Content was added
2018-02-06T15:05:00+09:00
2018-04-11T12:13:49+09:00
2018-02-06T00:00:00+09:00
JVNDB-2018-000010
WordPress plugin "MTS Simple Booking C" vulnerable to cross-site scripting
The WordPress plugin "MTS Simple Booking C" provided by MT Systems Co., Ltd. contains a stored cross-site scripting vulnerability (CWE-79). Daichi Takaki of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
MT Systems Co., Ltd.
MTS Simple Booking
cpe:/a:mtssb.mt-systems:simple_booking
Business version 1.28.0 and earlier
C
Medium
4.3
AV:L/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user who is logged in as an administrator.
[Update the plugin] Update the plugin according to the information provided by the developer.
MT Systems Co., Ltd.
JVN#99312352 Vulnerability in MTS Simple Booking C and countermeasures
http://mtssb.mt-systems.jp/jvn99312352/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0513
JVN
JVN#99312352
http://jvn.jp/en/jp/JVN99312352/index.html
National Vulnerability Database (NVD)
CVE-2018-0513
https://nvd.nist.gov/vuln/detail/CVE-2018-0513
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/02] Web page was published
1
2018-04-11T10:14:59+09:00
[2018/04/11] References : Content was added
2018-02-02T13:39:50+09:00
2018-04-11T11:53:46+09:00
2018-02-02T00:00:00+09:00
JVNDB-2018-000011
MP Form Mail CGI eCommerce Edition vulnerable to OS command injection
MP Form Mail CGI eCommerce Edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce Edition contains an OS command injection vulnerability (CWE-78). Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
futomi Co.,Ltd.
MP Form Mail CGI eCommerce Edition
cpe:/a:futomis_cgi_cafe:mp_form_mail_cgi_ecommerce
Ver 2.0.13 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
A remote attacker may execute an arbitrary OS command.
[Update the Software] Update to the latest version according to the information provided by the developer.
futomi's CGI Cafe
futomi Co., Ltd. website
http://www.futomi.com/library/info/2018/20180208.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0514
JVN
JVN#15462187
https://jvn.jp/en/jp/JVN15462187/index.html
National Vulnerability Database (NVD)
CVE-2018-0514
https://nvd.nist.gov/vuln/detail/CVE-2018-0514
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/08] Web page was published
1
2018-04-11T10:12:46+09:00
[2018/04/11] References : Content was added
2018-02-08T12:21:50+09:00
2018-04-11T11:57:00+09:00
2018-02-08T00:00:00+09:00
JVNDB-2018-000012
Installer of "FLET'S Azukeru Backup Tool" may insecurely load Dynamic Link Libraries
"FLET'S Azukeru Backup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is software that automatically backs up files on the user's computer to the "FLET'S Azukeru" service. The installer of "FLET'S Azukeru Backup Tool" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
FLET'S Azukeru Backup Tool
cpe:/a:ntt_east:flet%27s_azukeru_backup_tool
version 1.5.2.6 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] This vulnerability has already been addressed in the latest version (ver.1.5.2.7) released on 2017 May 11. When installing "FLET'S Azukeru Backup Tool", use the latest installer according to the information provided by the developer. If an old version of "FLET'S Azukeru Backup Tool" obtained from the website before 2017 May 11 resides on your computer, delete it immediately. Note that this vulnerability affects the installer only, so users who have already installed "FLET'S Azukeru Backup Tool" do not need to re-install the software using the latest installer. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone East Corporation
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION website
https://flets.com/azukeru/login/news/info_180213.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0515
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#04564808
https://jvn.jp/en/jp/JVN04564808/index.html
National Vulnerability Database (NVD)
CVE-2018-0515
https://nvd.nist.gov/vuln/detail/CVE-2018-0515
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/13] Web page was published
1
2018-04-11T11:07:07+09:00
[2018/04/11] References : Content was added
2018-02-13T15:37:29+09:00
2018-04-11T12:25:32+09:00
2018-02-13T00:00:00+09:00
JVNDB-2018-000013
Insecure DLL Loading issue in multiple Trend Micro products
Multiple products provided by Trend Micro Incorporated contain an insecure DLL loading issue (CWE-427). When invoking the installers of other applications while the concerned products are installed on the PC, the DLL placed in the same directory as the installers (of the other applications) may be insecurely loaded. Hidenori Ohta of Mitsubishi Electric Information Systems Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Trend Micro, Inc.
OfficeScan
cpe:/a:trendmicro:virus_baster_corporate_edition
Version 11.0
XG (Version 12)
Trend Micro, Inc.
Trend Micro Deep Security
cpe:/a:trendmicro:deep_security
10.0
10.1 (Feature Release)
Trend Micro, Inc.
Trend Micro Endpoint Sensor
cpe:/a:trendmicro:endpoint_sensor
1.6
Trend Micro, Inc.
Trend Micro Security
cpe:/a:trendmicro:security
(Consumer) All 2018 (v12) Versions
Trend Micro, Inc.
Worry-Free Business Security
cpe:/a:trendmicro:business_security
Version 9.5 (Standard/Advanced)
Trend Micro, Inc.
Worry-Free Business Security Services
cpe:/a:trendmicro:business_security_services
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer of other applications.
[Apply the Patch] Apply the patch according to the information provided by the developer.
TrendMicro Solution
Solution Id: 1119326
https://success.trendmicro.com/solution/1119326
Common Vulnerabilities and Exposures (CVE)
CVE-2018-6218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6218
IPA SECURITY ALERTS
Security Alert for Vulnerability in multiple Trend Micro products (JVN#28865183)
https://www.ipa.go.jp/security/ciadr/vul/20180215-jvn.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#28865183
http://jvn.jp/en/jp/JVN28865183/index.html
National Vulnerability Database (NVD)
CVE-2018-6218
https://nvd.nist.gov/vuln/detail/CVE-2018-6218
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/15] Web page was published
1
2018-04-11T10:42:54+09:00
[2018/04/11] References : Content was added
2018-02-15T16:39:23+09:00
2018-04-11T12:23:39+09:00
2018-02-15T00:00:00+09:00
JVNDB-2018-000014
Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" may insecurely load Dynamic Link Libraries
The application and the self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
FLET'S v4/v6 address selection tool
cpe:/a:ntt_west:flet%27s_address_sentaku_tool
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the application or the self-extracting archive.
[Do not use "FLET'S v4 / v6 address selection tool"] Distribution and support of "FLET'S v4 / v6 address selection tool" ended as of 2018 February 7. Stop using "FLET'S v4 / v6 address selection tool". If "FLET'S v4 / v6 address selection tool" obtained from the website before 2018 February 7 resides on your computer and has not yet been installed, do not install it. Delete the executable file immediately.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
http://flets-w.com/topics/2018/20180207a.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0516
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#87403477
https://jvn.jp/en/jp/JVN87403477/index.html
National Vulnerability Database (NVD)
CVE-2018-0516
https://nvd.nist.gov/vuln/detail/CVE-2018-0516
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
0
2018-02-17T10:37:53+09:00
[2018/02/13] Web page was published
1
2018-04-11T11:12:50+09:00
[2018/04/11] References : Content was added
2018-02-13T15:43:25+09:00
2018-04-11T12:28:16+09:00
2018-02-13T00:00:00+09:00
JVNDB-2018-000015
Multiple vulnerabilities in FS010W
FS010W provided by FUJI SOFT INCORPORATED is a WiFi router. FS010W contains multiple vulnerabilities listed below.
* Stored cross-site scripting (CWE-79) - CVE-2018-0519
* Cross-site request forgery (CWE-352) - CVE-2018-0520
Manabu Kobayashi reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FUJISOFT INCORPORATED
FS010W
cpe:/h:fsi:fs010w
firmware FS010W_00_V1.3.0 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
High
7.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
The possible impact of each vulnerability is as follows:
* An arbitrary script may be executed on the web browser of a user who is logged in to the setting tool of the device - CVE-2018-0519
* If a user views a malicious page while logged in to the setting tool of the affected product, unintended operations such as changing settings of the device may be conducted - CVE-2018-0520
[Apply Workarounds] Applying all workarounds listed below may mitigate the impacts of these vulnerabilities.
* Change the initial login password set in the setting tool
* Do not access other websites while logged into the setting tool
* Close the web browser after completing settings of the device using the setting tool
FUJI SOFT INCORPORATED
FUJI SOFT INCORPORATED website
https://www.fsi.co.jp/mobile/plusF/products/FS010W.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0519
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0520
JVN
JVN#83834277
http://jvn.jp/en/jp/JVN83834277/index.html
National Vulnerability Database (NVD)
CVE-2018-0519
https://nvd.nist.gov/vuln/detail/CVE-2018-0519
National Vulnerability Database (NVD)
CVE-2018-0520
https://nvd.nist.gov/vuln/detail/CVE-2018-0520
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-02-22T15:29:25+09:00
[2018/02/22] Web page was published
2
2018-04-11T11:26:10+09:00
[2018/04/11] References: Contents were added
2018-02-22T15:29:25+09:00
2018-04-11T12:31:24+09:00
2018-02-20T00:00:00+09:00
JVNDB-2018-000016
LINE for iOS fails to verify SSL server certificates
LINE for iOS provided by LINE Corporation fails to verify SSL server certificates due to a vulnerability in the third-party SDK that is incorporated in the application. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
LINE Corporation
LINE
cpe:/a:linecorp:line
for iOS version 7.1.3 to 7.1.5
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. According to the developer, text messages, LINE login credentials (passwords), free voice calls, and free video calls are not affected by this vulnerability. For details, refer to the information provided by the developer.
[Update the Software] Update the software to the latest version according to the information provided by the developer. This vulnerability was addressed in LINE for iOS version 7.16, released on 2017 November 24.
LINE Corporation
[Vulnerability Report] SSL Server Certificate Validation Deficiency in LINE for iOS
https://linecorp.com/en/security/article/136
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0518
JVN
JVN#75453852
http://jvn.jp/en/jp/JVN75453852/index.html
National Vulnerability Database (NVD)
CVE-2018-0518
https://nvd.nist.gov/vuln/detail/CVE-2018-0518
1
2018-02-22T15:29:23+09:00
[2018/02/22] Web page was published
2
2018-06-14T09:59:34+09:00
[2018/06/14] References: Content was added
2018-02-22T15:29:23+09:00
2018-06-14T12:23:16+09:00
2018-02-20T00:00:00+09:00
JVNDB-2018-000017
Multiple vulnerabilities in WXR-1900DHP2
WXR-1900DHP2 provided by BUFFALO INC. is a wireless LAN router. WXR-1900DHP2 contains multiple vulnerabilities listed below.
* Missing Authentication for Critical Function (CWE-306) - CVE-2018-0521
* Buffer Overflow (CWE-119) - CVE-2018-0522
* OS Command Injection (CWE-78) - CVE-2018-0523
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
WXR-1900DHP2
cpe:/h:buffalo_inc:wxr-1900dhp2
firmware Ver.2.48 and earlier
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The possible impact of each vulnerability is as follows:
* A user with access to the network that is connected to the affected device may execute an arbitrary command on the device - CVE-2018-0521
* If a user views a specially crafted file while logged into the affected device, arbitrary code may be executed - CVE-2018-0522
* A user with access to the network that is connected to the affected device may execute an arbitrary command on the device - CVE-2018-0523
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20180223.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0523
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0521
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0522
JVN
JVN#97144273
http://jvn.jp/en/jp/JVN97144273/index.html
National Vulnerability Database (NVD)
CVE-2018-0521
https://nvd.nist.gov/vuln/detail/CVE-2018-0521
National Vulnerability Database (NVD)
CVE-2018-0522
https://nvd.nist.gov/vuln/detail/CVE-2018-0522
National Vulnerability Database (NVD)
CVE-2018-0523
https://nvd.nist.gov/vuln/detail/CVE-2018-0523
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-02-26T13:50:54+09:00
[2018/02/26] Web page was published
2
2018-06-14T10:11:57+09:00
[2018/06/14] References: Contents were added
2018-02-26T14:10:52+09:00
2018-06-14T13:49:22+09:00
2018-02-26T00:00:00+09:00
JVNDB-2018-000019
Multiple vulnerabilities in Jubatus
Jubatus provided by Jubatus Community contains multiple vulnerabilities listed below.
* Arbitrary code execution - CVE-2018-0524
* Directory traversal (CWE-22) - CVE-2018-0525
Symantec Japan, Inc. Advisory Services Team reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Jubatus
Jubatus
cpe:/a:jubat:jubatus
1.0.2 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
The possible impact of each vulnerability is as follows:
* A remote attacker may execute arbitrary code - CVE-2018-0524
* A remote attacker may create an arbitrary file or alter an existing file on the server - CVE-2018-0525
[Update the Software] Update to the latest version according to the information provided by the developer.
Jubatus
Jubatus Community website
https://github.com/jubatus/jubatus/blob/master/ChangeLog.rst
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0524
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0525
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0525
JVN
JVN#56132776
http://jvn.jp/en/jp/JVN56132776/index.html
National Vulnerability Database (NVD)
CVE-2018-0524
https://nvd.nist.gov/vuln/detail/CVE-2018-0524
National Vulnerability Database (NVD)
CVE-2018-0525
https://nvd.nist.gov/vuln/detail/CVE-2018-0525
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-02T12:21:03+09:00
[2018/03/02] Web page was published
2
2018-06-14T11:47:24+09:00
[2018/06/14] References: Contents were added
2018-03-02T13:45:12+09:00
2018-06-14T13:57:21+09:00
2018-03-02T00:00:00+09:00
JVNDB-2018-000020
Installer of JTrim may insecurely load Dynamic Link Libraries
Installer of JTrim contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WoodyBells
JTrim
cpe:/a:woodybells:jtrim
1.53c and earlier (Installer)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use ZIP file format JTrim] When using JTrim, download the ZIP file version and use the software, according to the information provided by the developer. If the old installer version of JTrim obtained from the website before 2018 February 20 resides on your computer, delete it immediately. Note that this vulnerability affects the installer only, so users who have already installed JTrim do not need to re-install the software.
WoodyBells
JTrim
http://woodybells.com/jtrim.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0543
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#71816327
http://jvn.jp/en/jp/JVN71816327/index.html
National Vulnerability Database (NVD)
CVE-2018-0543
https://nvd.nist.gov/vuln/detail/CVE-2018-0543
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-05T14:07:11+09:00
[2018/03/05] Web page was published
2
2018-06-14T10:43:14+09:00
[2018/06/14] References: Content was added
2018-03-05T14:07:11+09:00
2018-06-14T13:46:03+09:00
2018-03-05T00:00:00+09:00
JVNDB-2018-000021
Installer of WinShot may insecurely load Dynamic Link Libraries
Installer of WinShot contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WoodyBells
WinShot
cpe:/a:woodybells:winshot
1.53a and earlier (Installer)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use ZIP file format WinShot] When using WinShot, download the ZIP file version and use the software, according to the information provided by the developer. If the old installer version of WinShot obtained from the website before 2018 February 20 resides on your computer, delete it immediately. Note that this vulnerability affects the installer only, so users who have already installed WinShot do not need to re-install the software.
WoodyBells
WinShot
http://woodybells.com/winshot.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0544
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#01837169
http://jvn.jp/en/jp/JVN01837169/index.html
National Vulnerability Database (NVD)
CVE-2018-0544
https://nvd.nist.gov/vuln/detail/CVE-2018-0544
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-05T15:10:50+09:00
[2018/03/05] Web page was published
2
2018-06-14T11:15:26+09:00
[2018/06/14] References: Content was added
2018-03-05T15:10:50+09:00
2018-06-14T13:43:31+09:00
2018-03-05T00:00:00+09:00
JVNDB-2018-000022
WordPress plugin "WP All Import" vulnerable to cross-site scripting
The WordPress plugin "WP All Import" provided by Soflyy contains a cross-site scripting vulnerability (CWE-79) in the file upload function. Note that this vulnerability is different from JVN#60032768. Mardan Muhidin of Gehirn Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Soflyy
WP All Import
cpe:/a:soflyy:wp_all_import
prior to version 3.4.6
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Soflyy
Import any XML or CSV File to WordPress - WordPress Plugins - Changelog
https://wordpress.org/plugins/wp-all-import/#developers
Soflyy
Changeset 1742744 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1742744/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0546
JVN
JVN#33527174
http://jvn.jp/en/jp/JVN33527174/index.html
National Vulnerability Database (NVD)
CVE-2018-0546
https://nvd.nist.gov/vuln/detail/CVE-2018-0546
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-08T14:10:32+09:00
[2018/03/08] Web page was published
2
2018-06-14T10:09:45+09:00
[2018/06/14] References: Content was added
2018-03-08T14:10:32+09:00
2018-06-14T12:26:12+09:00
2018-03-08T00:00:00+09:00
JVNDB-2018-000023
WordPress plugin "WP All Import" vulnerable to cross-site scripting
The WordPress plugin "WP All Import" provided by Soflyy contains a reflected cross-site scripting vulnerability (CWE-79). Note that this vulnerability is different from JVN#33527174. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Soflyy
WP All Import
cpe:/a:soflyy:wp_all_import
prior to version 3.4.7
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Soflyy
Import any XML or CSV File to WordPress - WordPress Plugins - Changelog
https://wordpress.org/plugins/wp-all-import/#developers
Soflyy
Changeset 1827741 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1827741/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0547
JVN
JVN#60032768
http://jvn.jp/en/jp/JVN60032768/index.html
National Vulnerability Database (NVD)
CVE-2018-0547
https://nvd.nist.gov/vuln/detail/CVE-2018-0547
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-08T14:10:34+09:00
[2018/03/08] Web page was published
2
2018-06-14T10:15:43+09:00
[2018/06/14] References: Content was added
2018-03-08T14:10:34+09:00
2018-06-14T12:27:58+09:00
2018-03-08T00:00:00+09:00
JVNDB-2018-000024
Multiple vulnerabilities in CG-WGR1200
CG-WGR1200 provided by Corega Inc is a wireless LAN router. CG-WGR1200 contains multiple vulnerabilities listed below.
* Buffer Overflow (CWE-119) - CVE-2017-10852
* Buffer Overflow (CWE-78) - CVE-2017-10853
* Authentication bypass (CWE-306) - CVE-2017-10854
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Corega Inc
CG-WGR1200
cpe:/h:corega:cg-wgr_1200
firmware 2.20 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* A user with access to the affected device may execute arbitrary code - CVE-2017-10852
* A user with access to the affected device may execute an arbitrary command - CVE-2017-10853
* A user with access to the affected device may change the login password. As a result, the user may access the management screen of the device and perform an arbitrary operation such as altering the device's settings - CVE-2017-10854
[Do not use CG-WGR1200] Stop using CG-WGR1200. According to the developer, there is no plan to provide a fix for these vulnerabilities since CG-WGR1200 is no longer supported.
[Apply a Workaround] CG-WGR1200 is no longer supported and there is no plan to provide fixes for these vulnerabilities. However, if you continue to use the device, apply the following workarounds to mitigate the impacts of these vulnerabilities.
* Disable the remote connection function to prevent an attacker's remote access to the device
* Prevent unauthorized access from inside the LAN to the device
corega
Multiple vulnerabilities in CG-WGR1200
http://corega.jp/support/security/20180309_wgr1200.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10854
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10852
Common Vulnerabilities and Exposures (CVE)
CVE-2017-10853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10853
JVN
JVN#15201064
http://jvn.jp/en/jp/JVN15201064/index.html
National Vulnerability Database (NVD)
CVE-2017-10852
https://nvd.nist.gov/vuln/detail/CVE-2017-10852
National Vulnerability Database (NVD)
CVE-2017-10853
https://nvd.nist.gov/vuln/detail/CVE-2017-10853
National Vulnerability Database (NVD)
CVE-2017-10854
https://nvd.nist.gov/vuln/detail/CVE-2017-10854
JVNDB
CWE-19
Data Handling
https://cwe.mitre.org/data/definitions/19.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-09T13:56:29+09:00
[2018/03/09] Web page was published
2
2018-06-14T10:27:25+09:00
[2018/06/14] References: Contents were added
2018-03-09T13:56:29+09:00
2018-06-14T13:54:30+09:00
2018-03-09T00:00:00+09:00
JVNDB-2018-000025
The installer of PhishWall Client Firefox and Chrome edition for Windows may insecurely load Dynamic Link Libraries
PhishWall Client Firefox and Chrome edition for Windows provided by SecureBrain Corporation is anti-phishing and anti-MITB software. The installer of PhishWall Client Firefox and Chrome edition for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eiji James Yoshida of Security Professionals Network Inc. and Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SecureBrain Corporation
The Installer of PhishWall Client
cpe:/a:securebrain:phishwall_client
Firefox and Chrome edition for Windows, Ver. 5.1.26 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. According to the developer, users of Windows 7 must first apply the Windows 7 security patch (KB2533623), and then use the latest installer to install the software. Users who have already installed PhishWall Client Firefox and Chrome edition for Windows do not need to re-install the application, because this issue affects the installer only.
SecureBrain Corporation
SecureBrain Corporation website
https://www.securebrain.co.jp/about/news/2018/03/180314.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0552
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#39896275
http://jvn.jp/en/jp/JVN39896275/index.html
National Vulnerability Database (NVD)
CVE-2018-0552
https://nvd.nist.gov/vuln/detail/CVE-2018-0552
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-15T13:38:41+09:00
[2018/03/15] Web page was published
2
2018-06-14T12:05:14+09:00
[2018/06/14] References: Content was added
2018-03-15T13:38:41+09:00
2018-06-14T13:43:32+09:00
2018-03-15T00:00:00+09:00
JVNDB-2018-000026
iRemoconWiFi App for Android fails to verify SSL server certificates
iRemoconWiFi App for Android provided by Glamo Inc. fails to verify SSL server certificates. Seigo Yamamoto of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Glamo Inc.
iRemoconWiFi
cpe:/a:glamo:iremocon_wifi
App for Android version 4.1.7 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
GooglePlay
iRemoconWiFi
https://play.google.com/store/apps/details?id=jp.co.glamo.iremoconwifi
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0553
JVN
JVN#43382653
https://jvn.jp/en/jp/JVN43382653/index.html
National Vulnerability Database (NVD)
CVE-2018-0553
https://nvd.nist.gov/vuln/detail/CVE-2018-0553
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-03-27T12:29:20+09:00
[2018/03/27] Web page was published
3
2018-06-14T14:26:17+09:00
[2018/06/14] References: Content was added
2018-03-27T13:40:11+09:00
2018-06-14T14:29:26+09:00
2018-03-27T00:00:00+09:00
JVNDB-2018-000027
Multiple vulnerabilities in WZR-1750DHP2
WZR-1750DHP2 provided by BUFFALO INC. is a wireless LAN router. WXR-1900DHP2 contains multiple vulnerabilities listed below.
* Missing Authentication for Critical Function (CWE-306) - CVE-2018-0554
* Buffer Overflow (CWE-119) - CVE-2018-0555
* OS Command Injection (CWE-78) - CVE-2018-0556
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BUFFALO INC.
WZR-1750DHP2 firmware
cpe:/o:buffalo_inc:wzr-1750dhp2_firmware
Ver.2.30 and earlier
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The possible impact of each vulnerability is as follows:
* A user with access to the network that is connected to the affected device may execute an arbitrary command on the device - CVE-2018-0554
* If a user views a specially crafted file while logged into the affected device, arbitrary code may be executed - CVE-2018-0555
* A user with access to the network that is connected to the affected device may execute an arbitrary command on the device - CVE-2018-0556
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
http://buffalo.jp/support_s/s20180328.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0556
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0554
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0555
JVN
JVN#93397125
https://jvn.jp/en/jp/JVN93397125/index.html
National Vulnerability Database (NVD)
CVE-2018-0554
https://nvd.nist.gov/vuln/detail/CVE-2018-0554
National Vulnerability Database (NVD)
CVE-2018-0555
https://nvd.nist.gov/vuln/detail/CVE-2018-0555
National Vulnerability Database (NVD)
CVE-2018-0556
https://nvd.nist.gov/vuln/detail/CVE-2018-0556
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-29T12:29:51+09:00
[2018/03/29] Web page was published
2
2018-06-14T12:26:24+09:00
[2018/06/14] References: Contents were added
2018-03-29T13:52:36+09:00
2018-06-14T14:12:31+09:00
2018-03-29T00:00:00+09:00
JVNDB-2018-000028
LXR vulnerable to OS command injection
LXR provided by LXR Project contains an OS command injection vulnerability (CWE-78). Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LXR Project
LXR
cpe:/a:lxr_project:lxr
version 1.0.0 to 2.3.0
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
On a server where the product is running, a remote attacker may execute an arbitrary OS command.
[Update the Software] Update to the latest version according to the information provided by the developer.
LXR
Known Bugs and Limitations in LXR
http://lxr.sourceforge.net/en/bugsandlimits.php
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0545
JVN
JVN#72589538
https://jvn.jp/en/jp/JVN72589538/index.html
National Vulnerability Database (NVD)
CVE-2018-0545
https://nvd.nist.gov/vuln/detail/CVE-2018-0545
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-29T12:22:18+09:00
[2018/03/29] Web page was published
2018-03-29T14:00:39+09:00
2018-06-14T14:08:41+09:00
2018-03-29T00:00:00+09:00
JVNDB-2018-000029
Safari vulnerable to script injection
Safari provided by Apple Inc. contains a script injection vulnerability (CWE-81) in the processing that displays an error page when it fails to verify server certificates. In the error page that Safari displays when it fails to verify server certificates, the domain name of the accessed website is output as is. Therefore, by exploiting this vulnerability, an arbitrary script may be executed on the user's web browser via an error page that is displayed when a user is led to visit a website with a specially crafted domain name. Yuji Tonai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apple Inc.
Safari
cpe:/a:apple:safari
version 11.0.2 and earlier
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
If a user is led to visit a website with a specially crafted domain name, an arbitrary script may be executed on the user's web browser.
[Update the Software] Apply the latest update according to the information provided by the developer.
Apple
About the security content of Safari 11.1
https://support.apple.com/en-us/HT208695
Common Vulnerabilities and Exposures (CVE)
CVE-2018-4133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4133
JVN
JVN#01161596
https://jvn.jp/en/jp/JVN01161596/index.html
National Vulnerability Database (NVD)
CVE-2018-4133
https://nvd.nist.gov/vuln/detail/CVE-2018-4133
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-30T12:28:56+09:00
[2018/03/30] Web page was published
2
2018-06-14T12:20:31+09:00
[2018/06/14] References: Content was added
2018-03-30T13:39:29+09:00
2018-06-14T14:02:46+09:00
2018-03-30T00:00:00+09:00
JVNDB-2018-000030
Installer of SoundEngine Free may insecurely load Dynamic Link Libraries
Installer of SoundEngine Free contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Coderium
SoundEngine Free
cpe:/a:coderium:soundengine
ver.5.21 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Note that this vulnerability affects the installer only, so users who have already installed SoundEngine Free do not need to re-install the software.
