JVNDB-2022-000001
Canon laser printers and small office multifunctional printers vulnerable to cross-site scripting
Multiple Canon laser printers and small office multifunctional printers contain a stored cross-site scripting vulnerability (CWE-79). Murashima Masahiro of IERAE SECURITY INC. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Canon
(multiple products)
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing the product settings screen.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer.
Canon Europe
Cross-site scripting vulnerability for laser printers and multifunction devices for small offices - 11 January 2022
https://www.canon-europe.com/support/product-security-latest-news/
Canon USA
Canon Laser Printer and Small Office Multifunctional Printer related to cross-site scripting
https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/Service-Notice-Canon-Laser-Printer-and-Small-Office-Multifunctional-Printer-related-to-cross-site-scripting
Common Vulnerabilities and Exposures (CVE)
CVE-2021-20877
https://www.cve.org/CVERecord?id=CVE-2021-20877
JVN
JVN#64806328
https://jvn.jp/en/jp/JVN64806328/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-19T12:35:43+09:00
[2022/01/19]\n Web page was published
2022-01-19T14:00:43+09:00
2022-01-19T14:00:43+09:00
2022-01-19T00:00:00+09:00
JVNDB-2022-000002
Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master"
WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains multiple vulnerabilities listed below. * Cross-site request forgery (CWE-352) - CVE-2022-0180 * Reflected cross-site scripting (CWE-79) - CVE-2022-0181 * Stored cross-site scripting (CWE-79) - CVE-2022-0182 CVE-2022-0180, CVE-2022-0181: Daiki Sueyoshi reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-0182: Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ExpressTech
Quiz And Survey Master
cpe:/a:expresstech:quiz_and_survey_master
versions prior to 7.3.7
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
* If a user who is logged in to the product with administrative privileges accesses a malicious page, unintended operations may be performed - CVE-2022-0180 * An arbitrary script may be executed on the web browser of a user who is logged in to the product with administrative privileges - CVE-2022-0181 * An arbitrary script may be executed on the web browser of a user who is accessing a website that uses the product - CVE-2022-0182
[Update the plugin] Update the plugin according to the information provided by the developer.
ExpressTech
Powerful quiz and survey for WordPress in few minutes!
https://quizandsurveymaster.com/
ExpressTech
Quiz And Survey Master - Best Quiz, Exam and Survey Plugin for WordPress
https://wordpress.org/plugins/quiz-master-next/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0180
https://www.cve.org/CVERecord?id=CVE-2022-0180
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0181
https://www.cve.org/CVERecord?id=CVE-2022-0181
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0182
https://www.cve.org/CVERecord?id=CVE-2022-0182
JVN
JVN#72788165
https://jvn.jp/en/jp/JVN72788165/index.html
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-12T14:39:25+09:00
[2022/01/12]\n Web page was published
2022-01-12T15:33:11+09:00
2022-01-12T15:33:11+09:00
2022-01-12T00:00:00+09:00
JVNDB-2022-000003
Jimoty App for Android uses a hard-coded API key for an external service
Jimoty App for Android provided by Jimoty, Inc. uses a hard-coded API key for an external service (CWE-798). Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Jimoty, Inc.
Jimoty
cpe:/a:misc:jimoty_jimoty
for Android versions prior to 3.7.42
Low
2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N
Medium
4
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An API key for an external service may be obtained by analyzing data in the app. Note that users of the app are not directly affected by this vulnerability.
[Update the Application] Update the application to the latest version according to the information provided by the developer. According to the developer, the latest app no longer hard-codes the API key. The exposed API key has been deactivated, so the key contained in the vulnerable app cannot be abused.
JVN
Information from Jimoty, Inc.
https://jvn.jp/en/jp/JVN49047921/996576/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0131
https://www.cve.org/CVERecord?id=CVE-2022-0131
JVN
JVN#49047921
https://jvn.jp/en/jp/JVN49047921/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-12T14:38:06+09:00
[2022/01/12]\n Web page was published
2022-01-12T15:37:59+09:00
2022-01-12T15:37:59+09:00
2022-01-12T00:00:00+09:00
JVNDB-2022-000004
Label printers "TEPRA" PRO SR5900P / SR-R7900P vulnerable to insufficiently protected credentials
Label printers "TEPRA" PRO SR5900P / SR-R7900P provided by KING JIM CO.,LTD. contain an insufficiently protected credentials vulnerability (CWE-522). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KING JIM CO.,LTD.
Label Printer "Tepra" PRO SR-R7900P
cpe:/o:misc:kingjim_label_printer_tepra_pro_sr-r7900p_software
Ver.1.030 and earlier
KING JIM CO.,LTD.
Label Printer "Tepra" PRO SR5900P
cpe:/o:misc:kingjim_label_printer_tepra_pro_sr5900p_software
Ver.1.080 and earlier
Low
3.3
AV:A/AC:L/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An attacker who can access the products over the network may obtain the credentials used to connect to the Wi-Fi access point in infrastructure mode.
[Update the Software] Update the software to the latest version according to the information provided by the developer. The developer has released the following versions that address the vulnerability. * Label printer "TEPRA" PRO SR5900P Ver.1.090 * Label printer "TEPRA" PRO SR-R7900P Ver.1.040 According to the developer, after the update it is no longer possible to change the Wi-Fi access point settings or read the registered information over the network. The developer has therefore also released the following software, in which the function to access the products over the network has been removed from the TEPRA Network Config Tool. * TEPRA Label Editor SPC10 for Windows, bundling TEPRA Network Config Tool Ver.3.02 * SMA3 printer driver "TEPRA Driver" for macOS, bundling TEPRA Network Config Tool Ver.1.20 The settings can still be changed or read over the USB connection as before.
KING JIM CO.,LTD.
About the vulnerability in Label Printer "TEPRA" PRO SR5900P/SR-R7900P
https://www.kingjim.co.jp/download/security/#sr01
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0184
https://www.cve.org/CVERecord?id=CVE-2022-0184
JVN
JVN#81479705
https://jvn.jp/en/jp/JVN81479705/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-13T14:29:28+09:00
[2022/01/13]\n Web page was published
2022-01-13T15:21:46+09:00
2022-01-13T15:21:46+09:00
2022-01-13T00:00:00+09:00
JVNDB-2022-000005
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 missing encryption
PASSWORD MANAGER "MIRUPASS" PW10 / PW20 provided by KING JIM CO.,LTD. contain a missing encryption vulnerability (CWE-311). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KING JIM CO.,LTD.
Password Manager "MIRUPASS" PW10 firmware
cpe:/o:misc:kingjim_password_manager_mirupass_pw10_firmware
all versions
KING JIM CO.,LTD.
Password Manager "MIRUPASS" PW20 firmware
cpe:/o:misc:kingjim_password_manager_mirupass_pw20_firmware
all versions
Medium
4.9
AV:L/AC:L/Au:N/C:C/I:N/A:N
Medium
4.6
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
A user who can physically access the products may obtain the stored passwords.
[Stop using the products] The developer states that the products are no longer supported; stop using them. It is strongly recommended to erase all stored passwords before disposing of the product.
KING JIM CO.,LTD.
About the vulnerability in Password Manager "MIRUPASS" PW10 / PW20
https://www.kingjim.co.jp/download/security/#mirupass
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0183
https://www.cve.org/CVERecord?id=CVE-2022-0183
JVN
JVN#19826500
https://jvn.jp/en/jp/JVN19826500/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-13T14:56:08+09:00
[2022/01/13]\n Web page was published
2022-01-13T15:26:01+09:00
2022-01-13T15:26:01+09:00
2022-01-13T00:00:00+09:00
JVNDB-2022-000006
Multiple cross-site scripting vulnerabilities in php_mailform
php_mailform provided by econosys system contains multiple cross-site scripting vulnerabilities listed below. * Reflected cross-site scripting vulnerability regarding the checkbox (CWE-79) - CVE-2022-22142 * Reflected cross-site scripting vulnerability regarding the attached file name (CWE-79) - CVE-2022-21805 apple502j reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
econosys system
php_mailform
cpe:/a:misc:econosys_system_php_mailform
prior to Version 1.40
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing a website that uses php_mailform.
[Update the software] Update the software to the latest version according to the information provided by the developer.
econosys system
econosys-system / php_mailform
https://github.com/econosys-system/php_mailform
Common Vulnerabilities and Exposures (CVE)
CVE-2022-22142
https://www.cve.org/CVERecord?id=CVE-2022-22142
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21805
https://www.cve.org/CVERecord?id=CVE-2022-21805
JVN
JVN#16690037
https://jvn.jp/en/jp/JVN16690037/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-20T14:54:07+09:00
[2022/01/20]\n Web page was published
2022-01-20T15:42:12+09:00
2022-01-20T15:42:12+09:00
2022-01-20T00:00:00+09:00
JVNDB-2022-000007
Multiple vulnerabilities in TransmitMail
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below. * Directory traversal vulnerability due to improper validation of external input values (CWE-22) - CVE-2022-22146 * Cross-site scripting (CWE-79) - CVE-2022-21193 ishiyuriniwa reported these vulnerabilities to TAGAWA Takao, the developer, and they coordinated the fix. TAGAWA Takao reported these vulnerabilities to IPA to notify users of the solution through JVN.
TAGAWA Takao
TransmitMail
cpe:/a:dounokouno:transmitmail
2.5.0 to 2.6.1
Medium
5
AV:N/AC:M/Au:N/C:P/I:N/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* A remote attacker may obtain arbitrary files on the server - CVE-2022-22146 * An arbitrary script may be executed on the web browser of the user who is accessing a website that uses the product - CVE-2022-21193
[Update the software] Update the software to the latest version according to the information provided by the developer.
TransmitMail
TAGAWA Takao website
https://dounokouno.com/2022/01/25/about-the-vulnerability-of-transmitmail-v2-5-0-v2-6-1/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-22146
https://www.cve.org/CVERecord?id=CVE-2022-22146
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21193
https://www.cve.org/CVERecord?id=CVE-2022-21193
JVN
JVN#70100915
https://jvn.jp/en/jp/JVN70100915/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-25T14:53:43+09:00
[2022/01/25]\n Web page was published
2022-01-25T15:31:06+09:00
2022-01-25T15:31:06+09:00
2022-01-25T00:00:00+09:00
JVNDB-2022-000008
i-FILTER vulnerable to improper check for certificate revocation
i-FILTER provided by Digital Arts Inc. is vulnerable to improper check for certificate revocation (CWE-299). Digital Arts Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Digital Arts Inc. coordinated under the Information Security Early Warning Partnership.
Digital Arts Inc.
i-FILTER
cpe:/a:daj:i-filter
Ver.10.45R01 and earlier
Ver.9.50R10 and earlier
Digital Arts Inc.
i-FILTER Browser & Cloud MultiAgent for Windows
cpe:/a:daj:i-filter_browser%26cloud_multiagent_for_windows
Ver.4.93R04 and earlier
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attacker presenting a revoked certificate may eavesdrop on an encrypted communication, because the product does not reject the certificate.
[Update the software and add settings] Update the software to the latest version according to the information provided by the developer. After updating to the latest version, enable "Check certificate revocation" from i-FILTER's Management console [Option / SSL Adapter / Basic settings].
Digital Arts Inc.
i-FILTER Ver.10 support (Text in Japanese, login required)
https://download.daj.co.jp/user/ifilter/V10/
Digital Arts Inc.
i-FILTER Ver.9 support (Text in Japanese, login required)
https://download.daj.co.jp/user/ifilter/V9/
Digital Arts Inc.
i-FILTER Browser & Cloud support (Text in Japanese, login required)
https://download.daj.co.jp/user/ifb/
Digital Arts Inc.
D-SPA Ver.4 support (Text in Japanese, login required)
https://download.daj.co.jp/user/dspa/V4/
Digital Arts Inc.
D-SPA Ver.3 support (Text in Japanese, login required)
https://download.daj.co.jp/user/dspa/V3/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21170
https://www.cve.org/CVERecord?id=CVE-2022-21170
JVN
JVN#33214411
http://jvn.jp/en/jp/JVN33214411/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-03-04T13:38:52+09:00
[2022/03/04]\n Web page was published
2022-03-04T14:12:58+09:00
2022-03-04T14:12:58+09:00
2022-03-04T00:00:00+09:00
JVNDB-2022-000009
CSV+ vulnerable to cross-site scripting
CSV+ provided by Plus one is a tabbed CSV editor. CSV+ contains a cross-site scripting vulnerability (CWE-79). Satoki Tsuji reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Plus one
CSV+
cpe:/a:misc:plus_one_csv_plus
prior to 0.8.1
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If the user loads a CSV file containing a crafted tag and clicks the resulting link, an arbitrary script or OS command may be executed.
[Update the Software] Update the software to the latest version according to the information provided by the developer.
Plus one
0.8.1 Fixed a vulnerability
https://github.com/plusone-masaki/csv-plus/releases/tag/v0.8.1
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21241
https://www.cve.org/CVERecord?id=CVE-2022-21241
JVN
JVN#67396225
https://jvn.jp/en/jp/JVN67396225/
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-02-08T16:33:32+09:00
[2022/02/08]\n Web page was published
2022-02-08T16:33:58+09:00
2022-02-08T16:33:58+09:00
2022-02-04T00:00:00+09:00
JVNDB-2022-000010
Multiple vulnerabilities in multiple ELECOM LAN routers
Multiple ELECOM LAN routers provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below. * Hidden functionality (CWE-912) - CVE-2022-21173 * Cross-site scripting (CWE-79) - CVE-2022-21799 CVE-2022-21173 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-21799 RyotaK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ELECOM CO.,LTD.
WRC-300FEBK-R firmware
cpe:/o:elecom:wrc-300febk-r
v1.13 and earlier (CVE-2022-21799)
ELECOM CO.,LTD.
WRH-300BK3 firmware
cpe:/o:elecom:wrh-300bk3_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300BK3-S firmware
cpe:/o:elecom:wrh-300bk3-s_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300DR3-S firmware
cpe:/o:elecom:wrh-300dr3-s_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300LB3-S firmware
cpe:/o:elecom:wrh-300lb3-s_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300PN3-S firmware
cpe:/o:elecom:wrh-300pn3-s_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300WH3 firmware
cpe:/o:elecom:wrh-300wh3_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300WH3-S firmware
cpe:/o:elecom:wrh-300wh3-s_firmware
v1.05 and earlier (CVE-2022-21173)
ELECOM CO.,LTD.
WRH-300YG3-S firmware
cpe:/o:elecom:wrh-300yg3-s_firmware
v1.05 and earlier (CVE-2022-21173)
High
8.3
AV:A/AC:L/Au:N/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* A network-adjacent attacker may execute an arbitrary OS command - CVE-2022-21173 * An arbitrary script may be executed on a logged-in user's web browser - CVE-2022-21799
[Apply the appropriate firmware update] Apply the appropriate firmware update according to the information provided by the developer.
ELECOM CO.,LTD.
ELECOM CO.,LTD. website
https://www.elecom.co.jp/news/security/20220208-02/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21173
https://www.cve.org/CVERecord?id=CVE-2022-21173
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21799
https://www.cve.org/CVERecord?id=CVE-2022-21799
JVN
JVN#17482543
https://jvn.jp/en/jp/JVN17482543/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-02-08T15:41:11+09:00
[2022/02/08]\n Web page was published
2022-02-08T16:13:17+09:00
2022-02-08T16:13:17+09:00
2022-02-08T00:00:00+09:00
JVNDB-2022-000011
HPE Agentless Management registers unquoted service paths
HPE Agentless Management provided by Hewlett Packard Enterprise registers some Windows services with unquoted file paths (CWE-428). Daisuke Ota of PwC Consulting LLC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hewlett Packard Enterprise Co.
HPE Agentless Management Service
cpe:/o:hp:hpe_agentless_management_service
for Windows x64 - versions prior to 1.44.0.0
Hewlett Packard Enterprise Co.
HPE ProLiant Agentless Management Service
cpe:/o:hp:hpe_proliant_agentless_management_service
for HPE Apollo, ProLiant and Synergy Gen9 servers - versions prior to 10.96.0.0
Medium
6.8
AV:L/AC:L/Au:S/C:C/I:C/A:C
High
8.2
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
When a registered Windows service's executable path contains spaces and is not quoted, Windows may resolve the path to an unintended file; a malicious executable placed at one of those intermediate paths may then be executed with the privileges of the service.
[Update the software] Update the software to the latest version according to the information provided by the developer.
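How an unquoted service path is resolved, shown as an added example (this is not HPE's code and is not taken from the bulletin). Windows stores each service's command line under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (also shown by `sc qc <name>`); given such a string, the code lists the file names CreateProcess tries in order, which are exactly the locations where a planted executable would be picked up. The service names and paths in the sample table are constructed and hypothetical, not HPE's actual install locations.

```python
"""Unquoted service path (CWE-428): enumerate the executables Windows would try.

Added example, not HPE's code. The service table at the bottom is constructed
for illustration; the paths are hypothetical and not HPE's actual locations.
"""
import ntpath


def candidate_paths(image_path: str) -> list[str]:
    """Return, in order, the files CreateProcess tries for a service ImagePath.

    A quoted path is unambiguous and yields one candidate. An unquoted path
    containing spaces is ambiguous: Windows tries each space-delimited prefix
    with ".exe" appended until one exists, so
    'C:\\Program Files\\Vendor Tools\\svc.exe' is tried as
    'C:\\Program.exe', then 'C:\\Program Files\\Vendor.exe', then the real file.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1 : path.index('"', 1)]]
    candidates = []
    tokens = path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)  # the intended binary; remaining tokens are arguments
            break
        candidates.append(prefix + ".exe")
    return candidates


def hijack_points(image_path: str) -> list[tuple[str, str]]:
    """(file, directory) pairs that pre-empt the real binary if an attacker can write there."""
    cands = candidate_paths(image_path)
    return [(c, ntpath.dirname(c)) for c in cands[:-1]]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """Detection rule: more than one candidate means the path is exploitable in principle."""
    return len(candidate_paths(image_path)) > 1


# Constructed sample of ImagePath values, in the form they are read from the Services key.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor Tools\svc.exe" --service',
    "BadSvc": r"C:\Program Files\Vendor Tools\svc.exe --service",
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def scan(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each vulnerable service name to the directories where a planted file would win."""
    return {
        name: [d for _, d in hijack_points(path)]
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


if __name__ == "__main__":
    for name, dirs in scan(SAMPLE_SERVICES).items():
        print(f"{name}: write access to {dirs} would hijack the service")
```

On a live host the remaining step is an ACL check on each returned directory: the path is only exploitable where a low-privileged user can create files (a writable `C:\Program Files` subdirectory is the usual finding; `C:\` is normally not writable). The fix is simply to quote the path, for example with `sc config <name> binPath= "\"C:\Program Files\Vendor Tools\svc.exe\""`, which is what the vendor update does.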
Hewlett Packard Enterprise Development LP
SECURITY BULLETIN: HPESBGN04233 - HPE Agentless Management Service for Windows, Unquoted Search Path
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04233en_us
Common Vulnerabilities and Exposures (CVE)
CVE-2021-29218
https://www.cve.org/CVERecord?id=CVE-2021-29218
JVN
JVN#12969207
https://jvn.jp/en/jp/JVN12969207/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-02-09T13:51:30+09:00
[2022/02/09]\n Web page was published
2022-02-09T15:49:56+09:00
2022-02-09T15:49:56+09:00
2022-02-09T00:00:00+09:00
JVNDB-2022-000013
EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery
EC-CUBE plugin "Mail Magazine Management Plugin" provided by EC-CUBE CO.,LTD. contains a cross-site request forgery vulnerability (CWE-352). Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
EC-CUBE CO.,LTD.
Mail Magazine Management Plugin
cpe:/a:ec-cube:email_newsletters_management
ver1.0.0 to 1.0.4 (for EC-CUBE 3 series)
ver4.0.0 to 4.1.1 (for EC-CUBE 4 series)
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
If a user with administrative privileges views a malicious page while logged in to an EC-CUBE installation that has the plugin installed, mail magazine templates and/or transmission history may be deleted unintentionally.
[Update the plugin] Update the plugin to the latest version according to the information provided by the developer. The developer has released the following versions. * ver4.1.2 (for EC-CUBE 4 series) * ver1.0.5 (for EC-CUBE 3 series)
EC-CUBE
EC-CUBE CO.,LTD. website
https://www.ec-cube.net/info/weakness/20220221/mail_magazine_plugin.php
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21179
https://www.cve.org/CVERecord?id=CVE-2022-21179
JVN
JVN#67108459
https://jvn.jp/en/jp/JVN67108459/index.html
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-02-22T13:38:10+09:00
[2022/02/22]\n Web page was published
2022-02-22T14:09:42+09:00
2022-02-22T14:09:42+09:00
2022-02-22T00:00:00+09:00
JVNDB-2022-000014
Multiple vulnerabilities in a-blog cms
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. * Cross-site scripting (CWE-79) - CVE-2022-24374 * Cross-site scripting (CWE-79) - CVE-2022-23916 * Template injection (CWE-1336) - CVE-2022-23810 * Authentication bypass (CWE-291) - CVE-2022-21142 CVE-2022-24374 iwama yuu of Secure Sky Technology Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-23916 Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-23810, CVE-2022-21142 hibiki moriyama of STNet, Incorporated reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
appleple inc.
a-blog cms
cpe:/a:appleple:a-blog_cms
Ver.2.10.x series versions prior to Ver.2.10.43 (CVE-2022-21142)
Ver.2.10.x series versions prior to Ver