Coderium
SoundEngine Free ver.5.22 released (Fixed DLL Hijacking vulnerability in the installer) [Press Release]
https://soundengine.jp/wordpress/penguin_press/press_release/4187/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0562
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0562
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#85056623
http://jvn.jp/en/jp/JVN85056623/index.html
National Vulnerability Database (NVD)
CVE-2018-0562
https://nvd.nist.gov/vuln/detail/CVE-2018-0562
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-04-13T12:20:29+09:00
[2018/04/13] Web page was published
3
2018-06-14T13:39:31+09:00
[2018/06/14] References: Content was added
2018-04-13T13:52:36+09:00
2018-06-14T14:16:16+09:00
2018-04-13T00:00:00+09:00
JVNDB-2018-000031
Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* SQL injection in the application "Address" (CWE-89) - CVE-2018-0530
* Operation restriction bypass in the "Folder settings" (CWE-264) - CVE-2018-0531
* Operation restriction bypass in the setting of Login authentication (CWE-264) - CVE-2018-0532
* Operation restriction bypass in the setting of Session authentication (CWE-264) - CVE-2018-0533
* Browse restriction bypass in the application "Space" (CWE-264) - CVE-2018-0548
* Stored cross-site scripting in "Rich text" of the application "Message" (CWE-79) - CVE-2018-0549
* Browse restriction bypass in the application "Cabinet" (CWE-264) - CVE-2018-0550
* Stored cross-site scripting in "Rich text" of the application "Space" (CWE-79) - CVE-2018-0551
Cybozu, Inc. reported the CVE-2018-0530, CVE-2018-0531, CVE-2018-0532, CVE-2018-0533 and CVE-2018-0548 vulnerabilities to JPCERT/CC to notify users of the respective solutions through JVN. Jun Kokatsu reported the CVE-2018-0549 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. ixama reported the CVE-2018-0550 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. Masato Kinugawa reported the CVE-2018-0551 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.2.6 (CVE-2018-0531, CVE-2018-0532, CVE-2018-0533)
3.0.0 to 4.6.0 (CVE-2018-0549)
3.0.0 to 4.6.1 (CVE-2018-0551)
3.5.0 to 4.2.6 (CVE-2018-0530)
3.5.0 to 4.6.1 (CVE-2018-0550)
4.0.0 to 4.6.0 (CVE-2018-0548)
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* A user who can log in to the product may obtain information stored in the database. - CVE-2018-0530
* A user with operational administrative privileges for 1 or more folders may view or alter a folder's access privileges and/or notification settings. - CVE-2018-0531
* A user who can log in to the product with administrative privileges may alter setting data of the Standard database. - CVE-2018-0532
* A user who can log in to the product with administrative privileges may alter setting data of session authentication. - CVE-2018-0533
* A user who can log in to the product may view the closed title of "Space". - CVE-2018-0548
* An arbitrary script may be executed on the logged-in user's web browser - CVE-2018-0549, CVE-2018-0551
* A user who can log in to the product may view the folder names without appropriate privileges. - CVE-2018-0550
[Update the Software] Update to the latest version according to the information provided by the developer. [Updated on 2018 May 31] The developer states that the CVE-2018-0551 vulnerability was only partially addressed, so the issue still remains. According to the developer, the issue is under investigation and a complete fix for this vulnerability is to be released in the future, but the release schedule has not been determined yet.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006562.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0532
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0533
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0548
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0549
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0550
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0551
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0530
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0531
JVN
JVN#65268217
http://jvn.jp/en/jp/JVN65268217/index.html
National Vulnerability Database (NVD)
CVE-2018-0531
https://nvd.nist.gov/vuln/detail/CVE-2018-0531
National Vulnerability Database (NVD)
CVE-2018-0532
https://nvd.nist.gov/vuln/detail/CVE-2018-0532
National Vulnerability Database (NVD)
CVE-2018-0533
https://nvd.nist.gov/vuln/detail/CVE-2018-0533
National Vulnerability Database (NVD)
CVE-2018-0548
https://nvd.nist.gov/vuln/detail/CVE-2018-0548
National Vulnerability Database (NVD)
CVE-2018-0549
https://nvd.nist.gov/vuln/detail/CVE-2018-0549
National Vulnerability Database (NVD)
CVE-2018-0550
https://nvd.nist.gov/vuln/detail/CVE-2018-0550
National Vulnerability Database (NVD)
CVE-2018-0551
https://nvd.nist.gov/vuln/detail/CVE-2018-0551
National Vulnerability Database (NVD)
CVE-2018-0530
https://nvd.nist.gov/vuln/detail/CVE-2018-0530
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-09T13:50:39+09:00
[2018/04/09]\n Web page was published
2
2018-04-09T19:34:53+09:00
[2018/04/09]\n Affected Products : Product version was modified\n
3
2018-05-31T18:21:03+09:00
[2018/05/31]\n Solution was modified\n
4
2018-06-14T13:33:50+09:00
[2018/06/14]\n References : Contents were added
2018-04-09T14:27:55+09:00
2018-06-14T14:33:28+09:00
2018-04-09T00:00:00+09:00
JVNDB-2018-000032
Hatena Bookmark App for iOS contains an address bar spoofing vulnerability
Hatena Bookmark App for iOS provided by Hatena Co., Ltd. contains a vulnerability where the address bar displays a different URL than the URL that is being accessed. Kenichiro Wakitani reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hatena Co., Ltd.
Hatena Bookmark
cpe:/a:hatena:hatenaboolmark
App for iOS Version 3.0 to 3.70
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
This vulnerability could be leveraged to forge the contents of the address bar for conducting phishing attacks.
[Update the Software] Update to the latest version according to the information provided by the developer.
Hatena
Hatena co.,ltd. website
http://bookmark.hatenastaff.com/entry/2018/04/09/170000
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0560
JVN
JVN#77753476
http://jvn.jp/en/jp/JVN77753476/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-10T12:25:38+09:00
[2018/04/10]\n Web page was published
2018-04-10T13:39:19+09:00
2018-04-10T13:39:19+09:00
2018-04-10T00:00:00+09:00
JVNDB-2018-000033
The installer of PhishWall Client Internet Explorer edition may insecurely load Dynamic Link Libraries
PhishWall Client Internet Explorer edition provided by SecureBrain Corporation is anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer edition contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). According to the developer, the affected installer was built using Install Shield with all Hotfixes applied as of November 2017. The developer has confirmed that Install Shield with the most recent Hotfix applied addresses this issue. For details on Install Shield Hotfixes, refer to "Best Practices to Avoid Windows Setup Launcher Executable Issues". Note that this vulnerability is different from JVN#93699304. Yuto Iso of NTT Security (Japan) KK and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SecureBrain Corporation
The Installer of PhishWall Client
cpe:/a:securebrain:phishwall_client
Internet Explorer edition, Ver. 3.7.15 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. According to the developer, users of Windows 7 must first apply the Windows 7 security patch (KB2533623), and then use the latest installer to install the software. Users who have already installed PhishWall Client Internet Explorer version do not need to re-install the application, because this issue affects the installer only.
Flexera Software
Best Practices to Avoid Windows Setup Launcher Executable Issues
https://flexeracommunity.force.com/customer/articles/en_US/INFO/Best-Practices-to-Avoid-Windows-Setup-Launcher-Executable-Issues
SecureBrain Corporation
SecureBrain Corporation website
https://www.securebrain.co.jp/about/news/2018/04/180411.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0561
JVN
JVN#92220486
http://jvn.jp/en/jp/JVN92220486/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-12T13:47:57+09:00
[2018/04/12]\n Web page was published
2018-04-12T14:27:56+09:00
2018-04-12T14:27:56+09:00
2018-04-12T00:00:00+09:00
JVNDB-2018-000034
Tenable Appliance vulnerable to cross-site scripting
Tenable Appliance provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Tenable, Inc.
Tenable Appliance
cpe:/a:tenable:appliance
4.6.1 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Arbitrary JavaScript may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Tenable Blog
[R1] Tenable Appliance 4.7.0 Fixes One Vulnerability
https://www.tenable.com/security/tns-2018-02
Common Vulnerabilities and Exposures (CVE)
CVE-2018-1142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1142
JVN
JVN#71255137
http://jvn.jp/en/jp/JVN71255137/index.html
National Vulnerability Database (NVD)
CVE-2018-1142
https://nvd.nist.gov/vuln/detail/CVE-2018-1142
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-12T14:32:31+09:00
[2018/04/12]\n Web page was published
2
2018-06-14T11:59:28+09:00
[2018/06/14]\n References : Content was added
2018-04-12T14:33:01+09:00
2018-06-14T14:20:34+09:00
2018-04-12T00:00:00+09:00
JVNDB-2018-000035
EC-CUBE vulnerable to session fixation
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability (CWE-384). LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD. coordinated under the Information Security Early Warning Partnership.
EC-CUBE CO.,LTD.
EC-CUBE
cpe:/a:ec-cube:ec-cube
3.0.0
3.0.1
3.0.10
3.0.11
3.0.12
3.0.12-p1
3.0.13
3.0.14
3.0.15
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
Medium
4.2
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
A remote attacker impersonating a logged in user may perform an unintended operation with the user's privilege.
[Update the Software or Update source code] Apply either of the measures listed below according to the information provided by the developer.
* Update the software to the latest version
* Update source code by applying the difference file provided by the developer
LOCKON CO.,LTD
LOCKON CO.,LTD. website
https://www.ec-cube.net/info/weakness/20180416/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0564
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0564
JVN
JVN#52695336
https://jvn.jp/en/jp/JVN52695336/index.html
National Vulnerability Database (NVD)
CVE-2018-0564
https://nvd.nist.gov/vuln/detail/CVE-2018-0564
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-17T12:28:39+09:00
[2018/04/17]\n Web page was published
2
2018-08-22T17:42:03+09:00
[2018/08/22]\n References : Contents were added
2018-04-17T13:39:04+09:00
2018-08-22T17:42:35+09:00
2018-04-17T00:00:00+09:00
JVNDB-2018-000036
Joruri Gw vulnerable to arbitrary file upload
Joruri Gw provided by SiteBridge Inc. is groupware which runs on Ruby on Rails. Joruri Gw contains a vulnerability that may allow an attacker to upload arbitrary files (CWE-434). Shoji Baba of Kobe Digital Labo, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SiteBridge Inc.
Joruri Gw
cpe:/a:joruri:SiteBridge_joruri_gw
Ver 3.2.0 and earlier
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Low
3.5
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
A user may upload arbitrary files. When PHP code execution is enabled on the server, a user may execute arbitrary PHP code by uploading PHP files.
[Disable Unnecessary Functions from the System] Disable PHP code execution on the server if it is not necessary. Configure the server with only the necessary functions.
[Change Server Settings] If PHP code execution features are required, configure the server to prevent uploaded PHP files from being executed. The installation manual of Joruri Gw Ver.2.3.1 and later contains the following example configuration for Apache httpd:
    #Insert the following when PHP execution feature is enabled on the server.
    <Directory "/var/share/jorurigw/public">
        php_admin_flag engine off
    </Directory>
SiteBridge Inc.
installation manual of Joruri Gw Ver.2.3.1
https://github.com/joruri/joruri-gw/blob/master/doc/INSTALL.txt
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0568
JVN
JVN#95589314
http://jvn.jp/en/jp/JVN95589314/index.html
National Vulnerability Database (NVD)
CVE-2018-0568
https://nvd.nist.gov/vuln/detail/CVE-2018-0568
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-26T13:59:20+09:00
[2018/04/26]\n Web page was published
2
2018-08-30T14:01:41+09:00
[2018/08/30]\n References : Contents were added
2018-04-26T15:19:03+09:00
2018-08-30T14:02:17+09:00
2018-04-26T00:00:00+09:00
JVNDB-2018-000037
WordPress plugin "Events Manager" vulnerable to cross-site scripting
The WordPress plugin "Events Manager" provided by NetWebLogic contains a stored cross-site scripting vulnerability (CWE-79). Daichi Takaki of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NetWebLogic
Events Manager
prior to version 5.9
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
NetWebLogic
Events Manager - WordPress Plugins - Changelog
https://wordpress.org/plugins/events-manager/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0576
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0576
JVN
JVN#85531148
https://jvn.jp/en/jp/JVN85531148/index.html
National Vulnerability Database (NVD)
CVE-2018-0576
https://nvd.nist.gov/vuln/detail/CVE-2018-0576
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-27T12:28:43+09:00
[2018/04/27]\n Web page was published
2
2018-08-30T11:47:53+09:00
[2018/08/30]\n References : Contents were added
2018-04-27T14:00:51+09:00
2018-08-30T11:48:14+09:00
2018-04-27T00:00:00+09:00
JVNDB-2018-000038
WordPress plugin "WP Google Map Plugin" vulnerable to cross-site scripting
The WordPress plugin "WP Google Map Plugin" provided by Flipper Code contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Flipper Code
WP Google Map Plugin
cpe:/a:flippercode:google_map
prior to version 4.0.4
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Flipper Code
WP Google Map Plugin - WordPress Plugins - Changelog
https://wordpress.org/plugins/wp-google-map-plugin/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0577
JVN
JVN#01040170
https://jvn.jp/en/jp/JVN01040170/index.html
National Vulnerability Database (NVD)
CVE-2018-0577
https://nvd.nist.gov/vuln/detail/CVE-2018-0577
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-27T12:32:10+09:00
[2018/04/27]\n Web page was published
2
2018-08-30T12:00:22+09:00
[2018/08/30]\n References : Contents were added
2018-04-27T14:15:26+09:00
2018-08-30T12:00:36+09:00
2018-04-27T00:00:00+09:00
JVNDB-2018-000039
WordPress plugin "PixelYourSite" vulnerable to cross-site scripting
The WordPress plugin "PixelYourSite" provided by Minimal Work SRL contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Minimal Work SRL
PixelYourSite
cpe:/a:misc:minimal_work_srl_pixelyoursite
prior to version 5.3.0
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Minimal Work SRL
PixelYourSite - WordPress Plugins - Changelog
https://wordpress.org/plugins/pixelyoursite/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0578
JVN
JVN#61081552
https://jvn.jp/en/jp/JVN61081552/index.html
National Vulnerability Database (NVD)
CVE-2018-0578
https://nvd.nist.gov/vuln/detail/CVE-2018-0578
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-27T13:43:33+09:00
[2018/04/27]\n Web page was published
2
2018-08-30T11:54:39+09:00
[2018/08/30]\n References : Contents were added
2018-04-27T14:24:02+09:00
2018-08-30T11:55:10+09:00
2018-04-27T00:00:00+09:00
JVNDB-2018-000040
WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" vulnerable to cross-site scripting
The WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" provided by Webdados contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Webdados
Open Graph for Facebook, Google+ and Twitter Card Tags
cpe:/a:misc:webdados_Open_Graph_for_Facebook_Google_and_Twitter_Card_Tags
prior to version 2.2.4.1
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Webdados
Open Graph for Facebook, Google+ and Twitter Card Tags - WordPress Plugins - Changelog
https://wordpress.org/plugins/wonderm00ns-simple-facebook-open-graph-tags/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0579
JVN
JVN#08386386
https://jvn.jp/en/jp/JVN08386386/index.html
National Vulnerability Database (NVD)
CVE-2018-0579
https://nvd.nist.gov/vuln/detail/CVE-2018-0579
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-04-27T14:50:01+09:00
[2018/04/27]\n Web page was published
3
2018-08-30T13:54:32+09:00
[2018/08/30]\n References : Contents were added
2018-04-27T15:01:32+09:00
2018-08-30T13:54:47+09:00
2018-04-27T00:00:00+09:00
JVNDB-2018-000041
The installers of multiple CELSYS,Inc. software may insecurely load Dynamic Link Libraries
The installers of multiple software products provided by CELSYS,Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
CELSYS,Inc.
CLIP STUDIO ACTION (for Windows)
cpe:/a:misc:celsys_clip_studio_action
Ver.1.5.5 and earlier, with its timestamp prior to April 25, 2018, 12:11:31
CELSYS,Inc.
CLIP STUDIO MODELER (for Windows)
cpe:/a:misc:celsys_clip_studio_modeler
Ver.1.6.3 and earlier, with its timestamp prior to April 25, 2018, 17:02:49
CELSYS,Inc.
CLIP STUDIO PAINT (for Windows) EX/PRO/DEBUT
cpe:/a:misc:celsys_clip_studio_paint
Ver.1.7.3 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Also, when executing the installer, be sure to check that there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed the software do not need to re-install the software.
CELSYS,Inc.
CLIP STUDIO PAINT
http://www.clipstudio.net/en/dl
CELSYS,Inc.
CLIP STUDIO ACTION
https://www.clip-studio.com/clip_site/download/clipstudioaction/csaupdater/index_win
CELSYS,Inc.
CLIP STUDIO MODELER
https://www.clip-studio.com/clip_site/download/clipstudiomodeler/csmupdater/index_win
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0580
JVN
JVN#68345747
https://jvn.jp/en/jp/JVN68345747/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2018-0580
https://nvd.nist.gov/vuln/detail/CVE-2018-0580
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-04-27T14:51:59+09:00
[2018/04/27]\n Web page was published
3
2018-08-30T14:10:45+09:00
[2018/08/30]\n References : Contents were added
2018-04-27T15:19:33+09:00
2018-08-30T14:12:59+09:00
2018-04-27T00:00:00+09:00
JVNDB-2018-000042
RT-AC87U vulnerable to cross-site scripting
RT-AC87U provided by ASUS Japan Inc. is a wireless LAN router. RT-AC87U contains a cross-site scripting vulnerability (CWE-79). Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
RT-AC87U
cpe:/h:misc:asus_japan_rt-ac87u
Firmware version prior to 3.0.0.4.378.9383
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
ASUS JAPAN Inc.
RT-AC87U BIOS & FIRMWARE
https://www.asus.com/en/Networking/RTAC87U/HelpDesk_BIOS/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0581
JVN
JVN#33901663
https://jvn.jp/en/jp/JVN33901663/index.html
National Vulnerability Database (NVD)
CVE-2018-0581
https://nvd.nist.gov/vuln/detail/CVE-2018-0581
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-09T15:09:16+09:00
[2018/05/09]\n Web page was published
2
2018-08-30T12:31:50+09:00
[2018/08/30]\n References : Contents were added
2018-05-09T15:37:08+09:00
2018-08-30T12:32:09+09:00
2018-05-09T00:00:00+09:00
JVNDB-2018-000043
RT-AC1200HP vulnerable to cross-site scripting
RT-AC1200HP provided by ASUS Japan Inc. is a wireless LAN router. RT-AC1200HP contains a cross-site scripting vulnerability (CWE-79). Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
RT-AC1200HP
cpe:/h:misc:asus_japan_rt-ac1200hp
Firmware version prior to 3.0.0.4.380.4180
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged in user's web browser.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
ASUS JAPAN Inc.
RT-AC1200HP BIOS & FIRMWARE
https://www.asus.com/en/Networking/RTAC1200HP/HelpDesk_BIOS/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0583
JVN
JVN#34562916
https://jvn.jp/en/jp/JVN34562916/index.html
National Vulnerability Database (NVD)
CVE-2018-0583
https://nvd.nist.gov/vuln/detail/CVE-2018-0583
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-09T15:19:46+09:00
[2018/05/09]\n Web page was published\n
2
2018-08-30T12:15:18+09:00
[2018/08/30]\n References : Contents were added
2018-05-09T15:37:29+09:00
2018-08-30T12:15:47+09:00
2018-05-09T00:00:00+09:00
JVNDB-2018-000044
RT-AC68U vulnerable to cross-site scripting
RT-AC68U provided by ASUS Japan Inc. is a wireless LAN router. RT-AC68U contains a cross-site scripting vulnerability (CWE-79). Yuto MAEDA of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
RT-AC68U
Firmware version prior to 3.0.0.4.380.1031
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
ASUS JAPAN Inc.
RT-AC68U BIOS & FIRMWARE
https://www.asus.com/Networking/RTAC68U/HelpDesk_BIOS/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0582
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0582
JVN
JVN#73742314
http://jvn.jp/en/jp/JVN73742314/index.html
National Vulnerability Database (NVD)
CVE-2018-0582
https://nvd.nist.gov/vuln/detail/CVE-2018-0582
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-09T14:47:39+09:00
[2018/05/09]\n Web page was published
2
2018-08-30T12:19:48+09:00
[2018/08/30]\n References : Contents were added
2018-05-09T15:38:11+09:00
2018-08-30T12:20:01+09:00
2018-05-09T00:00:00+09:00
JVNDB-2018-000045
Multiple vulnerabilities in WordPress plugin "Ultimate Member"
The WordPress plugin "Ultimate Member" provided by Ultimate Member contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2018-0585
* Directory Traversal in the shortcodes function (CWE-22) - CVE-2018-0586
* Arbitrary File Upload (CWE-434) - CVE-2018-0587
* Directory Traversal in the AJAX function (CWE-22) - CVE-2018-0588
* Access Restriction Bypass in the "Forms" page (CWE-284) - CVE-2018-0589
* Access Restriction Bypass due to an issue in processing "Role" (CWE-284) - CVE-2018-0590
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ultimate Member Group Ltd
Ultimate Member
cpe:/a:ultimatemember:ultimate_member
prior to version 2.0.4
Medium
6.4
AV:N/AC:L/Au:N/C:N/I:P/A:P
High
7.2
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
* An arbitrary script may be executed on the user's web browser - CVE-2018-0585
* Arbitrary local files on the server may be accessed by a logged-in user - CVE-2018-0586
* An arbitrary image file can be uploaded by a remote attacker, which may be used for unauthorized file sharing - CVE-2018-0587
* A remote attacker may delete arbitrary files on the server - CVE-2018-0588
* A user with the Author role may add a new form - CVE-2018-0589
* Profiles for other users may be modified by a logged-in user - CVE-2018-0590
[Update the plugin] Update the plugin according to the information provided by the developer.
Ultimate Member
Ultimate Member - User Profile & Membership Plugin
https://wordpress.org/plugins/ultimate-member/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0587
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0588
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0589
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0590
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0585
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0586
JVN
JVN#28804532
https://jvn.jp/en/jp/JVN28804532/index.html
National Vulnerability Database (NVD)
CVE-2018-0588
https://nvd.nist.gov/vuln/detail/CVE-2018-0588
National Vulnerability Database (NVD)
CVE-2018-0589
https://nvd.nist.gov/vuln/detail/CVE-2018-0589
National Vulnerability Database (NVD)
CVE-2018-0590
https://nvd.nist.gov/vuln/detail/CVE-2018-0590
National Vulnerability Database (NVD)
CVE-2018-0585
https://nvd.nist.gov/vuln/detail/CVE-2018-0585
National Vulnerability Database (NVD)
CVE-2018-0586
https://nvd.nist.gov/vuln/detail/CVE-2018-0586
National Vulnerability Database (NVD)
CVE-2018-0587
https://nvd.nist.gov/vuln/detail/CVE-2018-0587
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-10T12:29:51+09:00
[2018/05/10]\n Web page was published
2
2018-08-30T18:10:56+09:00
[2018/08/30]\n References : Contents were added
2018-05-10T13:44:19+09:00
2018-08-30T18:11:09+09:00
2018-05-10T00:00:00+09:00
JVNDB-2018-000046
The installer of PlayMemories Home for Windows may insecurely load Dynamic Link Libraries
PlayMemories Home for Windows provided by Sony Corporation is Image Management Software. The installer of PlayMemories Home for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
PlayMemories Home
cpe:/a:sony:playmemories_home
for Windows ver.5.5.01 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Apply a Workaround] The following workaround may mitigate the impact of this vulnerability.
* Check that there are no suspicious files in the folder where the installer resides before executing the installer
Note that this vulnerability affects the installer only, thus users who have already installed the software do not need to re-install the software.
Sony
PlayMemories Home
http://www.sony.net/pm/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0600
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#13940333
http://jvn.jp/en/jp/JVN13940333/index.html
National Vulnerability Database (NVD)
CVE-2018-0600
https://nvd.nist.gov/vuln/detail/CVE-2018-0600
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-05-24T13:47:09+09:00
[2018/05/24]\n Web page was published
3
2019-07-02T14:30:21+09:00
[2019/07/02]\n References : Content was added
2018-05-24T15:25:30+09:00
2019-07-02T14:31:42+09:00
2018-05-24T00:00:00+09:00
JVNDB-2018-000047
IIJ SmartKey App for Android vulnerable to authentication bypass
IIJ SmartKey App for Android provided by Internet Initiative Japan Inc. is an application that enables two-step authentication (two-factor authentication) for a website from an Android device. IIJ SmartKey App for Android contains an authentication bypass vulnerability (CWE-287). Ryo Tateguchi of AndroPlus reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Internet Initiative Japan Inc.
IIJ SmartKey
cpe:/a:iij:iij_smartkey
App for Android version 2.1.0 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
An attacker may be able to obtain a one-time password.
[Update the Software] Update to the latest version according to the information provided by the developer. The developer recommends that users update the application to version 2.1.1 or later immediately.
[Apply a Workaround] The following workaround may mitigate the impact of this vulnerability.
* Use the screen lock provided as a standard function of Android OS
IIJ
Information from Internet Initiative Japan Inc.
http://jvn.jp/en/jp/JVN27137002/317632/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0584
JVN Status Tracking Notes
JVN#27137002
http://jvn.jp/en/jp/JVN27137002/index.html
National Vulnerability Database (NVD)
CVE-2018-0584
https://nvd.nist.gov/vuln/detail/CVE-2018-0584
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-11T14:34:21+09:00
[2018/05/11]\n Web page was published
2
2019-12-27T18:11:20+09:00
[2019/12/27]\n References : Contents were added
2018-05-11T14:34:21+09:00
2019-12-27T18:11:36+09:00
2018-05-11T00:00:00+09:00
JVNDB-2018-000048
KINEPASS App fails to verify SSL server certificates
KINEPASS App provided by T-JOY CO.,LTD fails to verify SSL server certificates. Seigo Yamamoto of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
T-JOY CO.,LTD
kinepass
cpe:/a:misc:t-joy_kinepass
App for Android Ver 3.1.1 and earlier
App for iOS Ver 3.1.2 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
T-JOY CO.,LTD
KINEPASS - Android Apps on Google Play
https://play.google.com/store/apps/details?id=jp.tjoy.kinepass&hl=ja
T-JOY CO.,LTD
KINEPASS on the App Store
https://itunes.apple.com/jp/app/kinepasu-apuridekantan-bian/id637453055?mt=8
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0591
JVN
JVN#83671755
https://jvn.jp/en/jp/JVN83671755/index.html
National Vulnerability Database (NVD)
CVE-2018-0591
https://nvd.nist.gov/vuln/detail/CVE-2018-0591
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-11T14:34:22+09:00
[2018/05/11]\n Web page was published
2
2018-08-30T15:01:40+09:00
[2018/08/30]\n References : Contents were added
2018-05-11T14:34:22+09:00
2018-08-30T15:01:59+09:00
2018-05-11T00:00:00+09:00
JVNDB-2018-000049
Multiple Microsoft Windows applications and installers may insecurely load Dynamic Link Libraries
Multiple Windows applications and installers provided by Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory where applications and/or installers reside (CWE-427). Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and that attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue. For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft. The following researchers reported the respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0592, CVE-2018-0593, CVE-2018-0596: Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. CVE-2018-0594: BlackWingCat of Pink Flying Whale. CVE-2018-0595, CVE-2018-0597: Eili Masami.
Microsoft Corporation
Microsoft OneDrive
cpe:/a:microsoft:onedrive
- CVE-2018-0592
(The installer) - CVE-2018-0593
Microsoft Corporation
Skype
cpe:/a:microsoft:skype
for Windows - CVE-2018-0594
for Windows (The installer) - CVE-2018-0595
Microsoft Corporation
Visual Studio Code
cpe:/a:microsoft:visual_studio_code
(The installer) - CVE-2018-0597
Microsoft Corporation
Visual Studio Community
cpe:/a:microsoft:visual_studio_community
(The installer) - CVE-2018-0596
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If a crafted DLL file is in the same directory where the vulnerable application and/or installer resides, arbitrary code may be executed with the privilege of the user invoking the application or installer.
[Apply Workaround] * Make sure that the system directories are writable only by administrators, which is the initial Windows configuration. * Operate Windows PCs with a standard user (non-administrator) account. Administrator accounts should be used only when necessary. * When invoking an installer, make sure there are no unrelated files in the same directory where the installer resides. It is strongly recommended to copy the installer into a newly created directory and invoke it from that directory. * Make sure there are no untrusted files in the directory where the application is installed. * If your organization uses shared directories to place installers for organizational operations, make sure that the shared directory is set read-only for non-administrative users. Note that some applications including Microsoft OneDrive may be installed in user directories, not in system directories. Apply the respective workarounds in accordance with how the respective applications are installed and used.
Microsoft TechNet
Triaging a DLL planting vulnerability
https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0594
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0594
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0595
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0596
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0597
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0592
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0593
JVN
JVN#91151862
http://jvn.jp/en/jp/JVN91151862/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2018-0594
https://nvd.nist.gov/vuln/detail/CVE-2018-0594
National Vulnerability Database (NVD)
CVE-2018-0595
https://nvd.nist.gov/vuln/detail/CVE-2018-0595
National Vulnerability Database (NVD)
CVE-2018-0596
https://nvd.nist.gov/vuln/detail/CVE-2018-0596
National Vulnerability Database (NVD)
CVE-2018-0597
https://nvd.nist.gov/vuln/detail/CVE-2018-0597
National Vulnerability Database (NVD)
CVE-2018-0592
https://nvd.nist.gov/vuln/detail/CVE-2018-0592
National Vulnerability Database (NVD)
CVE-2018-0593
https://nvd.nist.gov/vuln/detail/CVE-2018-0593
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-17T13:56:29+09:00
[2018/05/17]\n Web page was published
2
2019-07-01T16:00:12+09:00
[2018/08/21]\n References : Contents were added\n
3
2019-07-01T15:57:26+09:00
[2019/07/01]\n References : Contents were added
2018-05-17T15:18:42+09:00
2019-07-05T16:40:06+09:00
2018-05-17T00:00:00+09:00
JVNDB-2018-000050
Self-Extracting Archive files created by IExpress may insecurely load Dynamic Link Libraries
Self-extracting archive files created by IExpress provided by Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and that attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue. For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft. Eili Masami reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Microsoft Corporation
IExpress
cpe:/a:microsoft:iexpress
(Self-extracting archive files created by IExpress bundled with Microsoft Windows)
Microsoft Corporation
Microsoft Windows
cpe:/o:microsoft:windows
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking a vulnerable self-extracting archive file.
[Apply Workaround] Applying the following workarounds may mitigate the impacts of this vulnerability. * Save self-extracting archive files into a newly created directory, confirm there are no unrelated files in the directory, and then invoke the files. * Make sure there are no suspicious files in the directory where self-extracting archive files are saved.
Microsoft TechNet
Triaging a DLL planting vulnerability
https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0598
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#72748502
https://jvn.jp/en/jp/JVN72748502/index.html
National Vulnerability Database (NVD)
CVE-2018-0598
https://nvd.nist.gov/vuln/detail/CVE-2018-0598
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-17T14:57:41+09:00
[2018/05/17]\n Web page was published
2
2018-08-21T16:37:44+09:00
[2018/08/21]\n References : Content was added
2018-05-17T14:57:41+09:00
2018-08-21T16:40:56+09:00
2018-05-17T00:00:00+09:00
JVNDB-2018-000051
The installer of Visual C++ Redistributable may insecurely load Dynamic Link Libraries
The installer of Visual C++ Redistributable provided by Microsoft contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory as the installer (CWE-427). Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and that attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue. For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.
Microsoft Corporation
Visual C++ Redistributable Package
cpe:/a:microsoft:visual_c%2B%2B_redistributable_package
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Apply Workaround] Applying the following workarounds may mitigate the impacts of this vulnerability. * Save the installer into a newly created directory, confirm there are no unrelated files in the directory, and then invoke the installer. * Make sure there are no suspicious files in the directory where the installer is saved.
Microsoft TechNet
Triaging a DLL planting vulnerability
https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0599
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#81196185
https://jvn.jp/en/jp/JVN81196185/index.html
National Vulnerability Database (NVD)
CVE-2018-0599
https://nvd.nist.gov/vuln/detail/CVE-2018-0599
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-17T14:57:43+09:00
[2018/05/17]\n Web page was published
2
2019-07-05T16:40:57+09:00
[2019/07/05]\n References : Content was added
2018-05-17T14:57:43+09:00
2019-07-05T16:41:19+09:00
2018-05-17T00:00:00+09:00
JVNDB-2018-000052
Nessus vulnerable to cross-site scripting
Nessus provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Tenable, Inc.
Nessus
cpe:/a:tenable:nessus
7.0.3 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Arbitrary JavaScript may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Tenable Network Security
[R1] Nessus 7.1.0 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2018-05
Common Vulnerabilities and Exposures (CVE)
CVE-2018-1147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1147
JVN
JVN#96954395
https://jvn.jp/en/jp/JVN96954395/index.html
National Vulnerability Database (NVD)
CVE-2018-1147
https://nvd.nist.gov/vuln/detail/CVE-2018-1147
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-21T13:39:47+09:00
[2018/05/21]\n Web page was published
2
2018-08-30T13:47:05+09:00
[2018/08/30]\n References : Contents were added
2018-05-21T13:39:47+09:00
2018-08-30T13:47:23+09:00
2018-05-21T00:00:00+09:00
JVNDB-2018-000053
Multiple vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. *Information disclosure in the application "Message" when viewing an external image (CWE-200) - CVE-2018-0526 *Stored cross-site scripting in "E-mail Details Screen" of the application "E-mail" (CWE-79) - CVE-2018-0527 *Browse restriction bypass in the application "Scheduler" (CWE-264) - CVE-2018-0528 *Denial-of-service (DoS) in the application "Message" due to a flaw in processing of an attached file (CWE-20) - CVE-2018-0529 *Reflected cross-site scripting in the application "MultiReport" (CWE-79) - CVE-2018-0565 *Browse restriction bypass in the application "Scheduler" (CWE-264) - CVE-2018-0566 *Operation restriction bypass in the application "Bulletin" (CWE-264) - CVE-2018-0567 Jun Kokatsu reported CVE-2018-0526 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. Masato Kinugawa reported CVE-2018-0527 and CVE-2018-0565 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. Cybozu, Inc. reported CVE-2018-0528, CVE-2018-0529 and CVE-2018-0566 vulnerabilities to JPCERT/CC to notify users of respective solutions through JVN. Yuji Tounai reported CVE-2018-0567 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.7.0 (CVE-2018-0526, CVE-2018-0527, CVE-2018-0528, CVE-2018-0529)
10.0.0 to 10.8.0 (CVE-2018-0565, CVE-2018-0566, CVE-2018-0567)
Medium
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* If a user browses a message, an attached image located in an external server may be displayed without the user's permission - CVE-2018-0526 * An arbitrary script may be executed on the logged-in user's web browser - CVE-2018-0527, CVE-2018-0565 * A user who can log in to the product may view schedules that the user is not permitted to access - CVE-2018-0528 * Attaching a specially crafted image file in "Compose E-mail screen" by a user may result in a denial-of-service (DoS) condition - CVE-2018-0529 * The schedule may be obtained by a user who does not have privileges to access it - CVE-2018-0566 * A user without privileges may access and write data prior to it being public - CVE-2018-0567
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1513]
https://support.cybozu.com/ja-jp/article/10052
Cybozu
[CyVDB-1523]
https://support.cybozu.com/ja-jp/article/10200
Cybozu
[CyVDB-1589]
https://support.cybozu.com/ja-jp/article/10195
Cybozu
[CyVDB-1660]
https://support.cybozu.com/ja-jp/article/10198
Cybozu
[CyVDB-1296]
https://support.cybozu.com/ja-jp/article/10030
Cybozu
[CyVDB-1309]
https://support.cybozu.com/ja-jp/article/10029
Cybozu
[CyVDB-1360]
https://support.cybozu.com/ja-jp/article/9812
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0529
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0565
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0566
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0567
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0526
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0527
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0528
JVN
JVN#51737843
https://jvn.jp/jp/JVN51737843/index.html
National Vulnerability Database (NVD)
CVE-2018-0527
https://nvd.nist.gov/vuln/detail/CVE-2018-0527
National Vulnerability Database (NVD)
CVE-2018-0528
https://nvd.nist.gov/vuln/detail/CVE-2018-0528
National Vulnerability Database (NVD)
CVE-2018-0529
https://nvd.nist.gov/vuln/detail/CVE-2018-0529
National Vulnerability Database (NVD)
CVE-2018-0565
https://nvd.nist.gov/vuln/detail/CVE-2018-0565
National Vulnerability Database (NVD)
CVE-2018-0566
https://nvd.nist.gov/vuln/detail/CVE-2018-0566
National Vulnerability Database (NVD)
CVE-2018-0567
https://nvd.nist.gov/vuln/detail/CVE-2018-0567
National Vulnerability Database (NVD)
CVE-2018-0526
https://nvd.nist.gov/vuln/detail/CVE-2018-0526
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-22T14:30:49+09:00
[2018/05/22]\n Web page was published
2
2018-08-30T16:02:59+09:00
[2018/08/30]\n References : Contents were added
2018-05-22T14:30:49+09:00
2018-08-30T16:03:22+09:00
2018-05-22T00:00:00+09:00
JVNDB-2018-000054
Multiple cross-site scripting vulnerabilities in Cybozu Mailwise
Cybozu Mailwise contains multiple cross-site scripting vulnerabilities below. * Stored cross-site scripting vulnerability in "E-mail Details Screen" (CWE-79) - CVE-2018-0557 * Reflected cross-site scripting vulnerability in "System settings" (CWE-79) - CVE-2018-0558 * Reflected cross-site scripting vulnerability in "Address" (CWE-79) - CVE-2018-0559 Masato Kinugawa reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Mailwise
cpe:/a:cybozu:mailwise
5.0.0 to 5.4.1
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
[CyVDB-1308]
https://support.cybozu.com/ja-jp/article/10194
Cybozu
[CyVDB-1525]
https://support.cybozu.com/ja-jp/article/10193
Cybozu
[CyVDB-1527][CyVDB-1533]
https://support.cybozu.com/ja-jp/article/10196
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0557
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0558
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0559
JVN
JVN#52319657
https://jvn.jp/en/jp/JVN52319657/index.html
National Vulnerability Database (NVD)
CVE-2018-0557
https://nvd.nist.gov/vuln/detail/CVE-2018-0557
National Vulnerability Database (NVD)
CVE-2018-0558
https://nvd.nist.gov/vuln/detail/CVE-2018-0558
National Vulnerability Database (NVD)
CVE-2018-0559
https://nvd.nist.gov/vuln/detail/CVE-2018-0559
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-22T15:26:22+09:00
[2018/05/22]\n Web page was published
2
2018-08-30T17:47:21+09:00
[2018/08/30]\n References : Contents were added
2018-05-22T15:26:22+09:00
2018-08-30T17:47:36+09:00
2018-05-22T00:00:00+09:00
JVNDB-2018-000055
Multiple vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community is an open source content management system. baserCMS contains multiple vulnerabilities listed below. * Command injection (CWE-94) - CVE-2018-0569 * Cross-site scripting (CWE-79) - CVE-2018-0570 * Unrestricted Upload of File with Dangerous Type in upload file management function (CWE-434) - CVE-2018-0571 * Restrict access permissions failure in contents management function (CWE-264) - CVE-2018-0572 * Restrict access permissions failure for content whose public period has expired (CWE-264) - CVE-2018-0573 * Cross-site scripting in theme management function (CWE-79) - CVE-2018-0574 * Restrict access permissions failure in the function to attach files in mail form (CWE-264) - CVE-2018-0575 The following researchers reported the respective vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0569, CVE-2018-0570, CVE-2018-0571, CVE-2018-0572, and CVE-2018-0573: Toshitsugu Yoneyama and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. CVE-2018-0574 and CVE-2018-0575: Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
baserCMS Users Community
baserCMS
cpe:/a:basercms:basercms
3.0.15 and earlier versions
4.1.0.1 and earlier versions
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
* A remote attacker may execute arbitrary code with the operation manager privilege - CVE-2018-0569 * An attacker who can log in to the product with site operator privilege may execute arbitrary OS commands - CVE-2018-0570 * An attacker who can log in to the product with site operator privilege may upload arbitrary files - CVE-2018-0571 * An attacker who can log in to the product with site operator privilege may view or alter restricted content - CVE-2018-0572 * A remote attacker may view a file which is uploaded by a site user - CVE-2018-0573 * An arbitrary script may be executed on the user's web browser where the user accesses the theme management function - CVE-2018-0574 * A remote attacker may view a file which is uploaded by a site user - CVE-2018-0575
Solution for CVE-2018-0570, CVE-2018-0571, CVE-2018-0573, CVE-2018-0574, and CVE-2018-0575: [Update the software] Update to the latest version according to the information provided by the developer. According to the developer, the CVE-2018-0573 and CVE-2018-0575 vulnerabilities do not exist if the product has been successfully installed. Those 2 vulnerabilities exist only in the situation where the installation of the product failed with issues such as access restrictions, etc. Solution for CVE-2018-0569: [Update the software and then configure user authentication properly] Update the software first, and then set user authentication to enabled/disabled. If user authentication is enabled, a system administrator's privilege is required to save a script in an article. The developer states that after updating the software to the latest version, all authentications besides a system administrator's authentication become disabled, and it then becomes possible to set the respective authentications to enabled/disabled appropriately. All user authentications are enabled if installing the software for the first time using the latest installer. Solution for CVE-2018-0572: [Apply a Workaround] When restricting access control using the contents management function, be sure to register all URLs of the pages that need to be accessed. For more information, refer to the developer's website.
baserCMS Users Community
baserCMS Users Community website
https://basercms.net/security/JVN67881316
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0571
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0572
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0573
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0573
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0574
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0574
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0575
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0569
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0570
JVN
JVN#67881316
http://jvn.jp/en/jp/JVN67881316/index.html
National Vulnerability Database (NVD)
CVE-2018-0571
https://nvd.nist.gov/vuln/detail/CVE-2018-0571
National Vulnerability Database (NVD)
CVE-2018-0572
https://nvd.nist.gov/vuln/detail/CVE-2018-0572
National Vulnerability Database (NVD)
CVE-2018-0573
https://nvd.nist.gov/vuln/detail/CVE-2018-0573
National Vulnerability Database (NVD)
CVE-2018-0574
https://nvd.nist.gov/vuln/detail/CVE-2018-0574
National Vulnerability Database (NVD)
CVE-2018-0575
https://nvd.nist.gov/vuln/detail/CVE-2018-0575
National Vulnerability Database (NVD)
CVE-2018-0569
https://nvd.nist.gov/vuln/detail/CVE-2018-0569
National Vulnerability Database (NVD)
CVE-2018-0570
https://nvd.nist.gov/vuln/detail/CVE-2018-0570
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-22T14:53:01+09:00
[2018/05/22]\n Web page was published
2
2019-12-27T18:10:11+09:00
[2019/12/27]\n References : Contents were added\n
2018-05-22T14:53:01+09:00
2019-12-27T18:10:29+09:00
2018-05-22T00:00:00+09:00
JVNDB-2018-000056
Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries
Susie plug-in "axpdfium" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yasutaka ATARASHI
axpdfium
cpe:/a:axpdfium_project:axpdfium
v0.01
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
High
7
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user running the program where "axpdfium" is used.
[Update the plug-in] Update the plug-in according to the information provided by the developer.
yak1ex
A vulnerability to load unintended DLLs by Susie plugin "axpdfium.spi"
https://github.com/yak1ex/axpdfium/wiki/JVN%2379301396(en)
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0601
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#79301396
http://jvn.jp/en/jp/JVN79301396/index.html
National Vulnerability Database (NVD)
CVE-2018-0601
https://nvd.nist.gov/vuln/detail/CVE-2018-0601
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-05-24T13:38:09+09:00
[2018/05/24]\n Web page was published
3
2019-07-02T14:53:32+09:00
[2019/07/02]\n References : Content was added
2018-05-24T15:15:55+09:00
2019-07-02T14:53:54+09:00
2018-05-24T00:00:00+09:00
JVNDB-2018-000057
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely invoke an executable file
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely invoking an executable file (CWE-427). DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
FLET'S VIRUS CLEAR Easy Setup & Application Tool
cpe:/a:ntt_east:flet%27s_virus_clear_easy_setup_%26_application_tool
ver.13.0 and earlier versions
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool
cpe:/a:ntt_east:flet%27s_virus_clear_v6_easy_setup_%26_application_tool
ver.13.0 and earlier versions
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] This vulnerability has already been addressed in the latest version (ver.13.1), released on May 29, 2018. When installing "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and/or "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool", use the latest installer according to the information provided by the developer. Note that this vulnerability affects the installer only, thus users who have already installed "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and/or "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" do not need to re-install the software using the latest installer. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone East Corporation
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION website
https://flets.com/customer/tec/fvc/setup/esat_install.html
Nippon Telegraph and Telephone East Corporation
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION website
https://flets.com/customer/next/sec/setup/esat_install.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0563
JVN
JVN#20040004
http://jvn.jp/en/jp/JVN20040004/index.html
JVN
JVNTA#91240916
http://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2018-0563
https://nvd.nist.gov/vuln/detail/CVE-2018-0563
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-29T13:47:32+09:00
[2018/05/29]\n Web page was published
2
2019-12-27T18:09:10+09:00
[2019/12/27]\n References : Contents were added\n
2018-05-29T13:47:32+09:00
2019-12-27T18:09:33+09:00
2018-05-29T00:00:00+09:00
JVNDB-2018-000058
WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting
The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Icegram
Email Subscribers & Newsletters
cpe:/a:icegram:email_subscribers_%26_newsletters
prior to version 3.5.0
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Icegram
Email Subscribers & Newsletters - WordPress Plugins - Changelog
https://wordpress.org/plugins/email-subscribers/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0602
JVN
JVN#16471686
http://jvn.jp/en/jp/JVN16471686/index.html
National Vulnerability Database (NVD)
CVE-2018-0602
https://nvd.nist.gov/vuln/detail/CVE-2018-0602
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-28T14:11:31+09:00
[2018/05/28]\n Web page was published
2
2019-07-02T14:50:27+09:00
[2019/07/02]\n References : Content was added
2018-05-28T14:11:31+09:00
2019-07-02T14:50:47+09:00
2018-05-28T00:00:00+09:00
JVNDB-2018-000059
WordPress plugin "Site Reviews" vulnerable to cross-site scripting
The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability (CWE-79). Keita Uchida of TDU Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Gemini Labs
Site Reviews
cpe:/a:gemini_labs:site_reviews
prior to version 2.15.3
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Gemini Labs
Site Reviews - WordPress Plugins - Changelog
https://wordpress.org/plugins/site-reviews/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0603
JVN
JVN#60978548
http://jvn.jp/en/jp/JVN60978548/index.html
National Vulnerability Database (NVD)
CVE-2018-0603
https://nvd.nist.gov/vuln/detail/CVE-2018-0603
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-28T14:11:32+09:00
[2018/05/28]\n Web page was published
2
2019-07-02T14:24:43+09:00
[2019/07/02]\n References : Content was added
2018-05-28T14:11:32+09:00
2019-07-02T14:25:02+09:00
2018-05-28T00:00:00+09:00
JVNDB-2018-000060
Multiple vulnerabilities in Pixelpost
Pixelpost provided by Pixelpost.org contains multiple vulnerabilities listed below. * Arbitrary code execution - CVE-2018-0604 * Cross-site scripting (CWE-79) - CVE-2018-0605 * SQL injection (CWE-89) - CVE-2018-0606 ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Pixelpost.org
Pixelpost
cpe:/a:pixelpost:pixelpost
v1.7.3 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
The possible impact of each vulnerability is as follows:
* A user with administrative privilege may execute arbitrary code - CVE-2018-0604
* An unauthenticated remote attacker may execute arbitrary scripts on the logged-in user's web browser - CVE-2018-0605
* A user with administrative privilege may execute arbitrary SQL commands - CVE-2018-0606
[Do not use Pixelpost] Pixelpost is no longer being developed or maintained. It is recommended to stop using Pixelpost.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0604
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0605
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0605
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0606
JVN
JVN#27978559
http://jvn.jp/en/jp/JVN27978559/index.html
National Vulnerability Database (NVD)
CVE-2018-0604
https://nvd.nist.gov/vuln/detail/CVE-2018-0604
National Vulnerability Database (NVD)
CVE-2018-0605
https://nvd.nist.gov/vuln/detail/CVE-2018-0605
National Vulnerability Database (NVD)
CVE-2018-0606
https://nvd.nist.gov/vuln/detail/CVE-2018-0606
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-31T14:07:20+09:00
[2018/05/31] Web page was published
2
2019-07-01T14:23:43+09:00
[2019/07/01] References : Contents were added
2018-05-31T14:07:20+09:00
2018-05-31T14:07:20+09:00
2018-05-31T00:00:00+09:00
JVNDB-2018-000061
H2O vulnerable to buffer overflow
H2O is open source web server software. H2O contains a buffer overflow vulnerability (CWE-119) due to a processing flaw in the output of Access Log. Marlies Ruck of ForAllSecure reported this vulnerability to Kazuho Oku, and Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated under the Information Security Early Warning Partnership.
Kazuho Oku
H2O
cpe:/a:h2o_project:h2o
version 2.2.4 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A remote attacker may be able to cause a denial-of-service (DoS) condition or may execute arbitrary code.
[Update the Software] Update to the latest version according to the information provided by the developer.
Kazuho Oku
heap buffer overflow while trying to emit access log (CVE-2018-0608) #1775
https://github.com/h2o/h2o/issues/1775
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0608
JVN
JVN#93226941
https://jvn.jp/en/jp/JVN93226941/index.html
National Vulnerability Database (NVD)
CVE-2018-0608
https://nvd.nist.gov/vuln/detail/CVE-2018-0608
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-04T14:10:31+09:00
[2018/06/04] Web page was published
2
2019-07-01T14:21:16+09:00
[2019/07/01] References : Content was added
2018-06-04T14:10:31+09:00
2018-06-04T14:10:31+09:00
2018-06-04T00:00:00+09:00
JVNDB-2018-000062
Local File Inclusion vulnerability in Zenphoto
Zenphoto is a content management system (CMS). Zenphoto contains a Local File Inclusion vulnerability. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zenphoto
Zenphoto
cpe:/a:zenphoto:zenphoto
1.4.14 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.6
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Sensitive information may be obtained or arbitrary code may be executed by a remote administrative user.
[Update the Software] Update to the latest version according to the information provided by the developer.
Zenphoto
Zenphoto 1.5
https://www.zenphoto.org/news/zenphoto-1.5
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0610
JVN
JVN#33124193
http://jvn.jp/en/jp/JVN33124193/index.html
National Vulnerability Database (NVD)
CVE-2018-0610
https://nvd.nist.gov/vuln/detail/CVE-2018-0610
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-13T15:11:59+09:00
[2018/06/13] Web page was published
2
2019-07-01T10:09:00+09:00
[2019/07/01] References : Content was added
2018-06-13T15:11:59+09:00
2018-06-13T15:11:59+09:00
2018-06-13T00:00:00+09:00
JVNDB-2018-000063
LINE for Windows may insecurely load Dynamic Link Libraries
LINE for Windows provided by LINE Corporation specifies the path from which to read DLLs when launching the software. If a user launches LINE for Windows by clicking a specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries (CWE-427). LINE Corporation reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.
LINE Corporation
LINE
cpe:/a:linecorp:line
for Windows versions before 5.8.0
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the software.
[Update the Software] Update the software to the latest version according to the information provided by the developer. According to the developer, version 5.8.0, which contains a fix for this vulnerability, was released on 2018 May 31, and the update is applied automatically when the software is launched.
LINE Corporation
[Vulnerabilities] Vulnerability in the LINE Application for Windows PC Has Been Fixed
https://linecorp.com/en/security/article/172
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0609
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0609
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#92265618
http://jvn.jp/en/jp/JVN92265618/index.html
National Vulnerability Database (NVD)
CVE-2018-0609
https://nvd.nist.gov/vuln/detail/CVE-2018-0609
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-12T14:44:55+09:00
[2018/06/12] Web page was published
2
2019-07-01T10:08:11+09:00
[2019/07/01] References : Content was added
2018-06-12T14:44:55+09:00
2018-06-12T14:44:55+09:00
2018-06-12T00:00:00+09:00
JVNDB-2018-000064
Chrome Extension "5000 trillion yen converter" vulnerable to cross-site scripting
Chrome Extension "5000 trillion yen converter" provided by Owen contains a cross-site scripting vulnerability (CWE-79).
Owen
5000 trillion yen converter
cpe:/a:Owen:5000_trillion_yen_converter
v1.0.6
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the extension] Update the extension according to the information provided by the developer.
Owen
5000 trillion yen converter
https://chrome.google.com/webstore/detail/5000%E5%85%86%E5%86%86%E3%82%B3%E3%83%B3%E3%83%90%E3%83%BC%E3%82%BF%E3%83%BC/mgaphgebhfgmkahikdhdomnnpelbijmo
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0612
JVN
JVN#98975951
http://jvn.jp/en/jp/JVN98975951/index.html
National Vulnerability Database (NVD)
CVE-2018-0612
https://nvd.nist.gov/vuln/detail/CVE-2018-0612
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-15T14:36:09+09:00
[2018/06/15] Web page was published
2
2019-07-01T10:06:16+09:00
[2019/07/01] References : Content was added
2018-06-15T14:36:09+09:00
2018-06-15T14:36:09+09:00
2018-06-15T00:00:00+09:00
JVNDB-2018-000065
ANA App for iOS fails to verify SSL server certificates
ANA App for iOS provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates (CWE-295). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ALL NIPPON AIRWAYS CO., LTD
ANA
cpe:/a:ana:all_nippon_airways
App for iOS version 4.0.22 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to obtain and/or alter the content of communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
ALL NIPPON AIRWAYS CO., LTD
ALL NIPPON AIRWAYS CO., LTD website
https://www.ana.co.jp/share/mobile/smartphone/app_ana/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0611
JVN
JVN#71535108
http://jvn.jp/en/jp/JVN71535108/index.html
National Vulnerability Database (NVD)
CVE-2018-0611
https://nvd.nist.gov/vuln/detail/CVE-2018-0611
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-15T14:40:32+09:00
[2018/06/15] Web page was published
2
2019-12-27T18:08:09+09:00
[2019/12/27] References : Contents were added
2018-06-15T14:40:32+09:00
2019-12-27T18:08:32+09:00
2018-06-15T00:00:00+09:00
JVNDB-2018-000066
MemoCGI vulnerable to directory traversal
MemoCGI provided by ChamaNet contains a directory traversal vulnerability (CWE-22). Ikuo Shoji reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Chama-Net
MemoCGI
cpe:/a:chama:memocgi
v2.1800 to v2.2200
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
A remote attacker may view files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Chama-Net
MemoCGI
http://www.chama.ne.jp/download/etc/memo/index.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0617
https://nvd.nist.gov/vuln/detail/CVE-2018-0617
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0617
JVN
JVN#58362455
http://jvn.jp/en/jp/JVN58362455/index.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-27T14:34:23+09:00
[2018/06/27] Web page was published
2
2019-07-05T11:23:47+09:00
[2019/07/05] References : Content was added
2018-06-27T14:44:49+09:00
2019-07-05T17:58:01+09:00
2018-06-27T00:00:00+09:00
JVNDB-2018-000067
Mailman vulnerable to cross-site scripting
Mailman provided by GNU Mailman contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
GNU Project
GNU Mailman
cpe:/a:gnu:mailman
2.1.26 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
GNU Mailman
[Mailman-Announce] Mailman 2.1.27 released
https://mail.python.org/pipermail/mailman-announce/2018-June/000236.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0618
JVN
JVN#00846677
http://jvn.jp/en/jp/JVN00846677/index.html
National Vulnerability Database (NVD)
CVE-2018-0618
https://nvd.nist.gov/vuln/detail/CVE-2018-0618
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-06-28T12:29:44+09:00
[2018/06/28] Web page was published
2
2019-07-24T15:21:13+09:00
[2019/07/24] References : Content was added
2018-06-28T12:30:30+09:00
2019-07-24T15:21:51+09:00
2018-06-28T00:00:00+09:00
JVNDB-2018-000068
Multiple vulnerabilities in Calsos CSDX and CSDJ series products
Calsos CSDX and CSDJ series products provided by NEC Platforms, Ltd. contain multiple vulnerabilities listed below.
* Access Restriction Bypass (CWE-284) - CVE-2018-0613
* Cross-site scripting (CWE-79) - CVE-2018-0614
NEC Platforms, Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.
NEC Platforms, Ltd.
CSDJ
cpe:/a:necplatforms:nec_platforms_csdj
-A 03.00.00
-B 01.03.00 and earlier
-D 01.03.00 and earlier
-H 01.03.00 and earlier
NEC Platforms, Ltd.
CSDX
cpe:/o:necplatforms:calsos_csdx_firmware
(D) 3.37210411 and earlier
(P) 4.37210411 and earlier
(S) 2.37210411 and earlier
1.37210411 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* An arbitrary operation with administrative privilege may be performed by an attacker who is logged in with user privilege - CVE-2018-0613
* An arbitrary script may be executed on a logged-in user's web browser - CVE-2018-0614
[Update the Software] Update to the latest version according to the information provided by the developer.
NEC Platforms, Ltd.
NEC Platforms, Ltd. website
https://www.necplatforms.co.jp/product/enkaku/info180702.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0613
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0614
JVN
JVN#63895206
http://jvn.jp/en/jp/JVN63895206/index.html
National Vulnerability Database (NVD)
CVE-2018-0613
https://nvd.nist.gov/vuln/detail/CVE-2018-0613
National Vulnerability Database (NVD)
CVE-2018-0614
https://nvd.nist.gov/vuln/detail/CVE-2018-0614
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-02T15:22:38+09:00
[2018/07/02] Web page was published
2
2019-07-24T14:29:59+09:00
[2019/07/24] References : Contents were added
2018-07-02T15:22:38+09:00
2019-07-24T14:31:08+09:00
2018-07-02T00:00:00+09:00
JVNDB-2018-000069
Cybozu Garoon vulnerable to SQL injection
Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability (CWE-89) in application "Notifications". Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.5.0 to 4.6.2
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
A remote authenticated attacker may execute an arbitrary SQL command.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006604.html
Cybozu support
[CyVDB-1678]
https://kb.cybozu.support/article/33120/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0607
JVN
JVN#13415512
http://jvn.jp/en/jp/JVN13415512/index.html
National Vulnerability Database (NVD)
CVE-2018-0607
https://nvd.nist.gov/vuln/detail/CVE-2018-0607
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-02T15:22:40+09:00
[2018/07/02] Web page was published
2
2019-07-05T11:41:35+09:00
[2019/07/05] References : Content was added
2018-07-02T15:22:40+09:00
2019-07-05T17:55:04+09:00
2018-07-02T00:00:00+09:00
JVNDB-2018-000070
Installer of Glary Utilities may insecurely load Dynamic Link Libraries
Installer of Glary Utilities provided by Glarysoft Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Glarysoft Ltd.
Glary Utilities
cpe:/a:glarysoft:glary_utilities
5.99 and earlier
Pro 5.99 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Note that this vulnerability affects the installer only, thus users who have already installed Glary Utilities do not need to re-install the software.
Glarysoft Ltd.
Glary Utilities
https://www.glarysoft.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0619
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
JVN
JVN#84967039
http://jvn.jp/en/jp/JVN84967039/index.html
National Vulnerability Database (NVD)
CVE-2018-0619
https://nvd.nist.gov/vuln/detail/CVE-2018-0619
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-03T12:13:47+09:00
[2018/07/03] Web page was published
2
2019-07-05T11:16:25+09:00
[2019/07/05] References : Content was added
2018-07-03T13:42:00+09:00
2019-07-05T17:52:02+09:00
2018-07-03T00:00:00+09:00
JVNDB-2018-000071
DHC Online Shop App for Android fails to verify SSL server certificates
DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates. Sho Ueshima and Tsuyoshi Ogawa of SIE Co.,Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
DHC Corporation
DHC online shop
cpe:/a:dhc:dhc_online_shop
App for Android version 3.2.0 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
DHC Corporation
DHC online shop app
https://top.dhc.co.jp/contents/all/sph/app/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0622
JVN
JVN#77409513
http://jvn.jp/en/jp/JVN77409513/index.html
National Vulnerability Database (NVD)
CVE-2018-0622
https://nvd.nist.gov/vuln/detail/CVE-2018-0622
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-06T14:36:12+09:00
[2018/07/06] Web page was published
2
2019-07-05T10:51:10+09:00
[2019/07/05] References : Content was added
2018-07-06T14:36:12+09:00
2019-07-05T17:35:25+09:00
2018-07-06T00:00:00+09:00
JVNDB-2018-000072
The installers of multiple Logicool software programs may insecurely load Dynamic Link Libraries
The installers of multiple software programs provided by Logicool Co. Ltd contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Logitech
LOGICOOL CONNECTION UTILITY SOFTWARE
cpe:/a:logitech:connection_utility_software
versions before 2.30.9
Logitech
LOGICOOL Game Software
cpe:/a:logitech:game_software
versions before 8.87.116
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installers provided by the developer. According to the developer, the vulnerability in LOGICOOL Game Software has already been addressed in version 8.87.116 released on August 31, 2016. Note that this vulnerability affects the installers only. Users who have already installed the program(s) are not affected. If older versions of the installers are saved on your computer, delete them immediately.
JVN
Information from Logicool Co Ltd.
http://jvn.jp/en/jp/JVN52574492/996192/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0620
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0621
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0621
JVN
JVN#52574492
http://jvn.jp/en/jp/JVN52574492/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2018-0620
https://nvd.nist.gov/vuln/detail/CVE-2018-0620
National Vulnerability Database (NVD)
CVE-2018-0621
https://nvd.nist.gov/vuln/detail/CVE-2018-0621
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-06T14:36:11+09:00
[2018/07/06] Web page was published
2
2019-07-05T11:11:03+09:00
[2019/07/05] References : Contents were added
2018-07-06T14:36:11+09:00
2019-07-05T17:38:37+09:00
2018-07-06T00:00:00+09:00
JVNDB-2018-000073
Installer of ChatWork Desktop App for Windows may insecurely load Dynamic Link Libraries
Installer of ChatWork Desktop App for Windows provided by ChatWork Co,. LTD. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Hamasaki Hiroki of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ChatWork Co,. LTD.
Chatwork
cpe:/a:chatwork:chatwork
Desktop APP for Windows 2.3.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer according to the information provided by the developer. Also, when executing the installer, be sure to check that there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed ChatWork Desktop App for Windows do not need to re-install the software.
ChatWork Co,. LTD.
ChatWork Co,. LTD. website
https://go.chatwork.com/download/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0648
JVN
JVN#39171169
https://jvn.jp/en/jp/JVN39171169/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/index.html
National Vulnerability Database (NVD)
CVE-2018-0648
https://nvd.nist.gov/vuln/detail/CVE-2018-0648
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-23T12:45:39+09:00
[2018/07/23] Web page was published
2
2019-07-25T16:48:49+09:00
[2019/07/25] References : Content was added
2018-07-23T14:28:26+09:00
2019-07-25T16:50:22+09:00
2018-07-23T00:00:00+09:00
JVNDB-2018-000074
DLL planting vulnerability in multiple Yayoi 17 Series products
Multiple Yayoi 17 Series products provided by Yayoi Co., Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Yayoi Co., Ltd
Yayoi Aoiro Shinkoku
cpe:/a:misc:yayoi_no_aoiroshinkoku
17 Ver.23.1.1 and earlier
Yayoi Co., Ltd
Yayoi Hanbai
cpe:/a:misc:yayoi-hanbai
17 Series Ver.20.0.2 and earlier
Yayoi Co., Ltd
Yayoi Kaikei
cpe:/a:misc:yayoi-kaikei
17 Series Ver.23.1.1 and earlier
Yayoi Co., Ltd
Yayoi Kokyaku Kanri
cpe:/a:misc:yayoi_no_kokyakukanri
17 Ver.11.0.2 and earlier
Yayoi Co., Ltd
Yayoi Kyuuyo
cpe:/a:misc:yayoi_kyuyo
17 Ver.20.1.4 and earlier
Yayoi Co., Ltd
Yayoi Kyuuyo Keisan
cpe:/a:misc:yayoi_no_kyuyokeisan
17 Ver.20.1.4 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the running application.
[Update the Software] Apply the appropriate update according to the information provided by the developer.
yayoi-kk.co.jp
Yayoi 17 Series
https://www.yayoi-kk.co.jp/yss/download/17.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0623
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0624
JVN
JVN#06813756
https://jvn.jp/en/jp/JVN06813756/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2018-0623
https://nvd.nist.gov/vuln/detail/CVE-2018-0623
National Vulnerability Database (NVD)
CVE-2018-0624
https://nvd.nist.gov/vuln/detail/CVE-2018-0624
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-20T15:41:37+09:00
[2018/07/20] Web page was published
2
2019-07-25T15:05:07+09:00
[2019/07/25] References : Contents were added
2018-07-20T15:41:37+09:00
2019-07-25T15:04:17+09:00
2018-07-20T00:00:00+09:00
JVNDB-2018-000075
Multiple OS command injection vulnerabilities in Aterm WG1200HP
Aterm WG1200HP provided by NEC Corporation contains multiple OS command injection vulnerabilities (CWE-78). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NEC Corporation
Aterm WG1200HP firmware
cpe:/o:nec:aterm_wg1200hp_firmware
firmware Ver1.0.31 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
A user who can access the product with administrative privileges may execute an arbitrary OS command.
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
NEC Security Information
NV16-005
https://jpn.nec.com/security-info/secinfo/nv18-011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0627
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0628
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0625
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0626
JVN
JVN#00401783
http://jvn.jp/en/jp/JVN00401783/index.html
National Vulnerability Database (NVD)
CVE-2018-0625
https://nvd.nist.gov/vuln/detail/CVE-2018-0625
National Vulnerability Database (NVD)
CVE-2018-0626
https://nvd.nist.gov/vuln/detail/CVE-2018-0626
National Vulnerability Database (NVD)
CVE-2018-0627
https://nvd.nist.gov/vuln/detail/CVE-2018-0627
National Vulnerability Database (NVD)
CVE-2018-0628
https://nvd.nist.gov/vuln/detail/CVE-2018-0628
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-12T15:04:35+09:00
[2018/07/12] Web page was published
2
2019-08-27T11:44:57+09:00
[2019/08/27] References : Content was added
2018-07-12T15:04:35+09:00
2019-08-27T13:44:37+09:00
2018-07-12T00:00:00+09:00
JVNDB-2018-000076
Multiple vulnerabilities in Aterm W300P
Aterm W300P provided by NEC Corporation contains multiple vulnerabilities listed below.
* OS Command Injection (CWE-78) - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631
* Buffer Overflow (CWE-119) - CVE-2018-0632, CVE-2018-0633
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NEC Corporation
Aterm W300P firmware
cpe:/o:nec:aterm_w300p_firmware
firmware Ver1.0.13 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* A user who can access the product with administrative privileges may execute an arbitrary OS command. - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631
* A user who can access the product with administrative privileges may execute arbitrary code. - CVE-2018-0632, CVE-2018-0633
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
NEC Security Information
NV18-011
https://jpn.nec.com/security-info/secinfo/nv18-011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0631
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0632
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0633
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0629
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0630
JVN
JVN#26629618
http://jvn.jp/en/jp/JVN26629618/index.html
National Vulnerability Database (NVD)
CVE-2018-0633
https://nvd.nist.gov/vuln/detail/CVE-2018-0633
National Vulnerability Database (NVD)
CVE-2018-0629
https://nvd.nist.gov/vuln/detail/CVE-2018-0629
National Vulnerability Database (NVD)
CVE-2018-0630
https://nvd.nist.gov/vuln/detail/CVE-2018-0630
National Vulnerability Database (NVD)
CVE-2018-0631
https://nvd.nist.gov/vuln/detail/CVE-2018-0631
National Vulnerability Database (NVD)
CVE-2018-0632
https://nvd.nist.gov/vuln/detail/CVE-2018-0632
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-12T15:04:36+09:00
[2018/07/12] Web page was published
2
2019-08-27T12:14:55+09:00
[2019/08/27] References : Contents were added
2018-07-12T15:04:36+09:00
2019-08-27T16:56:58+09:00
2018-07-12T00:00:00+09:00
JVNDB-2018-000077
Multiple vulnerabilities in Aterm HC100RC
Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below.
* OS Command Injection (CWE-78) - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639
* Buffer Overflow (CWE-119) - CVE-2018-0640, CVE-2018-0641
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NEC Corporation
Aterm HC100RC
cpe:/o:nec:aterm_hc100rc_firmware
camera firmware Ver1.0.1 and earlier
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
* A user who can access the product with administrative privileges may execute an arbitrary OS command. - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639
* A user who can access the product with administrative privileges may execute arbitrary code. - CVE-2018-0640, CVE-2018-0641
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
NEC Security Information
NV18-011
https://jpn.nec.com/security-info/secinfo/nv18-011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0636
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0637
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0637
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0638
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0638
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0639
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0640
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0641
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0634
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0635
JVN
JVN#84825660
https://jvn.jp/en/jp/JVN84825660/index.html
National Vulnerability Database (NVD)
CVE-2018-0635
https://nvd.nist.gov/vuln/detail/CVE-2018-0635
National Vulnerability Database (NVD)
CVE-2018-0636
https://nvd.nist.gov/vuln/detail/CVE-2018-0636
National Vulnerability Database (NVD)
CVE-2018-0637
https://nvd.nist.gov/vuln/detail/CVE-2018-0637
National Vulnerability Database (NVD)
CVE-2018-0638
https://nvd.nist.gov/vuln/detail/CVE-2018-0638
National Vulnerability Database (NVD)
CVE-2018-0639
https://nvd.nist.gov/vuln/detail/CVE-2018-0639
National Vulnerability Database (NVD)
CVE-2018-0640
https://nvd.nist.gov/vuln/detail/CVE-2018-0640
National Vulnerability Database (NVD)
CVE-2018-0641
https://nvd.nist.gov/vuln/detail/CVE-2018-0641
National Vulnerability Database (NVD)
CVE-2018-0634
https://nvd.nist.gov/vuln/detail/CVE-2018-0634
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-12T15:04:38+09:00
[2018/07/12] Web page was published
2
2019-08-27T12:11:40+09:00
[2019/08/27] References : Content was added
2018-07-12T15:04:38+09:00
2019-08-27T13:52:41+09:00
2018-07-12T00:00:00+09:00
JVNDB-2018-000078
WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting
The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FolioVision
FV Flowplayer Video Player
cpe:/a:foliovision:fv_flowplayer_video_player
6.1.2 to 6.6.4
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
FolioVision
FV Flowplayer Video Player - WordPress.org - Changelog
https://wordpress.org/plugins/fv-wordpress-flowplayer/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0642
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0642
JVN
JVN#70246549
http://jvn.jp/en/jp/JVN70246549/index.html
National Vulnerability Database (NVD)
CVE-2018-0642
https://nvd.nist.gov/vuln/detail/CVE-2018-0642
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-17T12:27:00+09:00
[2018/07/17] Web page was published
2
2019-07-25T17:11:43+09:00
[2019/07/25] References : Content was added
2018-07-17T12:27:00+09:00
2019-07-25T17:12:01+09:00
2018-07-17T00:00:00+09:00
JVNDB-2018-000079
Explzh vulnerable to directory traversal
Explzh is file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability (CWE-22). Explzh is not vulnerable to relative path traversal but to absolute path traversal. Therefore, an attacker may create new files or overwrite existing files in any directory accessible with the privileges used for extracting files with Explzh. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
pon software
Explzh
cpe:/a:ponsoftware:explzh
v.7.58 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
When a user extracts a malicious compressed file, an attacker may create arbitrary files or overwrite existing files in a directory different from the extraction/saving destination configured on the affected product.
[Update the software] Update to the latest version according to the information provided by the developer.
pon software
Explzh for Windows
https://www.ponsoftware.com/archiver/explzh/explzh.htm#explz759
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0646
JVN
JVN#55813866
http://jvn.jp/en/jp/JVN55813866/index.html
National Vulnerability Database (NVD)
CVE-2018-0646
https://nvd.nist.gov/vuln/detail/CVE-2018-0646
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-13T14:17:29+09:00
[2018/07/13] Web page was published
2
2019-07-25T16:25:49+09:00
[2019/07/25] References : Content was added
2018-07-13T14:47:40+09:00
2019-07-25T16:26:04+09:00
2018-07-13T00:00:00+09:00
JVNDB-2018-000080
Movable Type plugin MTAppjQuery vulnerable to PHP code execution
MTAppjQuery provided by bit part LLC is a plugin for Movable Type. MTAppjQuery v1.8.1 and earlier versions incorporate an older version of the PHP library Uploadify, and the older versions of Uploadify contain an unrestricted upload of arbitrary files vulnerability (CWE-434), which may lead to arbitrary PHP code execution if MTAppjQuery is used. ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
bit part LLC.
MTAppjQuery
cpe:/a:bit-part:mtappjquery
1.8.1 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A remote attacker may execute arbitrary PHP code on the server.
[Update MTAppjQuery] Update to the latest version according to the information provided by the developer. According to the developer, delete the Uploadify directory manually if the latest update cannot be applied.
bit part LLC.
About incorrect access to the Uploadify included by the past MTAppjQuery
http://www.tinybeans.net/blog/2015/06/26-230919.html
bit part LLC.
[Re posting] About incorrect access to the Uploadify included by the MTAppjQuery v1.8.1 and earlier
https://bit-part.net/news/2018/07/mtappjquery-20180717.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0645
JVN
JVN#62423700
http://jvn.jp/en/jp/JVN62423700/index.html
National Vulnerability Database (NVD)
CVE-2018-0645
https://nvd.nist.gov/vuln/detail/CVE-2018-0645
Sucuri
Uploadify, Uploadify and Uploadify - The New TimThumb?
https://blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-18T15:35:08+09:00
[2018/07/18] Web page was published
2
2019-07-26T15:22:53+09:00
[2019/07/26] References : Content was added
2018-07-18T15:35:08+09:00
2019-07-26T15:23:08+09:00
2018-07-18T00:00:00+09:00
JVNDB-2018-000081
Multiple vulnerabilities in ORCA(Online Receipt Computer Advantage)
ORCA(Online Receipt Computer Advantage) provided by ORCA Management Organization Co., Ltd contains vulnerabilities listed below. * OS command injection (CWE-78) - CVE-2018-0643 * Buffer overflow (CWE-119) - CVE-2018-0644 All participants of IoT x Security Hackathon 2016 reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ORCA Management Organization Co., Ltd
Ubuntu14.04 ORCA(Online Receipt Computer Advantage)
cpe:/a:orcamo:ubuntu_14.04_online_receipt_computer_advantage
4.8.0(panda-client2) 1:1.4.9+p41-u4jma1 and earlier (CVE-2018-0644)
4.8.0(panda-server) 1:1.4.9+p41-u4jma1 and earlier (CVE-2018-0643)
5.0.0(panda-client2) 1:2.0.0+p48-u4jma1 and earlier (CVE-2018-0644)
ORCA Management Organization Co., Ltd
Ubuntu16.04 ORCA(Online Receipt Computer Advantage)
cpe:/a:orcamo:ubuntu_16.04_online_receipt_computer_advantage
5.0.0(panda-client2) 1:2.0.0+p48-u5jma1 and earlier (CVE-2018-0644)
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
5.5
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
The possible impact of each vulnerability is as follows: * A user with access to the network that is connected to the affected product may execute an arbitrary command on the product - CVE-2018-0643 * If a user opens a specially crafted file while logged into the affected product, that may result in a denial-of-service (DoS) condition - CVE-2018-0644
[Update the software] Update the software to the latest version according to the information provided by the developer.
ORCA Management Organization Co., Ltd
ORCA Management Organization Co., Ltd. website
https://www.orca.med.or.jp/news/vulnerability_2018-07-18-1.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0643
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0644
JVN
JVN#37376131
http://jvn.jp/en/jp/JVN37376131/index.html
National Vulnerability Database (NVD)
CVE-2018-0643
https://nvd.nist.gov/vuln/detail/CVE-2018-0643
National Vulnerability Database (NVD)
CVE-2018-0644
https://nvd.nist.gov/vuln/detail/CVE-2018-0644
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-18T15:35:09+09:00
[2018/07/18] Web page was published
2
2019-07-25T16:59:20+09:00
[2019/07/25] References : Contents were added
2018-07-18T15:35:09+09:00
2019-07-25T16:59:57+09:00
2018-07-18T00:00:00+09:00
JVNDB-2018-000082
WL-330NUL vulnerable to cross-site request forgery
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a cross-site request forgery vulnerability (CWE-352). Masashi Sakai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ASUS JAPAN Inc.
WL-330NUL
cpe:/a:misc:asus_japan_wl-330nul
Firmware prior to version 3.0.0.46
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
If a user views a malicious page while logged in to the management screen, unintended operations may be performed on the device.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
ASUS JAPAN Inc.
BIOS & FIRMWARE
https://www.asus.com/us/Networking/WL330NUL/HelpDesk_BIOS/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0647
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0647
JVN
JVN#71329812
http://jvn.jp/en/jp/JVN71329812/index.html
National Vulnerability Database (NVD)
CVE-2018-0647
https://nvd.nist.gov/vuln/detail/CVE-2018-0647
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-20T15:41:39+09:00
[2018/07/20] Web page was published
2
2019-07-25T14:38:31+09:00
[2019/07/25] References : Content was added
2018-07-20T15:41:39+09:00
2019-07-25T14:38:50+09:00
2018-07-20T00:00:00+09:00
JVNDB-2018-000083
The installers of multiple Canon IT Solutions Inc. software programs may insecurely load Dynamic Link Libraries
The installers of multiple software programs provided by Canon IT Solutions Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ESET
CompuSec
cpe:/a:eset:compusec
(all programs except packaged ones)
ESET
DESlock+ Pro
cpe:/a:eset:deslock%2b_pro
ESET
ESET Internet Security
cpe:/a:eset:internet_security
ESET
ESET NOD32 Antivirus
cpe:/a:eset:nod32_antivirus
ESET
ESET Smart Security
cpe:/a:eset:smart_security
ESET
ESET Smart Security Premium
cpe:/a:eset:smart_security_premium
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installers provided by the developer. Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only. Users who have already installed the program(s) are not affected.
Canon IT Solutions Inc.
Canon IT Solutions Inc. website
https://eset-support.canon-its.jp/faq/show/10720?site_domain=default
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0649
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0649
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#41452671
http://jvn.jp/en/jp/JVN41452671/index.html
National Vulnerability Database (NVD)
CVE-2018-0649
https://nvd.nist.gov/vuln/detail/CVE-2018-0649
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-24T14:14:17+09:00
[2018/07/24] Web page was published
2
2019-07-26T12:05:06+09:00
[2019/07/26] References : Content was added
2018-07-24T14:43:41+09:00
2019-07-26T12:05:20+09:00
2018-07-24T00:00:00+09:00
JVNDB-2018-000084
LINE MUSIC for Android fails to verify SSL server certificates
LINE MUSIC for Android provided by LINE MUSIC CORPORATION fails to verify SSL server certificates (CWE-295). LINE MUSIC CORPORATION reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.
LINE MUSIC CORPORATION
LINE MUSIC
cpe:/a:line_music_corporation:line_music
for Android version 3.1.0 to versions prior to 3.6.5
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer. The developer states that this vulnerability was addressed in version 3.6.5.
Google Play
LINE MUSIC - Google Play
https://play.google.com/store/apps/details?id=jp.linecorp.linemusic.android
LINE Corporation
[Vulnerability Report] LINE MUSIC for Android fails to verify SSL server certificates
https://linecorp.com/en/security/article/182
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0650
JVN
JVN#16933564
https://jvn.jp/en/jp/JVN16933564/index.html
National Vulnerability Database (NVD)
CVE-2018-0650
https://nvd.nist.gov/vuln/detail/CVE-2018-0650
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-07-26T14:29:39+09:00
[2018/07/26] Web page was published
2
2019-07-25T17:28:03+09:00
[2019/07/25] References : Content was added
2018-07-26T14:58:04+09:00
2019-07-25T17:28:17+09:00
2018-07-26T00:00:00+09:00
JVNDB-2018-000085
Multiple cross-site scripting vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. * Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652 * Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653 * Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654 * Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655 The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0652, CVE-2018-0653 Yoshinori Hayashi of Information Science College CVE-2018-0654, CVE-2018-0655 Kanta Nishitani of Information Science College
WESEEK, Inc.
GROWI
cpe:/a:weseek:growi
v.3.1.11 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
6.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
* An arbitrary script may be executed on a logged-in user's web browser. - CVE-2018-0652, CVE-2018-0653 * An arbitrary script may be executed on the user's web browser. - CVE-2018-0654, CVE-2018-0655
[Update the software] Update to the latest version according to the information provided by the developer.
WESEEK, Inc.
WESEEK, Inc. website
https://weseek.co.jp/security/2018/07/31/growi-prevent-xss/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0654
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0655
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0652
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0652
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0653
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0653
JVN
JVN#18716340
http://jvn.jp/en/jp/JVN18716340/index.html
National Vulnerability Database (NVD)
CVE-2018-0652
https://nvd.nist.gov/vuln/detail/CVE-2018-0652
National Vulnerability Database (NVD)
CVE-2018-0653
https://nvd.nist.gov/vuln/detail/CVE-2018-0653
National Vulnerability Database (NVD)
CVE-2018-0654
https://nvd.nist.gov/vuln/detail/CVE-2018-0654
National Vulnerability Database (NVD)
CVE-2018-0655
https://nvd.nist.gov/vuln/detail/CVE-2018-0655
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-08-03T14:14:34+09:00
[2018/08/03] Web page was published
3
2019-07-05T10:43:40+09:00
[2019/07/05] References : Contents were added
2018-08-03T15:04:45+09:00
2019-07-05T17:13:23+09:00
2018-08-03T00:00:00+09:00
JVNDB-2018-000086
Multiple vulnerabilities in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE
EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service), which are additional modules for EC-CUBE, provided by GMO Payment Gateway, Inc. contain multiple vulnerabilities listed below. * Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2018-0657 * Input validation bypass vulnerability in the management screen (CWE-20) - CVE-2018-0658 Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
GMO Payment Gateway, Inc.
EC-CUBE Payment Settlement Module
cpe:/a:gmo_payment_gateway:ec-cubepayment_settlement_module
(2.11) version 2.3.17 and earlier
(2.12) version 3.5.23 and earlier
GMO Payment Gateway, Inc.
GMO-PG Settlement Module (PG Multi Payment Service)
cpe:/a:gmo_payment_gateway:gmo-pg_settlement_module
(2.11) version 2.3.17 and earlier
(2.12) version 3.5.23 and earlier
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Low
3.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
* An arbitrary script may be executed on the web browser of an administrator logged into the EC-CUBE management screen - CVE-2018-0657 * Arbitrary PHP code may be executed on the server by an administrator logged into the EC-CUBE management screen - CVE-2018-0658 When the two vulnerabilities are combined, arbitrary PHP code may be executed on the server if an administrator logged into the EC-CUBE management screen accesses a malicious URL.
[Update the software] Update to the latest version according to the information provided by the developer.
GMO Payment Gateway, Inc.
Information from GMO Payment Gateway, Inc.
https://jvn.jp/en/jp/JVN06372244/996220/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0657
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0658
JVN
JVN#06372244
https://jvn.jp/en/jp/JVN06372244/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-09T16:43:51+09:00
[2018/08/09] Web page was published
2018-08-09T16:43:51+09:00
2018-08-09T16:43:51+09:00
2018-08-09T00:00:00+09:00
JVNDB-2018-000087
The installer of Digital Paper App may insecurely load Dynamic Link Libraries
Digital Paper App provided by Sony Corporation is document management software exclusively for Sony Digital Paper. The installer of Digital Paper App contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
Digital Paper App
cpe:/a:sony:digital_paper_app
version 1.4.0.16050 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer provided by the developer. Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed the software do not need to re-install the software.
Sony
Sony Corporation website
https://esupport.sony.com/US/p/swu-download.pl?upd_id=10998&PASSVAL2=SMB.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0656
JVN
JVN#75700242
http://jvn.jp/en/jp/JVN75700242/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
National Vulnerability Database (NVD)
CVE-2018-0656
https://nvd.nist.gov/vuln/detail/CVE-2018-0656
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-21T15:59:33+09:00
[2018/08/21] Web page was published
2
2019-07-25T16:16:46+09:00
[2019/07/25] References : Content was added
2018-08-21T15:59:33+09:00
2019-07-25T16:17:04+09:00
2018-08-21T00:00:00+09:00
JVNDB-2018-000089
Multiple vulnerabilities in multiple I-O DATA network camera products
Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below. * Permissions, Privileges, and Access Controls (CWE-264) - CVE-2018-0661 * Insufficient Verification of Data Authenticity (CWE-345) - CVE-2018-0662 * Use of Hard-coded Credentials (CWE-798) - CVE-2018-0663 The following researchers reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0661 Yutaka Kokubu, Toshitsugu Yoneyama, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. CVE-2018-0662 Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. CVE-2018-0663 Yutaka Kokubu and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
I-O DATA DEVICE, INC.
TS-WRLA
cpe:/h:i-o_data_device:ts-wrla
firmware Ver.1.09.04 and earlier
I-O DATA DEVICE, INC.
TS-WRLP
cpe:/h:i-o_data_device:ts-wrlp
firmware Ver.1.09.04 and earlier
I-O DATA DEVICE, INC.
TS-WRLP/E
cpe:/a:i-o_data_device:ts-wrlp%2Fe
firmware Ver.1.09.04 and earlier
Medium
6
AV:N/AC:M/Au:S/C:P/I:P/A:P
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
* A remote attacker on the adjacent network may add files to a specific directory and execute arbitrary OS commands and code - CVE-2018-0661 * Information including credentials may be leaked and altered - CVE-2018-0661 * An attacker who can access the affected product physically may add malicious files to the product and execute arbitrary code - CVE-2018-0662 * A remote attacker may execute an arbitrary OS command - CVE-2018-0663
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
I-O DATA
I-O DATA DEVICE, INC. website
http://www.iodata.jp/support/information/2018/ts-wrlp/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0663
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0661
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0662
JVN
JVN#83701666
https://jvn.jp/en/jp/JVN83701666/index.html
National Vulnerability Database (NVD)
CVE-2018-0661
https://nvd.nist.gov/vuln/detail/CVE-2018-0661
National Vulnerability Database (NVD)
CVE-2018-0662
https://nvd.nist.gov/vuln/detail/CVE-2018-0662
National Vulnerability Database (NVD)
CVE-2018-0663
https://nvd.nist.gov/vuln/detail/CVE-2018-0663
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-07T14:33:44+09:00
[2018/08/07] Web page was published
2
2019-07-25T15:59:25+09:00
[2019/07/25] References : Contents were added
2018-08-07T14:33:44+09:00
2019-07-25T16:00:15+09:00
2018-08-07T00:00:00+09:00
JVNDB-2018-000090
Multiple directory traversal vulnerabilities in AttacheCase
AttacheCase is open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported the CVE-2018-0660 vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HiBARA Software
AttacheCase
cpe:/a:hibara:attachecase
ver.2.8.3.0 and earlier
ver.3.2.3.0 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* Decrypting a crafted ATC file may result in creation of an arbitrary file or overwriting of an existing file - CVE-2018-0659 * Decrypting a crafted ATC file may result in creation of an arbitrary file - CVE-2018-0660
[Update the Software] Update to the latest version according to the information provided by the developer.
HiBARA Software
HiBARA Software website
https://hibara.org/software/attachecase/?lang=en
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0659
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0660
JVN
JVN#62121133
https://jvn.jp/en/jp/JVN62121133/index.html
National Vulnerability Database (NVD)
CVE-2018-0659
https://nvd.nist.gov/vuln/detail/CVE-2018-0659
National Vulnerability Database (NVD)
CVE-2018-0660
https://nvd.nist.gov/vuln/detail/CVE-2018-0660
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-06T14:10:50+09:00
[2018/08/06] Web page was published
2
2018-08-31T15:59:10+09:00
[2018/08/31] Information under [Products Affected] was modified.
3
2019-07-25T14:31:50+09:00
[2019/07/25] References : Contents were added
2018-08-06T14:10:50+09:00
2019-07-25T14:32:25+09:00
2018-08-06T00:00:00+09:00
JVNDB-2018-000091
NoMachine App for Android vulnerable to environment variables alteration
NoMachine App for Android contains an information alteration vulnerability. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NoMachine
NoMachine
cpe:/a:nomachine:nomachine
App for Android 5.0.63 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Medium
5.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
A remote attacker may alter environment variables of the NoMachine App. As a result, arbitrary code may be executed.
[Update the Software] Update to the latest version of software according to the information provided by the developer.
NoMachine
NoMachine app for Android v. 5.0.63 could be exploited by altering environment
https://www.nomachine.com/TR06P08619
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0664
JVN
JVN#14451678
https://jvn.jp/en/jp/JVN14451678/index.html
National Vulnerability Database (NVD)
CVE-2018-0664
https://nvd.nist.gov/vuln/detail/CVE-2018-0664
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-17T13:49:18+09:00
[2018/08/17] Web page was published
2
2019-07-25T17:17:19+09:00
[2019/07/25] References : Content was added
2018-08-17T13:49:18+09:00
2019-07-25T17:17:51+09:00
2018-08-17T00:00:00+09:00
JVNDB-2018-000092
Multiple vulnerabilities in INplc
INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below. * DLL preloading vulnerability (CWE-427) - CVE-2018-0667 * Buffer overflow (CWE-119) - CVE-2018-0668 * Authentication bypass (CWE-287) - CVE-2018-0669 * Authentication bypass (CWE-287) - CVE-2018-0670 * Privilege escalation - CVE-2018-0671 Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
MICRONET CORP.
INplc SDK Express
cpe:/a:mnc:inplc-rt_sdk_express
3.08 and earlier (CVE-2018-0667)
MICRONET CORP.
INplc SDK Pro+
cpe:/a:mnc:inplc_sdk_pro%2b
3.08 and earlier (CVE-2018-0667)
MICRONET CORP.
INplc-RT
cpe:/a:mnc:inplc-rt
3.08 and earlier (CVE-2018-0668, CVE-2018-0669, CVE-2018-0670, CVE-2018-0671)
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The expected impact varies depending on the vulnerability, but the following may occur. * Arbitrary code may be executed with the privilege of the user invoking the installer - CVE-2018-0667 * A remote attacker may be able to cause a denial-of-service (DoS) condition or may execute arbitrary code - CVE-2018-0668 * A remote attacker may execute an arbitrary command through the traffic based on the protocol - CVE-2018-0669, CVE-2018-0670 * An attacker may execute arbitrary code with the administrative privilege on the Windows system on which the product is installed - CVE-2018-0671
[Use the latest installer] - CVE-2018-0667 Use the latest installer according to the information provided by the developer. Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed INplc do not need to re-install the software. [Update the software] - CVE-2018-0668, CVE-2018-0669, CVE-2018-0670, CVE-2018-0671 Update to the latest version according to the information provided by the developer.
MICRONET CORP.
MICRONET CORPORATION website
http://www.mnc.co.jp/INplc/info_20180907_E.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0669
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0670
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0670
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0671
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0671
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0667
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0667
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0668
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0668
JVN
JVN#59624986
http://jvn.jp/en/jp/JVN59624986/index.html
National Vulnerability Database (NVD)
CVE-2018-0671
https://nvd.nist.gov/vuln/detail/CVE-2018-0671
National Vulnerability Database (NVD)
CVE-2018-0667
https://nvd.nist.gov/vuln/detail/CVE-2018-0667
National Vulnerability Database (NVD)
CVE-2018-0668
https://nvd.nist.gov/vuln/detail/CVE-2018-0668
National Vulnerability Database (NVD)
CVE-2018-0669
https://nvd.nist.gov/vuln/detail/CVE-2018-0669
National Vulnerability Database (NVD)
CVE-2018-0670
https://nvd.nist.gov/vuln/detail/CVE-2018-0670
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-09-07T14:45:41+09:00
[2018/09/07] Web page was published.
2
2018-11-09T16:41:57+09:00
[2018/11/09] Fixed the CVSS scores and the description under [Impact] of CVE-2018-0671
3
2019-08-28T09:50:44+09:00
[2019/08/28] References : Contents were added
2018-09-07T16:49:28+09:00
2019-08-28T09:51:16+09:00
2018-09-07T00:00:00+09:00
JVNDB-2018-000093
Multiple script injection vulnerabilities in multiple Yamaha network devices
The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities (CWE-74). The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2018-0665 Hayato Doi of Kanazawa Institute of Technology CVE-2018-0666 Tomonori Yamamoto of Mitsui Bussan Secure Directions, Inc.
Yamaha Corporation
FWX120
cpe:/h:yamaha:fwx120_firmware
Firewall Rev.11.03.25 and earlier
Yamaha Corporation
NVR500
cpe:/o:yamaha:nvr500_firmware
Broadband VoIP Router Rev.11.00.36 and earlier
Yamaha Corporation
RT57i
cpe:/o:yamaha:rt57i_firmware
Broadband VoIP Router Rev.8.00.95 and earlier
Yamaha Corporation
RT58i
cpe:/o:yamaha:rt58i_firmware
Broadband VoIP Router Rev.9.01.51 and earlier
Yamaha Corporation
RTX810
cpe:/o:yamaha:rtx810_firmware
Gigabit VPN Router Rev.11.01.31 and earlier
Low
2.7
AV:A/AC:L/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
In the case where multiple administrators manage an affected device, an administrator with malicious intent may embed an arbitrary script into the management screen. The embedded script may be executed when another administrator logs into the screen.
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
FAQ for YAMAHA RT Series / Security
Yamaha Corporation website
http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/JVN69967692.html
Nippon Telegraph and Telephone East Corporation
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION website
https://web116.jp/ced/support/news/contents/2018/20180829b.html
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
https://flets-w.com/solution/kiki_info/info/180829.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0665
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0666
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0666
JVN
JVN#69967692
https://jvn.jp/en/jp/JVN69967692/index.html
National Vulnerability Database (NVD)
CVE-2018-0665
https://nvd.nist.gov/vuln/detail/CVE-2018-0665
National Vulnerability Database (NVD)
CVE-2018-0666
https://nvd.nist.gov/vuln/detail/CVE-2018-0666
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-29T18:01:56+09:00
[2018/08/29]\n Web page was published
2
2018-08-31T14:52:38+09:00
[2018/08/31]\n Vendor Information : Contents were added
3
2018-09-03T11:08:38+09:00
[2018/09/03]\n Affected Products : Product version was modified
4
2019-08-27T15:56:30+09:00
[2019/08/27]\n References : Contents were added
2018-08-29T18:01:56+09:00
2019-08-27T17:53:18+09:00
2018-08-29T00:00:00+09:00
JVNDB-2018-000094
Movable Type vulnerable to cross-site scripting
Movable Type provided by Six Apart, Ltd. is a content management system. Movable Type contains a cross-site scripting vulnerability (CWE-79). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Six Apart, Ltd.
Movable Type
cpe:/a:sixapart:movabletype
versions prior to Ver. 6.3.1
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer. [Apply a Workaround] If you continue to use an older version that does not contain a fix for this vulnerability, apply the following workaround to mitigate the impact of this vulnerability. Delete the directory listed below. * <MT_HOME>/php/extlib/adodb5/tests
JVN
Information from Six Apart, Ltd.
http://jvn.jp/en/jp/JVN89550319/370331/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0672
JVN
JVN#89550319
http://jvn.jp/en/jp/JVN89550319/index.html
National Vulnerability Database (NVD)
CVE-2018-0672
https://nvd.nist.gov/vuln/detail/CVE-2018-0672
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-30T17:06:37+09:00
[2018/08/30]\n Web page was published
2
2019-07-25T14:24:46+09:00
[2019/07/25]\n References : Content was added
2018-08-30T17:34:51+09:00
2019-07-25T14:25:33+09:00
2018-08-30T00:00:00+09:00
JVNDB-2018-000095
AttacheCase vulnerable to arbitrary script execution
AttacheCase is open source file encryption software provided by HiBARA Software. If a specially crafted setting file _AtcCase.ini resides in the same folder as an ATC file, it can be leveraged to execute an arbitrary script when the ATC file is decrypted. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HiBARA Software
AttacheCase
ver.2.8.4.0 and earlier
ver.3.3.0.0 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
A remote unauthenticated attacker may execute an arbitrary script.
[Update the software] Update to the latest version according to the information provided by the developer.
HiBARA Software
AttacheCase #3
https://hibara.org/software/attachecase/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0674
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0675
JVN
JVN#02037158
http://jvn.jp/en/jp/JVN02037158/index.html
National Vulnerability Database (NVD)
CVE-2018-0674
https://nvd.nist.gov/vuln/detail/CVE-2018-0674
National Vulnerability Database (NVD)
CVE-2018-0675
https://nvd.nist.gov/vuln/detail/CVE-2018-0675
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-31T15:01:45+09:00
[2018/08/31]\n Web page was published.
2
2019-07-26T12:18:53+09:00
[2019/07/26]\n References : Contents were added\n
2018-08-31T15:59:09+09:00
2019-07-26T12:19:22+09:00
2018-08-31T00:00:00+09:00
JVNDB-2018-000096
QNAP Photo Station vulnerable to cross-site scripting
Photo Station provided by QNAP Systems, Inc. contains a reflected cross-site scripting vulnerability (CWE-79). Mitsuaki (Mitch) Shiraishi of Secureworks Japan reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
QNAP Systems
Photo Station
cpe:/h:qnap:photo_station
version 5.7.0 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
QNAP Systems, Inc.
Security Advisory for XSS Vulnerability in Photo Station
https://www.qnap.com/ja-jp/security-advisory/nas-201808-23
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0715
JVN
JVN#63556416
http://jvn.jp/en/jp/JVN63556416/index.html
National Vulnerability Database (NVD)
CVE-2018-0715
https://nvd.nist.gov/vuln/detail/CVE-2018-0715
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-31T15:04:00+09:00
[2018/08/31]\n Web page was published.\n
2
2019-07-25T16:09:10+09:00
[2019/07/25]\n References : Content was added\n
2018-08-31T15:48:46+09:00
2019-07-25T16:09:28+09:00
2018-08-31T00:00:00+09:00
JVNDB-2018-000097
Multiple FXC network devices vulnerable to cross-site scripting
Multiple network devices provided by FXC Inc. contain a stored cross-site scripting vulnerability (CWE-79). SUNAGAWA, Masanori of Japan Advanced Institute of Science and Technology Graduate School of Advanced Science and Technology Security and Networks reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FXC Inc.
Managed Ethernet switch FXC5210
cpe:/o:fxc:fxc5210_firmware
firmware prior to version Ver1.00.22
FXC Inc.
Managed Ethernet switch FXC5218
cpe:/o:fxc:fxc5218_firmware
firmware prior to version Ver1.00.22
FXC Inc.
Managed Ethernet switch FXC5224
cpe:/o:fxc:fxc5224_firmware
firmware prior to version Ver1.00.22
FXC Inc.
Managed Ethernet switch FXC5426F
cpe:/o:fxc:fxc5426f_firmware
firmware prior to version Ver1.00.06
FXC Inc.
Managed Ethernet switch FXC5428
cpe:/o:fxc:fxc5428_firmware
firmware prior to version Ver1.00.07
FXC Inc.
Power over Ethernet (PoE) Switch FXC5210PE
cpe:/o:fxc:fxc5210pe_firmware
firmware prior to version Ver1.00.14
FXC Inc.
Power over Ethernet (PoE) Switch FXC5218PE
cpe:/o:fxc:fxc5218pe_firmware
firmware prior to version Ver1.00.14
FXC Inc.
Power over Ethernet (PoE) Switch FXC5224PE
cpe:/o:fxc:fxc5224pe_firmware
firmware prior to version Ver1.00.14
FXC Inc.
Wireless LAN router AE1021
cpe:/o:fxc:ae1021_firmware
firmware all versions
FXC Inc.
Wireless LAN router AE1021PE
cpe:/o:fxc:ae1021pe_firmware
firmware all versions
Low
2.3
AV:A/AC:M/Au:S/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
If an attacker with administrative rights logs in to the Management GUI and embeds a specially crafted script, then that script may be executed on another administrator's web browser.
Solution for Managed Ethernet switch and Power over Ethernet (PoE) switch: [Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer. Solution for Wireless LAN router: [Apply Workaround] The following workaround may mitigate the impact of this vulnerability. * Restrict access to Management CGI of the device. Permit access only to trusted administrators.
FXC Inc.
FXC Inc. website
https://www.fxc.jp/news/20171228.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0679
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0679
JVN
JVN#68528150
http://jvn.jp/en/jp/JVN68528150/index.html
National Vulnerability Database (NVD)
CVE-2018-0679
https://nvd.nist.gov/vuln/detail/CVE-2018-0679
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-09-13T12:21:28+09:00
[2018/09/13]\n Web page was published
2
2019-08-27T11:00:42+09:00
[2019/08/27]\n References : Contents were added
2018-09-13T13:57:45+09:00
2019-08-27T11:30:58+09:00
2018-09-13T00:00:00+09:00
JVNDB-2018-000099
Cybozu Garoon vulnerable to directory traversal
Cybozu Garoon provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing of the session information. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.5.0 to 4.6.3
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N
Medium
6.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
A user who can log in to the product may obtain or alter arbitrary files on the server.
[Apply the Patch] Apply the patch according to the information provided by the developer. [Updated on 2019 April 22] [Update the Software] Update to the latest version according to the information provided by the developer. According to the developer, this vulnerability was addressed in Cybozu Garoon 4.10.0.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006717.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0673
JVN
JVN#12583112
http://jvn.jp/en/jp/JVN12583112/index.html
National Vulnerability Database (NVD)
CVE-2018-0673
https://nvd.nist.gov/vuln/detail/CVE-2018-0673
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-09-10T13:42:03+09:00
[2018/09/10]\n Web page was published
2
2019-04-22T12:28:20+09:00
[2019/04/22]\n Solution was modified
3
2019-07-26T15:26:50+09:00
[2019/07/26]\n References : Content was added
2018-09-10T14:01:26+09:00
2019-07-26T15:28:13+09:00
2018-09-10T00:00:00+09:00
JVNDB-2018-000100
+Message App fails to verify SSL server certificates
+Message App fails to verify SSL server certificates. ma.la of LINE Corporation reported this vulnerability to the developer, and also to IPA in order to notify users of its solution through JVN. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
+Message (PlusMessage)
cpe:/a:kddi:%2b_message
App for Android prior to version 1.0.6
App for iOS prior to version 1.1.23
NTT DOCOMO, INC.
+Message (PlusMessage)
cpe:/a:nttdocomo:%2b_message
App for Android prior to version 42.40.2800
App for iOS prior to version 1.1.23
SoftBank
+Message (PlusMessage)
cpe:/a:softbank:%2b_message
App for Android prior to version 10.1.7
App for iOS prior to version 1.1.23
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
KDDI CORPORATION
Please update the app to customers who use +Message App.
https://www.au.com/information/notice_mobile/service/2018-002/
NTT docomo
Please update the app to customers who use +Message App.
https://www.nttdocomo.co.jp/info/notice/page/180927_00.html
Softbank
+Message Please update the app for security measures
https://www.softbank.jp/mobile/info/personal/news/service/20180927a/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0691
JVN
JVN#37288228
https://jvn.jp/en/jp/JVN37288228/
National Vulnerability Database (NVD)
CVE-2018-0691
https://nvd.nist.gov/vuln/detail/CVE-2018-0691
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-09-27T16:52:08+09:00
[2018/09/27]\n Web page was published
2
2018-10-01T13:41:57+09:00
[2018/10/01]\n Overview was modified
3
2019-08-27T14:16:33+09:00
[2019/08/27]\n References : Content was added
2018-09-27T16:52:08+09:00
2019-08-27T17:22:43+09:00
2018-09-27T00:00:00+09:00
JVNDB-2018-000101
The installer of Baidu Browser may insecurely load Dynamic Link Libraries
Baidu Browser provided by Baidu, Inc. is a Web browser. The installer of Baidu Browser contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Asuka Nakajima of NTT Secure Platform Laboratories reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Baidu, Inc.
Baidu Browser
cpe:/a:baidu:baidu_browser
Version 43.23.1000.500 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use the installer of Baidu Browser] According to the developer, development and support of Baidu Browser have been discontinued, and the developer recommends that users stop using the installer.
Baidu, Inc.
Information from Baidu, Inc.
https://jvn.jp/en/jp/JVN77885134/996041/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0692
JVN
JVN#77885134
https://jvn.jp/en/jp/JVN77885134/index.html
National Vulnerability Database (NVD)
CVE-2018-0692
https://nvd.nist.gov/vuln/detail/CVE-2018-0692
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-03T15:02:59+09:00
[2018/10/03]\n Web page was published
2
2019-08-27T10:38:04+09:00
[2019/08/27]\n References : Content was added
2018-10-03T15:02:59+09:00
2019-08-27T10:39:37+09:00
2018-10-03T00:00:00+09:00
JVNDB-2018-000102
Multiple vulnerabilities in Denbun
Denbun provided by NEOJAPAN Inc. is a WebMail System. Denbun contains multiple vulnerabilities listed below. * Hard-coded credentials for user account (CWE-798) - CVE-2018-0680 * Hard-coded credentials for the configuration management page (CWE-798) - CVE-2018-0681 * Improper session management (CWE-639) - CVE-2018-0682 * Stack-based buffer overflow due to a flaw in processing Cookie data (CWE-121) - CVE-2018-0683 * Stack-based buffer overflow due to a flaw in processing multipart/form-data format data (CWE-121) - CVE-2018-0684 * SQL injection due to a flaw in processing HTTP requests for mail search (CWE-89) - CVE-2018-0685 * Arbitrary executable files can be uploaded (CWE-434) - CVE-2018-0686 * Cross-site scripting in HTML mail view (CWE-79) - CVE-2018-0687
NEOJAPAN,Inc.
Denbun IMAP
cpe:/a:neo_japan:denbun_imap
version V3.3I R3.0 and earlier (CVE-2018-0684)
version V3.3I R4.0 and earlier (CVE-2018-0680, CVE-2018-0681, CVE-2018-0682, CVE-2018-0683, CVE-2018-0686, CVE-2018-0687)
NEOJAPAN,Inc.
Denbun POP
cpe:/a:neo_japan:denbun_pop
version V3.3P R3.0 and earlier (CVE-2018-0684)
version V3.3P R4.0 and earlier (CVE-2018-0680, CVE-2018-0681, CVE-2018-0682, CVE-2018-0683, CVE-2018-0685, CVE-2018-0686, CVE-2018-0687)
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* A remote attacker may read and/or send mail, may change the configuration. - CVE-2018-0680, CVE-2018-0682 * A remote attacker may log in to the Management page and modify the mail server configuration. - CVE-2018-0681 * A remote attacker may be able to execute arbitrary code or cause a denial-of-service (DoS) condition. - CVE-2018-0683, CVE-2018-0684 * A logged in user may execute arbitrary SQL statements. - CVE-2018-0685 * A logged in user may upload and execute any executable files. - CVE-2018-0686 * An arbitrary script may be executed on a logged in user's web browser. - CVE-2018-0687
[Update the Software] - CVE-2018-0680, CVE-2018-0681, CVE-2018-0682, CVE-2018-0683, CVE-2018-0684, CVE-2018-0685, CVE-2018-0687 Update to the latest version according to the information provided by the developer. [Apply Workaround] - CVE-2018-0686 Configure the web server to restrict execution of uploaded files. For more information, refer to the information provided by the developer.
NEOJAPAN,Inc.
Denbun POP version
http://denbun.com/ja/pop/support/security/181003.html
NEOJAPAN,Inc.
Denbun IMAP version
http://denbun.com/ja/imap/support/security/181003.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0681
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0681
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0682
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0682
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0683
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0684
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0685
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0686
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0687
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0680
JVN
JVN#00344155
http://jvn.jp/en/jp/JVN00344155/index.html
National Vulnerability Database (NVD)
CVE-2018-0680
https://nvd.nist.gov/vuln/detail/CVE-2018-0680
National Vulnerability Database (NVD)
CVE-2018-0681
https://nvd.nist.gov/vuln/detail/CVE-2018-0681
National Vulnerability Database (NVD)
CVE-2018-0682
https://nvd.nist.gov/vuln/detail/CVE-2018-0682
National Vulnerability Database (NVD)
CVE-2018-0683
https://nvd.nist.gov/vuln/detail/CVE-2018-0683
National Vulnerability Database (NVD)
CVE-2018-0684
https://nvd.nist.gov/vuln/detail/CVE-2018-0684
National Vulnerability Database (NVD)
CVE-2018-0685
https://nvd.nist.gov/vuln/detail/CVE-2018-0685
National Vulnerability Database (NVD)
CVE-2018-0686
https://nvd.nist.gov/vuln/detail/CVE-2018-0686
National Vulnerability Database (NVD)
CVE-2018-0687
https://nvd.nist.gov/vuln/detail/CVE-2018-0687
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-255
Credentials Management
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-04T16:11:32+09:00
[2018/10/04]\n Web page was published
2
2019-07-11T15:59:33+09:00
[2019/07/11]\n References : Contents were added
2018-10-04T16:11:32+09:00
2019-07-11T16:02:48+09:00
2018-10-04T00:00:00+09:00
JVNDB-2018-000103
Music Center for PC improperly verifies software update files
Music Center for PC provided by Sony Video & Sound Products Inc. contains an issue in the software update process (CWE-669). As a result, under a man-in-the-middle attack, a specially crafted executable file may be downloaded and executed. DigiGnome reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Video & Sound Products Inc.
Music Center
cpe:/a:sony:music_center
for PC version 1.0.02 and earlier
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
High
7.5
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Under a man-in-the-middle attack, a specially crafted file may be downloaded and executed.
[Update the Software] Update to the latest version using the latest installer directly downloaded from the developer's site, according to the information provided by the developer.
Sony Video & Sound Products Inc.
Music Center for PC
https://musiccenter.sony.net/en/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0690
JVN
JVN#36623716
http://jvn.jp/en/jp/JVN36623716/
National Vulnerability Database (NVD)
CVE-2018-0690
https://nvd.nist.gov/vuln/detail/CVE-2018-0690
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-09T12:21:48+09:00
[2018/10/09]\n Web page was published
2
2018-10-11T18:18:42+09:00
[2018/10/11]\n Solution was modified
3
2019-07-26T15:57:33+09:00
[2019/07/26]\n References : Content was added\n
2018-10-09T16:22:27+09:00
2019-07-26T15:57:59+09:00
2018-10-09T00:00:00+09:00
JVNDB-2018-000104
Multiple vulnerabilities in FileZen
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface. FileZen contains multiple vulnerabilities listed below. * Directory traversal (CWE-22) - CVE-2018-0693 * OS command injection (CWE-78) - CVE-2018-0694 Soliton Systems K.K. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.
Soliton Systems K.K.
FileZen
cpe:/a:soliton:filezen
V3.0.0 to V4.2.1
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
* A remote unauthenticated attacker may upload an arbitrary file in the specific directory in FileZen - CVE-2018-0693 * A remote unauthenticated attacker may execute an arbitrary OS command - CVE-2018-0694
[Update the Software] Update the software to the latest version according to the information provided by the developer.
Soliton Systems K.K.
Soliton Systems K.K. website
https://www.soliton.co.jp/support/2018/003328.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0693
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0694
IPA SECURITY ALERTS
Security Alert for Vulnerabilities in FileZen
https://www.ipa.go.jp/security/ciadr/vul/20181015-jvn.html
JVN
JVN#95355683
http://jvn.jp/en/jp/JVN95355683/index.html
National Vulnerability Database (NVD)
CVE-2018-0693
https://nvd.nist.gov/vuln/detail/CVE-2018-0693
National Vulnerability Database (NVD)
CVE-2018-0694
https://nvd.nist.gov/vuln/detail/CVE-2018-0694
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-15T13:50:08+09:00
[2018/10/15]\n Web page was published
2
2019-07-26T16:59:55+09:00
[2019/07/26]\n References : Content was added
2018-10-15T15:26:04+09:00
2019-07-26T17:00:18+09:00
2018-10-15T00:00:00+09:00
JVNDB-2018-000105
Metabase vulnerable to cross-site scripting
Metabase provided by Metabase, Inc. contains a reflected cross-site scripting vulnerability (CWE-79). Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Metabase, Inc.
Metabase
cpe:/a:metabase:metabase
version 0.29.3 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Metabase, Inc.
Metabase
https://metabase.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0697
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0697
JVN
JVN#14323043
http://jvn.jp/en/jp/JVN14323043/index.html
National Vulnerability Database (NVD)
CVE-2018-0697
https://nvd.nist.gov/vuln/detail/CVE-2018-0697
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-11T15:36:05+09:00
[2018/10/11]\n Web page was published\n
2
2019-07-26T17:49:04+09:00
[2019/07/26]\n References : Content was added
2018-10-11T15:54:17+09:00
2019-07-26T17:49:38+09:00
2018-10-11T00:00:00+09:00
JVNDB-2018-000106
User-friendly SVN vulnerable to cross-site scripting
User-friendly SVN provided by USVN Team contains a reflected cross-site scripting vulnerability (CWE-79). Jun Okutsu of NTT TechnoCross Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
USVN Team
User-Friendly SVN
cpe:/a:usvn:usvn
Version 1.0.7 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
USVN
USVN 1.0.8
http://www.usvn.info/2018/10/02/usvn-1.0.8
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0695
JVN
JVN#73794686
http://jvn.jp/en/jp/JVN73794686/
National Vulnerability Database (NVD)
CVE-2018-0695
https://nvd.nist.gov/vuln/detail/CVE-2018-0695
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-09T12:28:36+09:00
[2018/10/09]\n Web page was published
2
2019-07-11T17:54:37+09:00
[2019/07/11]\n References : Contents were added
2018-10-09T16:27:27+09:00
2019-07-11T18:00:25+09:00
2018-10-09T00:00:00+09:00
JVNDB-2018-000107
OpenAM (Open Source Edition) vulnerable to session management
OpenAM (Open Source Edition) contains a vulnerability in session management. Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
OpenAM Consortium
OpenAM
cpe:/a:osstech:openam
(Open Source Edition) 13.0 and later
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
A user who can log in to the product may change the security questions and reset the login password.
[Apply the Patch] Patch for this vulnerability has been released by OpenAM Consortium. Apply the patch according to the information provided by OpenAM Consortium. [Apply a Workaround] The following workaround may mitigate the effects of this vulnerability. * Disable the Security Questions function for password resetting
GitHub
Add an authz module for kbaInfo
https://github.com/openam-jp/openam/commit/59a6f7bf0255d9074dab6bc28a07e3b4b77fb91f
JVN
Information from OGIS-RI Co.,Ltd.
http://jvn.jp/en/jp/JVN49995005/996125/index.html
Open Source Solution Technology Corporation
Notice of OpenAM security vulnerability and product updates [AM20181012-1]
https://www.osstech.co.jp/support/am2018-4-1-en
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0696
JVN
JVN#49995005
http://jvn.jp/en/jp/JVN49995005/index.html
National Vulnerability Database (NVD)
CVE-2018-0696
https://nvd.nist.gov/vuln/detail/CVE-2018-0696
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-12T14:05:01+09:00
[2018/10/12]\n Web page was published
2
2019-09-26T16:50:12+09:00
[2019/09/26]\n References : Content was added\n
2018-10-12T14:44:16+09:00
2019-09-26T18:10:54+09:00
2018-10-12T00:00:00+09:00
JVNDB-2018-000109
Multiple vulnerabilities in YukiWiki
YukiWiki is a Wiki engine. YukiWiki contains multiple vulnerabilities listed below. * Cross-site scripting (CWE-79) - CVE-2018-0699 * Processing a particular request consumes large amounts of CPU and memory resources (CWE-400) - CVE-2018-0700 Tanaka Akira of National Institute of Advanced Industrial Science and Technology (AIST) reported the CVE-2018-0700 vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hiroshi Yuki
YukiWiki
cpe:/a:hyuki:yukiwiki
2.1.3 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* An arbitrary script may be executed on the user's web browser. - CVE-2018-0699 * A remote attacker may be able to cause a denial-of-service (DoS) condition. - CVE-2018-0700
[Do not use YukiWiki] YukiWiki is no longer being developed. It is recommended to stop using YukiWiki.
YukiWiki
Information on end of YukiWiki
http://www.hyuki.com/yukiwiki/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0699
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0700
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0700
JVN
JVN#36343375
https://jvn.jp/en/jp/JVN36343375/index.html
National Vulnerability Database (NVD)
CVE-2018-0699
https://nvd.nist.gov/vuln/detail/CVE-2018-0699
National Vulnerability Database (NVD)
CVE-2018-0700
https://nvd.nist.gov/vuln/detail/CVE-2018-0700
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-400
Uncontrolled Resource Consumption ('Resource Exhaustion')
https://cwe.mitre.org/data/definitions/400.html
1
2018-10-19T12:27:28+09:00
[2018/10/19]\n Web page was published
2
2019-08-27T10:31:36+09:00
[2019/08/27]\n References : Contents were added
2018-10-19T14:31:37+09:00
2019-08-27T10:32:17+09:00
2018-10-19T00:00:00+09:00
JVNDB-2018-000110
Web Isolation vulnerable to cross-site scripting
Web Isolation provided by Symantec Corporation contains a reflected cross-site scripting vulnerability (CWE-79).
Symantec Corporation
Web Isolation
cpe:/a:symantec:web_isolation
1.11
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update the software to the latest version according to the information provided by the developer.
Symantec Corporation
Reflected XSS Vulnerability in Web Isolation
https://support.symantec.com/en_US/article.SYMSA1464.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-12246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12246
JVN
JVN#58005743
https://jvn.jp/en/jp/JVN58005743/index.html
National Vulnerability Database (NVD)
CVE-2018-12246
https://nvd.nist.gov/vuln/detail/CVE-2018-12246
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-19T13:41:15+09:00
[2018/10/19]\n Web page was published
2
2019-07-26T14:05:39+09:00
[2019/07/26]\n References : Content was added
2018-10-19T14:45:32+09:00
2019-07-26T14:06:13+09:00
2018-10-19T00:00:00+09:00
JVNDB-2018-000111
BlueStacks App Player fails to restrict access permissions
BlueStacks App Player fails to restrict access permissions (CWE-284). Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Bluestacks
BlueStacks App Player
cpe:/a:bluestacks:bluestacks
for macOS 2.0.0 and later
for Windows 3.0.0 to 4.31.55
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A user with access to the network that is connected to the affected product may gain unauthorized access.
[Update the Software] Windows users should update to the latest version of software according to the information provided by the developer. [Apply Workarounds] macOS users should apply the following workarounds to mitigate the effects of this vulnerability. * Do not connect the machine on which BlueStacks is installed to the network * Block access from outside to 5555/TCP
Bluestacks
BlueStacks fails to restrict access permissions for ADB
https://support.bluestacks.com/hc/en-us/articles/360018274091
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0701
JVN
JVN#60702986
http://jvn.jp/en/jp/JVN60702986/index.html
National Vulnerability Database (NVD)
CVE-2018-0701
https://nvd.nist.gov/vuln/detail/CVE-2018-0701
JVNDB
CWE-284
Improper Access Control
https://cwe.mitre.org/data/definitions/284.html
1
2018-10-24T14:47:55+09:00
[2018/10/24] Web page was published
2
2019-08-27T10:35:20+09:00
[2019/08/27] References: Content was added
2018-10-24T16:13:11+09:00
2019-08-27T10:35:48+09:00
2018-10-24T00:00:00+09:00
JVNDB-2018-000112
SecureCore Standard Edition vulnerable to authentication bypass
SecureCore Standard Edition provided by Feitian Japan Co., Ltd. contains an authentication bypass vulnerability (CWE-287). Daisuke Ota of BizReach, inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Feitian Japan Co., Ltd.
SecureCore Standard Edition
cpe:/a:misc:feitian_japan_securecore_standard_edition
Version 2.x
Low
2.1
AV:L/AC:L/Au:N/C:N/I:P/A:N
Low
2.4
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
An attacker may bypass the product's authentication and log in to a Windows PC.
[Update the Software] Update the software to the latest version according to the information provided by the developer. [Apply the Patch] Apply the patch according to the information provided by the developer. For more information, refer to the information provided by the developer.
JVN
Information from Feitian Japan Co., Ltd.
http://jvn.jp/en/jp/JVN21528670/996248/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16160
JVN
JVN#21528670
http://jvn.jp/en/jp/JVN21528670/index.html
National Vulnerability Database (NVD)
CVE-2018-16160
https://nvd.nist.gov/vuln/detail/CVE-2018-16160
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-10-24T16:06:55+09:00
[2018/10/24] Web page was published
3
2019-08-06T17:33:54+09:00
[2019/08/06] References: Content was added
2018-10-24T16:07:48+09:00
2019-08-06T17:34:39+09:00
2018-10-24T00:00:00+09:00
JVNDB-2018-000113
Multiple vulnerabilities in OpenDolphin
OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below. * Privilege escalation - CVE-2018-16161 * Information disclosure (CWE-200) - CVE-2018-16162 * Failure to restrict access permissions (CWE-284) - CVE-2018-16163 Symantec Japan, Inc. Advisory Services Team reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Life Sciences Computing Corporation
OpenDolphin
cpe:/a:opendolphin:opendolphin
2.7.0 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* A user may perform unintended operations with the administrative privilege - CVE-2018-16161 * A user may obtain other users' sensitive information such as ID and password - CVE-2018-16162 * A user may create or delete other users - CVE-2018-16163
[Update the Software] Update to the latest version according to the information provided by the developer.
Life Sciences Computing Corporation
Life Sciences Computing Corporation website
http://www.digital-globe.co.jp/security20181023.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16163
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16161
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16162
JVN
JVN#59394343
http://jvn.jp/en/jp/JVN59394343/index.html
National Vulnerability Database (NVD)
CVE-2018-16161
https://nvd.nist.gov/vuln/detail/CVE-2018-16161
National Vulnerability Database (NVD)
CVE-2018-16162
https://nvd.nist.gov/vuln/detail/CVE-2018-16162
National Vulnerability Database (NVD)
CVE-2018-16163
https://nvd.nist.gov/vuln/detail/CVE-2018-16163
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-26T14:32:18+09:00
[2018/10/26] Web page was published
2
2019-07-26T14:34:42+09:00
[2019/07/26] References: Contents were added
2018-10-26T16:16:12+09:00
2019-07-26T14:35:31+09:00
2018-10-26T00:00:00+09:00
JVNDB-2018-000114
Confluence Server vulnerable to script injection
User Macros of Confluence Server provided by Atlassian Pty Ltd. contains a script injection vulnerability (CWE-74). Kanta Nishitani of Information Science College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Atlassian
Confluence
cpe:/a:atlassian:confluence
Server Version 6.9.0 and earlier
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
When the administrator embeds a malicious script into User Macros, the embedded script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer.
Atlassian
XSS in User Macros, Macro Title and Icon URL
https://jira.atlassian.com/browse/CONFSERVER-55918
Atlassian
Issues resolved in 6.10.1
https://confluence.atlassian.com/doc/issues-resolved-in-6-10-1-953671313.html
JVN
JVN#37943805
https://jvn.jp/en/jp/JVN37943805/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-29T12:16:57+09:00
[2018/10/29] Web page was published
2018-10-29T13:36:48+09:00
2018-10-29T13:36:48+09:00
2018-10-29T00:00:00+09:00
JVNDB-2018-000115
WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability (CWE-79). Yuta Kitaoka of Tokyo Denki University Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Web-Dorado
Event Calendar WD
cpe:/a:web-dorado:event_calendar_wd
version 1.1.21 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser.
[Update the plugin] Update the plugin according to the information provided by the developer.
Web-Dorado
Changeset 1961423 - WordPress Plugin Repository
https://plugins.trac.wordpress.org/changeset/1961423/
Web-Dorado
WordPress Plugins - Event Calendar WD - Responsive Event Calendar plugin - Changelog
https://wordpress.org/plugins/event-calendar-wd/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16164
JVN
JVN#75738023
https://jvn.jp/en/jp/JVN75738023/index.html
National Vulnerability Database (NVD)
CVE-2018-16164
https://nvd.nist.gov/vuln/detail/CVE-2018-16164
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-02T14:56:13+09:00
[2018/11/02] Web page was published
2
2019-08-27T12:12:23+09:00
[2019/08/27] References: Contents were added
2018-11-02T14:56:13+09:00
2019-08-27T15:15:43+09:00
2018-11-02T00:00:00+09:00
JVNDB-2018-000116
Mail app for iOS vulnerable to denial-of-service (DoS)
Mail app for iOS provided by Apple contains a denial-of-service (DoS) vulnerability due to an issue in the handling of a maliciously crafted S/MIME signed message. Yukinobu Nagayasu of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Apple Inc.
iOS
cpe:/o:apple:iphone_os
Mail app
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Mail app may continuously crash when a maliciously crafted S/MIME signed message is listed on it.
[Update iOS] Update iOS to the latest version according to the information provided by the developer.
Apple
Apple security updates
https://support.apple.com/kb/HT201222
Apple
About the security content of iOS 12.1
https://support.apple.com/HT209192
Common Vulnerabilities and Exposures (CVE)
CVE-2018-4400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4400
JVN
JVN#96551318
http://jvn.jp/en/jp/JVN96551318/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-02T14:42:43+09:00
[2018/11/02] Web page was published
2018-11-02T14:42:43+09:00
2018-11-02T14:42:43+09:00
2018-11-02T00:00:00+09:00
JVNDB-2018-000117
Multiple vulnerabilities in WordPress plugin "LearnPress"
WordPress LMS plugin "LearnPress" contains multiple vulnerabilities listed below. * Cross-site Scripting (CWE-79) - CVE-2018-16173 * Open Redirect (CWE-601) - CVE-2018-16174 * SQL Injection (CWE-89) - CVE-2018-16175 Daiki Sueyoshi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on his own. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
ThimPress
LearnPress
cpe:/a:thimpress:learnpress
prior to version 3.1.0
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
High
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* An arbitrary script may be executed on the logged-in user's web browser - CVE-2018-16173 * Accessing a specially crafted URL may lead a logged-in user to be redirected to an arbitrary website, which may result in a phishing attack - CVE-2018-16174 * A user with an administrative privilege may execute an arbitrary SQL command - CVE-2018-16175
[Update the plugin] Update the plugin according to the information provided by the developer.
ThimPress
LearnPress - WordPress LMS Plugin
https://wordpress.org/plugins/learnpress/
ThimPress
WordPress LMS Plugin - LearnPress - ThimPress
https://thimpress.com/product/wordpress-lms-plugin-learnpress/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16174
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16175
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16173
JVN
JVN#85760090
http://jvn.jp/en/jp/JVN85760090/index.html
National Vulnerability Database (NVD)
CVE-2018-16173
https://nvd.nist.gov/vuln/detail/CVE-2018-16173
National Vulnerability Database (NVD)
CVE-2018-16174
https://nvd.nist.gov/vuln/detail/CVE-2018-16174
National Vulnerability Database (NVD)
CVE-2018-16175
https://nvd.nist.gov/vuln/detail/CVE-2018-16175
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-09T16:13:06+09:00
[2018/11/09] Web page was published
2
2019-08-27T10:12:38+09:00
[2019/08/27] References: Contents were added
2018-11-09T16:13:06+09:00
2019-08-27T11:35:39+09:00
2018-11-09T00:00:00+09:00
JVNDB-2018-000118
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool may insecurely load Dynamic Link Libraries
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Windows10 Fall Creators Update Modify module for Security Measures tool
cpe:/a:ntt_west:fall_creators_update
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Do not use Windows10 Fall Creators Update Modify module] The developer states that Windows10 Fall Creators Update Modify module was a temporary module to help update the older version of Security Measures tool appropriately, and it is no longer necessary since the latest version of Security Measures tool includes the module itself. For details, refer to the information provided by the developer.
Nippon Telegraph and Telephone West Corporation
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION website
https://f-security.jp/v6/support/information/100193.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16177
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#15709478
https://jvn.jp/en/jp/JVN15709478/index.html
National Vulnerability Database (NVD)
CVE-2018-16177
https://nvd.nist.gov/vuln/detail/CVE-2018-16177
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-09T16:13:05+09:00
[2018/11/09] Web page was published
2
2019-08-27T14:25:06+09:00
[2019/08/27] References: Content was added
2018-11-09T16:13:05+09:00
2019-08-27T18:03:40+09:00
2018-11-09T00:00:00+09:00
JVNDB-2018-000119
Cybozu Mailwise vulnerable to directory traversal
Cybozu Mailwise provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing a parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Mailwise
cpe:/a:cybozu:mailwise
5.0.0 to 5.4.5
High
7.8
AV:N/AC:L/Au:N/C:N/I:C/A:N
High
8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
A remote attacker may delete arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006755.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0702
JVN
JVN#83739174
http://jvn.jp/en/jp/JVN83739174/index.html
National Vulnerability Database (NVD)
CVE-2018-0702
https://nvd.nist.gov/vuln/detail/CVE-2018-0702
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-14T15:34:10+09:00
[2018/11/14] Web page was published
2
2019-08-27T11:29:33+09:00
[2019/08/27] References: Content was added
2018-11-14T15:34:10+09:00
2019-08-27T13:37:43+09:00
2018-11-14T00:00:00+09:00
JVNDB-2018-000120
Multiple directory traversal vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple directory traversal vulnerabilities listed below. * Directory traversal vulnerability due to a flaw in processing a parameter of the HTTP request (CWE-22) - CVE-2018-0703 * Directory traversal vulnerability due to a flaw in processing a parameter when logging out Keitai Screen (CWE-22) - CVE-2018-0704 Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.8.1
High
7.8
AV:N/AC:L/Au:N/C:N/I:C/A:N
High
8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
A remote attacker may delete arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006683.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0703
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0704
JVN
JVN#15232217
http://jvn.jp/en/jp/JVN15232217/index.html
National Vulnerability Database (NVD)
CVE-2018-0703
https://nvd.nist.gov/vuln/detail/CVE-2018-0703
National Vulnerability Database (NVD)
CVE-2018-0704
https://nvd.nist.gov/vuln/detail/CVE-2018-0704
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-14T15:38:07+09:00
[2018/11/14] Web page was published
2
2019-08-27T11:05:15+09:00
[2019/08/27] References: Content was added
2018-11-14T15:38:07+09:00
2019-08-27T12:28:09+09:00
2018-11-14T00:00:00+09:00
JVNDB-2018-000121
Cybozu Dezie vulnerable to directory traversal
Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing a parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Dezie
cpe:/a:cybozu:dezie
8.0.2 to 8.1.2
High
7.8
AV:N/AC:L/Au:N/C:N/I:C/A:N
High
8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
A remote attacker may delete arbitrary files on the server.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006698.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0705
JVN
JVN#16697622
http://jvn.jp/en/jp/JVN16697622/index.html
National Vulnerability Database (NVD)
CVE-2018-0705
https://nvd.nist.gov/vuln/detail/CVE-2018-0705
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-14T15:42:39+09:00
[2018/11/14] Web page was published
2
2019-08-27T10:47:59+09:00
[2019/08/27] References: Content was added
2018-11-14T15:42:39+09:00
2019-08-27T12:25:10+09:00
2018-11-14T00:00:00+09:00
JVNDB-2018-000122
Multiple vulnerabilities in Panasonic BN-SDWBP3
BN-SDWBP3 provided by Panasonic Corporation is a Wi-Fi Reader/Writer for SD Memory Cards. BN-SDWBP3 contains multiple vulnerabilities listed below. * Improper Authentication (CWE-287) - CVE-2018-0676 * OS Command Injection (CWE-78) - CVE-2018-0677 * Buffer Overflow (CWE-119) - CVE-2018-0678 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Panasonic Corporation
BN-SDWBP3 firmware
cpe:/o:panasonic:bn-sdwbp3_firmware
version 1.0.9 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* An attacker may access the management screen and execute an arbitrary command. - CVE-2018-0676 * A user on the same LAN who can access the product with an administrative privilege may execute an arbitrary OS command. - CVE-2018-0677 * A user on the same LAN who can access the product with an administrative privilege may execute arbitrary code or perform a denial-of-service (DoS) attack. - CVE-2018-0678
[Update the Firmware] Apply the latest firmware update according to the information provided by the developer.
App Store
Panasonic Wi-Fi Card reader - App Store
https://itunes.apple.com/us/app/wi-fikadorida/id859950047?l=ja&ls=1&mt=8
Google Play
Panasonic Wi-Fi Card reader - Google Play
https://play.google.com/store/apps/details?id=com.panasonic.avc.media.wifirw&hl=en_US
Panasonic
Panasonic Corporation website
https://p3.support.panasonic.com/faq/show/5017?&site_domain=p3
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0676
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0676
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0677
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0677
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0678
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0678
JVN
JVN#65082538
http://jvn.jp/en/jp/JVN65082538/index.html
National Vulnerability Database (NVD)
CVE-2018-0676
https://nvd.nist.gov/vuln/detail/CVE-2018-0676
National Vulnerability Database (NVD)
CVE-2018-0677
https://nvd.nist.gov/vuln/detail/CVE-2018-0677
National Vulnerability Database (NVD)
CVE-2018-0678
https://nvd.nist.gov/vuln/detail/CVE-2018-0678
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2019-06-28T18:28:17+09:00
[2019/06/28] Web page was published
2
2019-08-27T15:29:31+09:00
[2019/08/27] References: Contents were added
2019-06-28T18:28:17+09:00
2019-08-27T17:46:15+09:00
2018-11-20T00:00:00+09:00
JVNDB-2018-000123
Panasonic applications register unquoted service paths
Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths (CWE-428). Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.
Panasonic Corporation
Multiple Computers
cpe:/a:panasonic:multiple_computers
Medium
4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P
High
8.4
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
If a malicious executable is placed on a certain path, it may be executed with the elevated privilege.
[Update the Software] Apply "Remediate Service Path Vulnerability Utility" according to the information provided by the developer.
Panasonic
Remediate Service Path Vulnerability Utility (V1.00L10 M02) Panasonic PC in which Windows 10, Windows 8.1, Windows 8 and Windows 7 are pre-installed
https://pc-dl.panasonic.co.jp/dl/docs/077770
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16183
JVN
JVN#36895151
https://jvn.jp/en/jp/JVN36895151/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-29T14:45:41+09:00
[2018/11/29] Web page was published
2
2019-09-27T10:31:39+09:00
[2019/09/27] References: Content was added
2018-11-29T14:45:41+09:00
2019-09-27T10:31:51+09:00
2018-11-29T00:00:00+09:00
JVNDB-2018-000124
Multiple vulnerabilities in RICOH Interactive Whiteboard
RICOH Interactive Whiteboard provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. * Command injection (CWE-94) - CVE-2018-16184 * Missing file signature - CVE-2018-16185 * Hard-coded credentials for the administrator settings screen - CVE-2018-16186 * The server certificate is self-signed - CVE-2018-16187 * SQL injection (CWE-89) - CVE-2018-16188 RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.
Ricoh Co., Ltd
RICOH Interactive Whiteboard D2200
cpe:/o:ricoh:d2200_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D5500
cpe:/o:ricoh:d5500_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D5510
cpe:/o:ricoh:d5510_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D5520
cpe:/o:ricoh:d5520_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D6500
cpe:/o:ricoh:d6500_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D6510
cpe:/o:ricoh:d6510_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D7500
cpe:/o:ricoh:d7500_firmware
Ricoh Co., Ltd
RICOH Interactive Whiteboard D8400
cpe:/o:ricoh:d8400_firmware
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* A remote attacker may execute an arbitrary command with the administrative privilege - CVE-2018-16184 * A remote attacker may execute an altered program - CVE-2018-16185 * An attacker may log in to the administrator settings screen and change the configuration - CVE-2018-16186 * A man-in-the-middle attack allows an attacker to eavesdrop on an encrypted communication - CVE-2018-16187 * A remote attacker may obtain or alter the information in the database - CVE-2018-16188
[Update the Software] Update to the latest version according to the information provided by the developer.
Ricoh
RICOH COMPANY, LTD. website
https://www.ricoh.com/info/2018/1127_1.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16186
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16187
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16187
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16188
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16184
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16185
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16185
JVN
JVN#55263945
https://jvn.jp/en/jp/JVN55263945/index.html
National Vulnerability Database (NVD)
CVE-2018-16188
https://nvd.nist.gov/vuln/detail/CVE-2018-16188
National Vulnerability Database (NVD)
CVE-2018-16184
https://nvd.nist.gov/vuln/detail/CVE-2018-16184
National Vulnerability Database (NVD)
CVE-2018-16185
https://nvd.nist.gov/vuln/detail/CVE-2018-16185
National Vulnerability Database (NVD)
CVE-2018-16186
https://nvd.nist.gov/vuln/detail/CVE-2018-16186
National Vulnerability Database (NVD)
CVE-2018-16187
https://nvd.nist.gov/vuln/detail/CVE-2018-16187
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-11-27T14:16:31+09:00
[2018/11/27] Web page was published
3
2018-11-29T12:06:11+09:00
[2018/11/29] Information under the section "Overview" was added
4
2018-12-07T11:54:44+09:00
[2018/12/07] Information under the section "Products Affected" was updated
5
2019-08-27T14:57:48+09:00
[2019/08/27] References: Contents were added
2018-11-27T15:26:13+09:00
2019-08-27T17:01:05+09:00
2018-11-27T00:00:00+09:00
JVNDB-2018-000125
The installer of MARKET SPEED may insecurely load Dynamic Link Libraries
The installer of MARKET SPEED provided by Rakuten Securities, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Takashi Sugawara reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Rakuten Securities, Inc.
MARKETSPEED
cpe:/a:rakuten-sec:market_speed
Ver.16.4 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer provided by the developer. Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed the software do not need to re-install the software.
Rakuten Securities, Inc.
Information from Rakuten Securities, Inc.
https://marketspeed.jp/ms1/download/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16182
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#78422300
https://jvn.jp/en/jp/JVN78422300/index.html
National Vulnerability Database (NVD)
CVE-2018-16182
https://nvd.nist.gov/vuln/detail/CVE-2018-16182
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-28T17:27:19+09:00
[2018/11/28] Web page was published
2
2019-08-28T10:00:47+09:00
[2019/08/28] References: Content was added
2018-11-28T17:27:19+09:00
2019-08-28T10:01:15+09:00
2018-11-28T00:00:00+09:00
JVNDB-2018-000126
Multiple vulnerabilities in Cybozu Remote Service
Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below. * Upload of arbitrary files in logo setting screen (CWE-434) - CVE-2018-16169 * Directory traversal in used device management screen (CWE-22) - CVE-2018-16170 * Directory traversal in client certificates registration function (CWE-22) - CVE-2018-16171 * Improper countermeasure against clickjacking attack in client certificates management screen (CWE-451) - CVE-2018-16172 Cybozu, Inc. reported CVE-2018-16169 vulnerability to JPCERT/CC to notify users of the solution through JVN. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported CVE-2018-16170 and CVE-2018-16171 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN. Kanta Nishitani reported CVE-2018-16172 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Cybozu, Inc.
Remote Service
cpe:/a:cybozu:remote_service
3.0.0 to 3.1.0 (CVE-2018-16169)
3.0.0 to 3.1.8 (CVE-2018-16170, CVE-2018-16171, CVE-2018-16172)
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* Arbitrary Java code may be executed on the server. - CVE-2018-16169, CVE-2018-16171 * Arbitrary files on the server may be deleted. - CVE-2018-16170 * A user is tricked into deleting registered client certificates. - CVE-2018-16172
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006786.html
Cybozu support
CyVDB-1937
https://kb.cybozu.support/article/35259/
Cybozu support
CyVDB-1946
https://kb.cybozu.support/article/35260/
Cybozu support
CyVDB-1794
https://kb.cybozu.support/article/34311/
Cybozu support
CyVDB-1738
https://kb.cybozu.support/article/34301/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16169
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16170
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16171
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16172
JVN
JVN#23161885
http://jvn.jp/en/jp/JVN23161885/index.html
National Vulnerability Database (NVD)
CVE-2018-16170
https://nvd.nist.gov/vuln/detail/CVE-2018-16170
National Vulnerability Database (NVD)
CVE-2018-16171
https://nvd.nist.gov/vuln/detail/CVE-2018-16171
National Vulnerability Database (NVD)
CVE-2018-16172
https://nvd.nist.gov/vuln/detail/CVE-2018-16172
National Vulnerability Database (NVD)
CVE-2018-16169
https://nvd.nist.gov/vuln/detail/CVE-2018-16169
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-10T14:26:32+09:00
[2018/12/10] Web page was published
2
2019-08-27T10:28:16+09:00
[2019/08/27] References : Contents were added
2018-12-10T14:26:32+09:00
2019-08-27T11:48:11+09:00
2018-12-10T00:00:00+09:00
JVNDB-2018-000127
EC-CUBE vulnerable to open redirect
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an open redirect vulnerability (CWE-601). LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD. coordinated under the Information Security Early Warning Partnership.
EC-CUBE CO.,LTD.
EC-CUBE
cpe:/a:ec-cube:ec-cube
3.0.0
3.0.1
3.0.10
3.0.11
3.0.12
3.0.12-p1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
When accessing a specially crafted page, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
[Update the software] Update to the latest version according to the information provided by the developer.
LOCKON CO.,LTD
LOCKON CO.,LTD. website
https://www.ec-cube.net/info/weakness/20181113/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16191
JVN
JVN#25359688
https://jvn.jp/en/jp/JVN25359688/index.html
National Vulnerability Database (NVD)
CVE-2018-16191
https://nvd.nist.gov/vuln/detail/CVE-2018-16191
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-28T17:24:38+09:00
[2018/11/28] Web page was published
2018-11-28T17:24:38+09:00
2019-08-28T09:42:43+09:00
2018-11-28T00:00:00+09:00
JVNDB-2018-000128
Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners
Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below.
* Open Redirect (CWE-601) - CVE-2018-0688
* HTTP header injection (CWE-113) - CVE-2018-0689
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SEIKO EPSON CORPORATION
DS-570W
cpe:/a:epson:ds-570w
firmware versions released prior to March 13, 2018
SEIKO EPSON CORPORATION
DS-780N
cpe:/a:epson:ds-780n
firmware versions released prior to March 13, 2018
SEIKO EPSON CORPORATION
EP-10VA
cpe:/a:epson:ep-10va
firmware versions released prior to September 4, 2017
SEIKO EPSON CORPORATION
EP-30VA
cpe:/a:epson:ep-30va
firmware versions released prior to June 19, 2017
SEIKO EPSON CORPORATION
EP-707A
cpe:/a:epson:ep-707a
firmware versions released prior to August 1, 2017
SEIKO EPSON CORPORATION
EP-708A
cpe:/a:epson:ep-708a
firmware versions released prior to August 7, 2017
SEIKO EPSON CORPORATION
EP-709A
cpe:/a:epson:ep-709a
firmware versions released prior to June 12, 2017
SEIKO EPSON CORPORATION
EP-777A
cpe:/a:epson:ep-777a
firmware versions released prior to August 1, 2017
SEIKO EPSON CORPORATION
EP-807AB/AW/AR
cpe:/a:epson:ep-807ab_aw_ar
firmware versions released prior to August 1, 2017
SEIKO EPSON CORPORATION
EP-808AB/AW/AR
cpe:/a:epson:ep-808ab_aw_ar
firmware versions released prior to August 7, 2017
SEIKO EPSON CORPORATION
EP-879AB/AW/AR
cpe:/a:epson:ep-879ab_aw_ar
firmware versions released prior to June 12, 2017
SEIKO EPSON CORPORATION
EP-907F
cpe:/a:epson:ep-907f
firmware versions released prior to August 1, 2017
SEIKO EPSON CORPORATION
EP-977A3
cpe:/a:epson:ep-977a3
firmware versions released prior to August 1, 2017
SEIKO EPSON CORPORATION
EP-978A3
cpe:/a:epson:ep-978a3
firmware versions released prior to August 7, 2017
SEIKO EPSON CORPORATION
EP-979A3
cpe:/a:epson:ep-979a3
firmware versions released prior to June 12, 2017
SEIKO EPSON CORPORATION
EP-M570T
cpe:/a:epson:ep-m570t
firmware versions released prior to September 6, 2017
SEIKO EPSON CORPORATION
EW-M5071FT
cpe:/a:epson:ew-m5071ft
firmware versions released prior to November 2, 2017
SEIKO EPSON CORPORATION
EW-M660FT
cpe:/a:epson:ew-m660ft
firmware versions released prior to April 19, 2018
SEIKO EPSON CORPORATION
EW-M770T
cpe:/a:epson:ew-m770t
firmware versions released prior to September 6, 2017
SEIKO EPSON CORPORATION
PF-70
cpe:/a:epson:pf-70
firmware versions released prior to April 20, 2018
SEIKO EPSON CORPORATION
PF-71
cpe:/a:epson:pf-71
firmware versions released prior to July 18, 2017
SEIKO EPSON CORPORATION
PF-81
cpe:/a:epson:pf-81
firmware versions released prior to September 14, 2017
SEIKO EPSON CORPORATION
PX-048A
cpe:/a:epson:px-048a
firmware versions released prior to July 4, 2017
SEIKO EPSON CORPORATION
PX-049A
cpe:/a:epson:px-049a
firmware versions released prior to September 11, 2017
SEIKO EPSON CORPORATION
PX-437A
cpe:/a:epson:px-437a
firmware versions released prior to July 24, 2017
SEIKO EPSON CORPORATION
PX-M350F
cpe:/a:epson:px-m350f
firmware versions released prior to February 23, 2018
SEIKO EPSON CORPORATION
PX-M5040F
cpe:/a:epson:px-m5040f
firmware versions released prior to November 20, 2017
SEIKO EPSON CORPORATION
PX-M5041F
cpe:/a:epson:px-m5041f
firmware versions released prior to November 20, 2017
SEIKO EPSON CORPORATION
PX-M650A
cpe:/a:epson:px-m650a
firmware versions released prior to October 17, 2017
SEIKO EPSON CORPORATION
PX-M650F
cpe:/a:epson:px-m650f
firmware versions released prior to October 17, 2017
SEIKO EPSON CORPORATION
PX-M680F
cpe:/a:epson:px-m680f
firmware versions released prior to June 29, 2017
SEIKO EPSON CORPORATION
PX-M7050F
cpe:/a:epson:px-m7050f
firmware versions released prior to October 13, 2017
SEIKO EPSON CORPORATION
PX-M7050FP
cpe:/a:epson:px-m7050fp
firmware versions released prior to October 13, 2017
SEIKO EPSON CORPORATION
PX-M7050FX
cpe:/a:epson:px-m7050fx
firmware versions released prior to November 7, 2017
SEIKO EPSON CORPORATION
PX-M7070FX
cpe:/a:epson:px-m7070fx
firmware versions released prior to April 27, 2017
SEIKO EPSON CORPORATION
PX-M740F
cpe:/a:epson:px-m740f
firmware versions released prior to December 4, 2017
SEIKO EPSON CORPORATION
PX-M741F
cpe:/a:epson:px-m741f
firmware versions released prior to December 4, 2017
SEIKO EPSON CORPORATION
PX-M780F
cpe:/a:epson:px-m780f
firmware versions released prior to June 29, 2017
SEIKO EPSON CORPORATION
PX-M781F
cpe:/a:epson:px-m781f
firmware versions released prior to June 27, 2017
SEIKO EPSON CORPORATION
PX-M840F
cpe:/a:epson:px-m840f
firmware versions released prior to November 16, 2017
SEIKO EPSON CORPORATION
PX-M840FX
cpe:/a:epson:px-m840fx
firmware versions released prior to December 8, 2017
SEIKO EPSON CORPORATION
PX-M860F
cpe:/a:epson:px-m860f
firmware versions released prior to October 25, 2017
SEIKO EPSON CORPORATION
PX-S05B/W
cpe:/a:epson:px-s05b_w
firmware versions released prior to March 9, 2018
SEIKO EPSON CORPORATION
PX-S350
cpe:/a:epson:px-s350
firmware versions released prior to February 23, 2018
SEIKO EPSON CORPORATION
PX-S5040
cpe:/a:epson:px-s5040
firmware versions released prior to November 20, 2017
SEIKO EPSON CORPORATION
PX-S7050
cpe:/a:epson:px-s7050
firmware versions released prior to February 21, 2018
SEIKO EPSON CORPORATION
PX-S7050PS
cpe:/a:epson:px-s7050ps
firmware versions released prior to February 21, 2018
SEIKO EPSON CORPORATION
PX-S7050X
cpe:/a:epson:px-s7050x
firmware versions released prior to November 7, 2017
SEIKO EPSON CORPORATION
PX-S7070X
cpe:/a:epson:px-s7070x
firmware versions released prior to April 27, 2017
SEIKO EPSON CORPORATION
PX-S740
cpe:/a:epson:px-s740
firmware versions released prior to December 3, 2017
SEIKO EPSON CORPORATION
PX-S840
cpe:/a:epson:px-s840
firmware versions released prior to November 16, 2017
SEIKO EPSON CORPORATION
PX-S840X
cpe:/a:epson:px-s840x
firmware versions released prior to December 8, 2017
SEIKO EPSON CORPORATION
PX-S860
cpe:/a:epson:px-s860
firmware versions released prior to December 7, 2017
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
* The product's web interface may be abused to redirect web browsers to any web site. - CVE-2018-0688
* The product's web interface may be abused to show fake information or execute arbitrary script on web browsers. - CVE-2018-0689
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
EPSON
SEIKO EPSON CORPORATION website
https://www.epson.jp/support/misc/20181203_oshirase.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0688
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0689
JVN
JVN#89767228
https://jvn.jp/en/jp/JVN89767228/index.html
National Vulnerability Database (NVD)
CVE-2018-0688
https://nvd.nist.gov/vuln/detail/CVE-2018-0688
National Vulnerability Database (NVD)
CVE-2018-0689
https://nvd.nist.gov/vuln/detail/CVE-2018-0689
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-06T16:19:11+09:00
[2018/12/06] Web page was published
2
2019-09-27T09:54:20+09:00
[2019/09/27] References : Contents were added
2018-12-06T16:19:11+09:00
2019-09-27T09:55:35+09:00
2018-12-06T00:00:00+09:00
JVNDB-2018-000129
Multiple vulnerabilities in i-FILTER
i-FILTER provided by Digital Arts Inc. contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2018-16180
* HTTP header injection (CWE-113) - CVE-2018-16181
Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Digital Arts Inc.
i-FILTER
cpe:/a:daj:i-filter
Ver.9.50R05 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16180
* An HTTP response splitting attack may allow an attacker to execute an arbitrary script or set arbitrary cookie values. - CVE-2018-16181
[Update the Software] Update to the latest version according to the information provided by the developer.
Digital Arts Inc.
Digital Arts Inc. website
https://download.daj.co.jp/user/ifilter/V9/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16180
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16181
JVN
JVN#32155106
https://jvn.jp/en/jp/JVN32155106/index.html
National Vulnerability Database (NVD)
CVE-2018-16180
https://nvd.nist.gov/vuln/detail/CVE-2018-16180
National Vulnerability Database (NVD)
CVE-2018-16181
https://nvd.nist.gov/vuln/detail/CVE-2018-16181
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-07T14:12:26+09:00
[2018/12/07] Web page was published
2
2019-08-27T11:22:18+09:00
[2019/08/27] References : Contents were added
2018-12-07T14:30:58+09:00
2019-08-27T11:45:59+09:00
2018-12-07T00:00:00+09:00
JVNDB-2018-000130
Cybozu Garoon access restriction bypass vulnerability
Single sign-on function of Cybozu Garoon provided by Cybozu, Inc. contains a restriction bypass vulnerability (CWE-284). Kanta Nishitani reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
3.0.0 to 4.10.0
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An attacker who can access the product may bypass authentication of the single sign-on function and view information that is available only to signed-on users.
[Apply the Patch] Apply the patch according to the information provided by the developer. [Updated on 2019 April 22] [Update the Software] Update to the latest version according to the information provided by the developer. According to the developer, this vulnerability was addressed in Cybozu Garoon 4.10.1.
Cybozu information
Cybozu, Inc. website
https://cs.cybozu.co.jp/2018/006790.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16178
JVN
JVN#25385698
http://jvn.jp/en/jp/JVN25385698/index.html
National Vulnerability Database (NVD)
CVE-2018-16178
https://nvd.nist.gov/vuln/detail/CVE-2018-16178
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-10T14:14:11+09:00
[2018/12/10] Web page was published
2
2019-04-22T12:24:17+09:00
[2019/04/22] Solution was modified
3
2019-08-27T16:53:27+09:00
[2019/08/27] References : Content was added
2018-12-10T14:14:11+09:00
2019-08-27T16:54:24+09:00
2018-12-10T00:00:00+09:00
JVNDB-2018-000131
Multiple vulnerabilities in Aterm WF1200CR and Aterm WG1200CR
Aterm WF1200CR and Aterm WG1200CR provided by NEC Corporation contain multiple vulnerabilities listed below.
* Information disclosure (CWE-200) - CVE-2018-16192
* Stored cross-site scripting (CWE-79) - CVE-2018-16193
* OS command injection (CWE-78) - CVE-2018-16194
* OS command injection in SOAP interface of UPnP (CWE-78) - CVE-2018-16195
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NEC Corporation
Aterm WF1200CR firmware
cpe:/o:nec:aterm_wf1200cr_firmware
firmware Ver1.1.1 and earlier
NEC Corporation
Aterm WG1200CR firmware
cpe:/o:nec:aterm_wg1200cr_firmware
firmware Ver1.0.1 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* An attacker with access to the device may obtain registered information on the device. - CVE-2018-16192
* An arbitrary script may be executed on a logged-in user's web browser. - CVE-2018-16193
* An attacker who can log in to the device may execute an arbitrary OS command. - CVE-2018-16194
* By having the device load an invalid parameter using the UPnP function, an attacker with access to the device may execute an arbitrary OS command. - CVE-2018-16195
[Update the Firmware] Apply the appropriate firmware update according to the information provided by the developer.
NEC Security Information
Information from NEC Corporation
https://jpn.nec.com/security-info/secinfo/nv18-021.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16194
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16194
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16195
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16192
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16192
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16193
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16193
JVN
JVN#87535892
http://jvn.jp/en/jp/JVN87535892/index.html
National Vulnerability Database (NVD)
CVE-2018-16192
https://nvd.nist.gov/vuln/detail/CVE-2018-16192
National Vulnerability Database (NVD)
CVE-2018-16193
https://nvd.nist.gov/vuln/detail/CVE-2018-16193
National Vulnerability Database (NVD)
CVE-2018-16194
https://nvd.nist.gov/vuln/detail/CVE-2018-16194
National Vulnerability Database (NVD)
CVE-2018-16195
https://nvd.nist.gov/vuln/detail/CVE-2018-16195
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-14T14:53:06+09:00
[2018/12/14] Web page was published
2
2019-08-27T11:08:08+09:00
[2019/08/27] References : Contents were added
2018-12-14T14:53:06+09:00
2019-08-27T11:33:52+09:00
2018-12-14T00:00:00+09:00
JVNDB-2018-000132
Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway
Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-16197: Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16198, CVE-2018-16199: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-16200, CVE-2018-16201: Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW16A
cpe:/o:toshiba:hem-gw16a_firmware
1.2.9 and earlier
TOSHIBA LIGHTING & TECHNOLOGY CORPORATION
TOSHIBA Home Gateway HEM-GW26A
cpe:/o:toshiba:hem-gw26a_firmware
1.2.9 and earlier
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* The information and files stored on the affected device may be accessed. - CVE-2018-16197, CVE-2018-16201
* The affected device may be operated by an attacker. - CVE-2018-16198, CVE-2018-16201
* An arbitrary script may be executed on the user's web browser. - CVE-2018-16199
* An arbitrary OS command may be executed on the affected device. - CVE-2018-16200, CVE-2018-16201
[Update the Firmware] Apply the firmware update according to the information provided by the developer.
Toshiba Lighting & Technology Corporation
Toshiba Lighting & Technology Corporation website
http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20181219/20181219.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16199
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16200
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16201
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16197
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16198
JVN
JVN#99810718
http://jvn.jp/en/jp/JVN99810718/index.html
National Vulnerability Database (NVD)
CVE-2018-16201
https://nvd.nist.gov/vuln/detail/CVE-2018-16201
National Vulnerability Database (NVD)
CVE-2018-16197
https://nvd.nist.gov/vuln/detail/CVE-2018-16197
National Vulnerability Database (NVD)
CVE-2018-16198
https://nvd.nist.gov/vuln/detail/CVE-2018-16198
National Vulnerability Database (NVD)
CVE-2018-16199
https://nvd.nist.gov/vuln/detail/CVE-2018-16199
National Vulnerability Database (NVD)
CVE-2018-16200
https://nvd.nist.gov/vuln/detail/CVE-2018-16200
JVNDB
CWE-255
Credentials Management
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-19T15:20:43+09:00
[2018/12/19] Web page was published
2
2019-08-28T10:44:50+09:00
[2019/08/28] References : Contents were added
2018-12-19T15:20:43+09:00
2019-08-28T10:45:13+09:00
2018-12-19T00:00:00+09:00
JVNDB-2018-000133
cordova-plugin-ionic-webview vulnerable to path traversal
cordova-plugin-ionic-webview provided by npm, Inc. contains a path traversal vulnerability (CWE-22). This vulnerability was first reported to npm, Inc. by the reporters below and then also reported to IPA. Based on the coordination request made by the reporters, JPCERT/CC coordinated with npm, Inc. and published this advisory on JVN. Reporters: Tatsuya Sakamto and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
Ionic
cordova-plugin-ionic-webview
cpe:/a:ionic:cordova-plugin-ionic-webview
versions prior to 2.2.0
Medium
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
A remote attacker may obtain an arbitrary file, such as a file related to an application, on an iOS device. As a result, contents of the file may be disclosed.
[Recreate iOS application incorporating the latest version of cordova-plugin-ionic-webview] This vulnerability has been addressed in cordova-plugin-ionic-webview 2.2.0 and later versions. Developers of iOS applications using cordova-plugin-ionic-webview are recommended to recreate the applications incorporating the latest version of cordova-plugin-ionic-webview to resolve this vulnerability.
ionic-team
ionic-team/cordova-plugin-ionic-webview
https://github.com/ionic-team/cordova-plugin-ionic-webview
npm, Inc.
Path Traversal cordova-plugin-ionic-webview
https://www.npmjs.com/advisories/746
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16202
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16202
JVN
JVN#69812763
http://jvn.jp/en/jp/JVN69812763/index.html
National Vulnerability Database (NVD)
CVE-2018-16202
https://nvd.nist.gov/vuln/detail/CVE-2018-16202
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-21T14:17:41+09:00
[2018/12/21] Web page was published
2
2019-08-28T10:04:16+09:00
[2019/08/28] References : Content was added
2018-12-21T14:17:41+09:00
2019-08-28T10:04:46+09:00
2018-12-21T00:00:00+09:00
JVNDB-2018-000134
PgpoolAdmin fails to restrict access permissions
PgpoolAdmin provided by PgPool Global Development Group fails to restrict access permissions (CWE-264). Fotios Rogkotis of DarkMatter reported this vulnerability to PgPool Global Development Group, and PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.
PgPool Global Development Group
PgpoolAdmin
cpe:/a:pgpool:pgpooladmin
4.0 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A remote attacker may bypass the login authentication and obtain the administrative privilege of the PostgreSQL database.
[Update the Software] Update to the latest version according to the information provided by the developer.
PgPool Global Development Group
Pgpool Wiki
https://pgpool.net/mediawiki/index.php/Main_Page
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16203
JVN
JVN#13199224
http://jvn.jp/en/jp/JVN13199224/index.html
National Vulnerability Database (NVD)
CVE-2018-16203
https://nvd.nist.gov/vuln/detail/CVE-2018-16203
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-21T14:10:28+09:00
[2018/12/21] Web page was published
2
2019-08-27T15:56:49+09:00
[2019/08/27] References : Content was added
2018-12-21T14:10:28+09:00
2019-08-27T17:41:16+09:00
2018-12-21T00:00:00+09:00
JVNDB-2018-000135
WordPress plugin "Google XML Sitemaps" vulnerable to cross-site scripting
The WordPress plugin "Google XML Sitemaps" provided by Arne Brachhold contains a stored cross-site scripting vulnerability (CWE-79). takagisan reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Arne Brachhold
Google XML Sitemaps
cpe:/a:arnebrachhold:google_xml_sitemaps
Version 4.0.9 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
In the case where multiple administrators manage the WordPress site with the affected plugin, an administrator with malicious intent may embed an arbitrary script into the plugin settings page. The embedded script may be executed when another administrator logs in and browses the page.
[Update the plugin] Update the plugin according to the information provided by the developer.
Arne Brachhold
WordPress Plugins - Google XML Sitemaps - Changelog
https://wordpress.org/plugins/google-sitemap-generator/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16204
JVN
JVN#27052429
https://jvn.jp/en/jp/JVN27052429/index.html
National Vulnerability Database (NVD)
CVE-2018-16204
https://nvd.nist.gov/vuln/detail/CVE-2018-16204
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-25T13:46:05+09:00
[2018/12/25] Web page was published
2
2019-08-27T12:01:23+09:00
[2019/08/27] References : Contents were added
2018-12-25T16:19:52+09:00
2019-08-27T15:12:33+09:00
2018-12-25T00:00:00+09:00
JVNDB-2018-000136
Installer of Mapping Tool may insecurely load Dynamic Link Libraries
Installer of Mapping Tool provided by Japan Atomic Energy Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Takashi Sugawara reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Japan Atomic Energy Agency
Mapping Tool
cpe:/a:jaea:mapping_tool
2.0.1.6 and 2.0.1.7
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer provided by the developer. Also when executing the installer, be sure to check there are no suspicious files in the directory where the installer resides. Note that this vulnerability affects the installer only, thus users who have already installed the software do not need to re-install the software.
Japan Atomic Energy Agency
Japan Atomic Energy Agency website
https://emdb.jaea.go.jp/emdb/en/mappingtool.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16176
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#33677949
https://jvn.jp/en/jp/JVN33677949/index.html
National Vulnerability Database (NVD)
CVE-2018-16176
https://nvd.nist.gov/vuln/detail/CVE-2018-16176
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-25T14:02:25+09:00
[2018/12/25] Web page was published
2
2019-08-27T14:07:22+09:00
[2019/08/27] References : Contents were added
2018-12-25T16:18:59+09:00
2019-08-27T16:36:37+09:00
2018-12-25T00:00:00+09:00
JVNDB-2018-000137
GROWI vulnerable to cross-site scripting
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79). The settings option for enabling and disabling the measures against cross-site scripting ("Enable XSS prevention" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer. Takashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WESEEK, Inc.
GROWI
cpe:/a:weseek:growi
v3.2.3 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the user's web browser.
[Update the Software] Update to the latest version according to the information provided by the developer. Another cross-site scripting vulnerability due to a flaw in the processing of "New Page modal" (CVE-2018-16205) was also addressed in v3.2.5.
[Apply a Workaround] If you are using GROWI v3.1.12 and later, and for a certain reason you cannot update or have difficulty with updating the product, log in as an administrator and follow the steps below to properly reflect the settings of "Enable XSS prevention" option.
1. Access Markdown settings (/admin/markdown)
2. Turn "Enable XSS Prevention" option OFF and save
3. Turn "Enable XSS Prevention" option ON, select "Recommended Setting" and save
WESEEK, Inc.
WESEEK, Inc. website
https://weseek.co.jp/security/2018/12/25/growi-prevent-xss2/
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0698
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16205
JVN
JVN#96493183
https://jvn.jp/en/jp/JVN96493183/index.html
National Vulnerability Database (NVD)
CVE-2018-0698
https://nvd.nist.gov/vuln/detail/CVE-2018-0698
National Vulnerability Database (NVD)
CVE-2018-16205
https://nvd.nist.gov/vuln/detail/CVE-2018-16205
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-26T15:30:42+09:00
[2018/12/26] Web page was published
2
2019-08-27T11:23:34+09:00
[2019/08/27] References : Contents were added
2018-12-26T16:36:08+09:00
2019-08-27T15:07:53+09:00
2018-12-26T00:00:00+09:00
JVNDB-2018-000900
ArsenoL vulnerable to cross-site scripting
ArsenoL provided by FlaFla... is software that can be downloaded from the Internet. ArsenoL is dictionary software that is placed on a website and used to post words and their meanings. ArsenoL contains a cross-site scripting vulnerability (CWE-79) where an arbitrary script may be executed when the victim accesses a malicious page created by an attacker. During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline, have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate
FlaFla...
ArsenoL
cpe:/a:arsenol_project:arsenol
Version 0.5
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A victim who is tricked into accessing a malicious link may have the displayed web page altered, or cookie information in the victim's web browser may be leaked.
[Consider stopping use of ArsenoL Version 0.5] Since the developer was unreachable, the existence of any mitigations is unknown.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0534
JVN
JVN#30864198
https://jvn.jp/en/jp/JVN30864198/index.html
National Vulnerability Database (NVD)
CVE-2018-0534
https://nvd.nist.gov/vuln/detail/CVE-2018-0534
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:46:59+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T11:17:22+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:46:59+09:00
2018-06-14T13:58:49+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000901
QQQ SYSTEMS vulnerable to cross-site scripting
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability (CWE-79). When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed on the user's browser. Note that this vulnerability is different from both JVN#96655441 and JVN#46471407. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
Gundam Cult QQQ
QQQ SYSTEMS
cpe:/a:qqq_systems_project:qqq_systems
ver2.24
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A fake page may be shown on a user's browser. Sensitive information such as Cookie data may be retrieved.
[Consider discontinuing use of QQQ SYSTEMS ver2.24] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0536
JVN
JVN#64990648
https://jvn.jp/en/jp/JVN64990648/index.html
National Vulnerability Database (NVD)
CVE-2018-0536
https://nvd.nist.gov/vuln/detail/CVE-2018-0536
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:43:39+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T10:28:17+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:43:39+09:00
2018-06-14T12:31:06+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000902
QQQ SYSTEMS vulnerable to cross-site scripting
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz_op.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability (CWE-79). When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed on the user's browser. Note that this vulnerability is different from both JVN#64990648 and JVN#46471407. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
Gundam Cult QQQ
QQQ SYSTEMS
cpe:/a:qqq_systems_project:qqq_systems
ver2.24
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A fake page may be shown on a user's browser. Sensitive information such as Cookie data may be retrieved.
[Consider discontinuing use of QQQ SYSTEMS ver2.24] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0537
JVN
JVN#96655441
http://jvn.jp/en/jp/JVN96655441/index.html
National Vulnerability Database (NVD)
CVE-2018-0537
https://nvd.nist.gov/vuln/detail/CVE-2018-0537
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:43:40+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T10:32:59+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:43:40+09:00
2018-06-14T13:39:49+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000903
QQQ SYSTEMS vulnerable to cross-site scripting
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. QQQ SYSTEMS contains a stored cross-site scripting vulnerability (CWE-79). When an administrative user of the software accesses a malicious page created by an attacker, an arbitrary script may be executed. Note that this vulnerability is different from both JVN#64990648 and JVN#96655441. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
Gundam Cult QQQ
QQQ SYSTEMS
cpe:/a:qqq_systems_project:qqq_systems
ver2.24
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
High
8.2
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
A victim who is tricked into accessing a malicious link may have the web page display altered, or Cookie information in the victim's browser may be leaked.
[Consider discontinuing use of QQQ SYSTEMS ver2.24] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0538
JVN
JVN#46471407
http://jvn.jp/en/jp/JVN46471407/index.html
National Vulnerability Database (NVD)
CVE-2018-0538
https://nvd.nist.gov/vuln/detail/CVE-2018-0538
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:43:42+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T11:23:36+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:43:42+09:00
2018-06-14T14:03:44+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000904
PHP 2chBBS vulnerable to cross-site scripting
PHP 2chBBS provided by Kagaminokuni is software that can be downloaded from the Internet. PHP 2chBBS is a bulletin board software that can be used by placing it on a website. PHP 2chBBS contains a cross-site scripting vulnerability (CWE-79). During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
Kagaminokuni
PHP 2chBBS
cpe:/a:php_2chbbs_project:php_2chbbs
version bbs18c
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A victim who is tricked into accessing a malicious link may have the webpage display altered, or Cookie information in the victim's web browser may be leaked.
[Consider discontinuing use of PHP 2chBBS version bbs18c] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0535
JVN
JVN#48774168
https://jvn.jp/en/jp/JVN48774168/index.html
National Vulnerability Database (NVD)
CVE-2018-0535
https://nvd.nist.gov/vuln/detail/CVE-2018-0535
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:47:01+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T11:41:57+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:47:01+09:00
2018-06-14T13:55:29+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000905
ViX may insecurely load Dynamic Link Libraries
ViX provided by K_OKADA is a Graphics Viewer Software for Windows. ViX contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries contained in the same directory as an image file (CWE-427). During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
K_OKADA
ViX
cpe:/a:vix_project:vix
version 2.21.148.0
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the running application.
[Consider discontinuing use of ViX version 2.21.148.0] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0540
JVN
JVN#56764650
http://jvn.jp/en/jp/JVN56764650/index.html
National Vulnerability Database (NVD)
CVE-2018-0540
https://nvd.nist.gov/vuln/detail/CVE-2018-0540
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:48:50+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T12:12:26+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:48:50+09:00
2018-06-14T13:52:21+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000906
TinyFTP Daemon vulnerable to buffer overflow
TinyFTP Daemon provided by Hisayuki Nomura is an FTP (File Transfer Protocol) server. TinyFTP Daemon contains a buffer overflow vulnerability (CWE-121). During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
Hisayuki Nomura
Tiny FTP Daemon
cpe:/a:tinyftp_project:tinyftp
Ver0.52d
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An attacker may be able to cause a denial-of-service (DoS) condition or execute arbitrary code.
[Consider discontinuing use of Tiny FTP Daemon Ver0.52d] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0541
JVN
JVN#92259864
http://jvn.jp/en/jp/JVN92259864/index.html
National Vulnerability Database (NVD)
CVE-2018-0541
https://nvd.nist.gov/vuln/detail/CVE-2018-0541
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:48:52+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T11:35:50+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:48:52+09:00
2018-06-14T14:12:53+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000907
QQQ SYSTEMS vulnerable to arbitrary command injection
QQQ SYSTEMS provided by Gundam Cult QQQ is a Perl CGI script to create quiz pages. QQQ SYSTEMS contains an OS command injection vulnerability (CWE-78). During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
Gundam Cult QQQ
QQQ SYSTEMS
cpe:/a:qqq_systems_project:qqq_systems
version 2.24
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
An attacker may execute an arbitrary OS command with the web server's execution privilege.
[Consider discontinuing use of QQQ SYSTEMS 2.24] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0539
JVN
JVN#22536871
http://jvn.jp/en/jp/JVN22536871/index.html
National Vulnerability Database (NVD)
CVE-2018-0539
https://nvd.nist.gov/vuln/detail/CVE-2018-0539
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:43:44+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T11:33:16+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:43:44+09:00
2018-06-14T13:53:27+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-000908
WebProxy vulnerable to directory traversal
WebProxy provided by LunarNight Laboratory is software for creating a proxy server. WebProxy contains a directory traversal vulnerability (CWE-22) due to a flaw in processing certain requests. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied. 1. The developer of the product is unreachable 2. Existence of vulnerability has been verified 3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product 4. There are no particular reasons that would make disclosure inappropriate
LunarNight Laboratory
WebProxy
cpe:/a:ln-lab:webproxy
version 1.7.8
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
A remote attacker may create an arbitrary file on the server where the product is running.
[Consider discontinuing use of WebProxy version 1.7.9] Since the developer was unreachable, it is unknown whether any mitigations exist.
Common Vulnerabilities and Exposures (CVE)
CVE-2018-0542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0542
JVN
JVN#87226910
http://jvn.jp/en/jp/JVN87226910/index.html
National Vulnerability Database (NVD)
CVE-2018-0542
https://nvd.nist.gov/vuln/detail/CVE-2018-0542
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-03-13T16:48:53+09:00
[2018/03/13]\n Web page was published
2
2018-06-14T11:08:20+09:00
[2018/06/14]\n References : Content was added
2018-03-13T16:48:53+09:00
2018-06-14T13:51:36+09:00
2018-03-13T00:00:00+09:00
JVNDB-2018-001388
Multiple Vulnerabilities in Hitachi Command Suite
Multiple vulnerabilities have been found in Hitachi Command Suite: Cross-site Scripting and Open Redirect.
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
Software
Hitachi, Ltd
Hitachi Replication Manager
cpe:/a:hitachi:replication_manager
Software
Medium
5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-108
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-108/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
https://cwe.mitre.org/data/definitions/601.html
0
2018-02-17T10:37:53+09:00
[2018/02/14]\n Web page was published
1
2018-03-01T15:08:58+09:00
[2018/03/01]\n CVSS Severity was modified
2018-02-14T14:58:59+09:00
2018-03-01T15:20:56+09:00
2018-02-13T00:00:00+09:00
JVNDB-2018-001389
XXE Vulnerability in Hitachi Device Manager
An XXE (XML External Entity) Vulnerability was found in Hitachi Device Manager. This vulnerability only affects the Linux cluster environment.
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
High
7.8
AV:N/AC:M/Au:N/C:P/I:N/A:C
High
7.4
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-109
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-109/index.html
JVNDB
CWE-611
Improper Restriction of XML External Entity Reference
https://cwe.mitre.org/data/definitions/611.html
0
2018-02-17T10:37:53+09:00
[2018/02/14]\n Web page was published
1
2018-03-01T15:07:40+09:00
[2018/03/01]\n CVSS Severity was modified
2018-02-14T14:59:00+09:00
2018-03-01T15:20:58+09:00
2018-02-13T00:00:00+09:00
JVNDB-2018-002257
DoS Vulnerability in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager
A DoS Vulnerability was found in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager (Deployment Manager Plug-in).
Hitachi, Ltd
Hitachi Compute Systems Manager
cpe:/a:hitachi:compute_systems_manager
Hitachi, Ltd
JP1/ServerConductor/Deployment Manager
cpe:/a:hitachi:jp1_serverconductor_deployment_manager
Enterprise Edition
Standard Edition
Hitachi, Ltd
ServerConductor/Deployment Manager
cpe:/a:hitachi:serverconductor_deployment_manager
Enterprise Edition
Standard Edition
High
7.8
AV:N/AC:L/Au:N/C:N/I:N/A:C
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-110
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-110/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-04-05T10:22:16+09:00
[2018/04/05]\n Web page was published
2
2018-04-10T10:51:16+09:00
[2018/04/10]\n CVSS Severity was modified
2018-04-05T10:22:16+09:00
2018-04-10T10:55:53+09:00
2018-04-03T00:00:00+09:00
JVNDB-2018-003030
Access Control Vulnerability in Hitachi Infrastructure Analytics Advisor
An Access Control Vulnerability was found in Hitachi Infrastructure Analytics Advisor.
Hitachi, Ltd
Hitachi Infrastructure Analytics Advisor
cpe:/a:hitachi:infrastructure_analytics_advisor
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-114
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-114/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-10T15:10:24+09:00
[2018/05/10]\n Web page was published
2
2018-07-31T11:03:59+09:00
[2018/07/31]\n CVSS Severity was modified
2018-05-10T15:30:11+09:00
2018-07-31T12:12:55+09:00
2018-05-09T00:00:00+09:00
JVNDB-2018-003553
Information Disclosure Vulnerability in Hitachi Automation Director
An Information Disclosure Vulnerability was found in Hitachi Automation Director.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
(English version)
(Japanese version)
Low
3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-116
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-116/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-05-28T12:00:18+09:00
[2018/05/28]\n Web page was published
2
2018-07-31T11:08:30+09:00
[2018/07/31]\n CVSS Severity was modified
2018-05-28T12:13:32+09:00
2018-07-31T12:16:59+09:00
2018-05-25T00:00:00+09:00
JVNDB-2018-006236
Information Disclosure Vulnerability in Hitachi Command Suite
An Information Disclosure Vulnerability was found in Hitachi Command Suite.
Hitachi, Ltd
Hitachi Compute Systems Manager
cpe:/a:hitachi:compute_systems_manager
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
Hitachi, Ltd
Hitachi Replication Manager
cpe:/a:hitachi:replication_manager
Hitachi, Ltd
Hitachi Tiered Storage Manager
cpe:/a:hitachi:tiered_storage_manager
Hitachi, Ltd
Hitachi Tuning Manager
cpe:/a:hitachi:tuning_manager
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-123
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-123/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-14735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14735
National Vulnerability Database (NVD)
CVE-2018-14735
https://nvd.nist.gov/vuln/detail/CVE-2018-14735
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2018-08-14T10:05:10+09:00
[2018/08/14]\n Web page was published
3
2018-09-03T14:27:44+09:00
[2018/09/03]\n CVSS Severity was modified
4
2019-07-24T17:01:35+09:00
[2019/07/24]\n References : Contents were added
2018-08-14T10:04:13+09:00
2019-07-24T17:02:13+09:00
2018-08-08T00:00:00+09:00
JVNDB-2018-006459
Path Traversal Vulnerability in JP1/Automatic Operation
A Path Traversal Vulnerability was found in JP1/Automatic Operation.
Hitachi, Ltd
JP1/Automatic Operation
cpe:/a:hitachi:jp1_automatic_operation
Medium
5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P
High
7.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-127
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-127/index.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-22T17:11:02+09:00
[2018/08/22]\n Web page was published
2
2018-09-03T14:44:34+09:00
[2018/09/03]\n CVSS Severity was modified
2018-08-22T17:11:02+09:00
2018-08-22T17:11:02+09:00
2018-08-21T00:00:00+09:00
JVNDB-2018-006460
Path Traversal Vulnerability in Hitachi Automation Director
A Path Traversal Vulnerability was found in Hitachi Automation Director.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
(English version)
(Japanese version)
Medium
5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P
High
7.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-126
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-126/index.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-08-22T17:11:54+09:00
[2018/08/22]\n Web page was published
2
2018-09-03T14:37:11+09:00
[2018/09/03]\n CVSS Severity was modified
2018-08-22T17:11:54+09:00
2018-08-22T17:11:54+09:00
2018-08-21T00:00:00+09:00
JVNDB-2018-008547
Clickjacking Vulnerability in Hitachi Device Manager
A Clickjacking Vulnerability was found in Hitachi Device Manager.
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-129
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-129/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-22T17:44:35+09:00
[2018/10/22]\n Web page was published
2
2018-11-20T10:24:00+09:00
[2018/11/20]\n CVSS Severity was modified
2018-10-23T13:53:13+09:00
2018-11-20T18:14:36+09:00
2018-10-19T00:00:00+09:00
JVNDB-2018-008573
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor.
Hitachi, Ltd
Hitachi Infrastructure Analytics Advisor
cpe:/a:hitachi:infrastructure_analytics_advisor
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-130
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-130/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-1000613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613
National Vulnerability Database (NVD)
CVE-2018-1000613
https://nvd.nist.gov/vuln/detail/CVE-2018-1000613
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-10-23T14:33:30+09:00
[2018/10/23]\n Web page was published
2
2018-11-20T10:33:00+09:00
[2018/11/20]\n CVSS Severity was modified
2018-10-23T15:15:08+09:00
2018-11-20T18:15:27+09:00
2018-10-22T00:00:00+09:00
JVNDB-2018-009328
Multiple Vulnerabilities in JP1/VERITAS
Multiple vulnerabilities have been found in JP1/VERITAS.
Hitachi, Ltd
JP1/VERITAS NetBackup
cpe:/a:hitachi:jp1_veritas_netbackup
7.7
8.0
8.1
Veritas Technologies LLC.
Veritas NetBackup
cpe:/a:veritas:netbackup
7.7
8.0
8.1
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-133
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-133/index.html
Support
Article ID:100000477
https://www.veritas.com/support/en_US/article.100000477.html
Support
Article ID:100043979
https://www.veritas.com/support/en_US/article.100043979.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-11-15T17:16:48+09:00
[2018/11/15]\n Web page was published
2
2018-11-20T10:39:53+09:00
[2018/11/20]\n CVSS Severity was modified
2018-11-15T17:16:48+09:00
2018-11-20T18:16:03+09:00
2018-11-14T00:00:00+09:00
JVNDB-2018-009387
Mizuho Bank Mizuho Direct App for Android fails to verify SSL server certificates
Mizuho Bank Mizuho Direct App for Android provided by Mizuho Bank, Ltd. fails to verify SSL server certificates (CWE-295). Reo Yoshida reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
Mizuho Bank, Ltd.
Mizuho Direct App
cpe:/a:mizuhobank:mizuho_direct_application
for Android version 3.13.0 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the Application] Update to the latest version according to the information provided by the developer.
JVN
Information from Mizuho Bank, Ltd.
http://jvn.jp/en/vu/JVNVU91640357/995535/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2018-16179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16179
JVN
JVNVU#91640357
http://jvn.jp/en/vu/JVNVU91640357/index.html
National Vulnerability Database (NVD)
CVE-2018-16179
https://nvd.nist.gov/vuln/detail/CVE-2018-16179
JVNDB
CWE-295
Improper Certificate Validation
https://cwe.mitre.org/data/definitions/295.html
1
2018-11-19T15:44:02+09:00
[2018/11/19]\n Web page was published
2
2019-08-27T12:01:10+09:00
[2019/08/27]\n References : Contents were added
2018-11-19T15:44:02+09:00
2019-08-27T16:48:37+09:00
2018-11-16T00:00:00+09:00
JVNDB-2018-010027
Problem with directory permissions in JP1/Operations Analytics
A problem with directory permissions was found in JP1/Operations Analytics.
Hitachi, Ltd
JP1/Operations Analytics
cpe:/a:hitachi:jp1_operation_analytics
Low
3.5
AV:L/AC:H/Au:S/C:P/I:P/A:P
Medium
4.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-135
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-135/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-04T16:43:36+09:00
[2018/12/04]\n Web page was published
2
2019-01-24T10:43:33+09:00
[2019/01/24] CVSS Severity was modified
2018-12-04T16:53:41+09:00
2019-01-24T18:36:28+09:00
2018-12-03T00:00:00+09:00
JVNDB-2018-010028
Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor.
Hitachi, Ltd
Hitachi Infrastructure Analytics Advisor
cpe:/a:hitachi:infrastructure_analytics_advisor
Low
3.5
AV:L/AC:H/Au:S/C:P/I:P/A:P
Medium
4.9
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-134
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-134/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-04T16:39:33+09:00
[2018/12/04] Web page was published
2
2019-01-24T10:26:38+09:00
[2019/01/24] CVSS Severity was modified
2018-12-04T16:53:39+09:00
2019-01-24T18:35:24+09:00
2018-12-03T00:00:00+09:00
JVNDB-2018-010851
Clickjacking Vulnerability in Hitachi Automation Director
A Clickjacking Vulnerability was found in Hitachi Automation Director.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
(English version)
(Japanese version)
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2018-137
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-137/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2018-12-26T12:09:32+09:00
[2018/12/26] Web page was published
2
2019-01-24T10:52:01+09:00
[2019/01/24] CVSS Severity was modified
2018-12-26T12:09:32+09:00
2019-01-24T18:37:23+09:00
2018-12-25T00:00:00+09:00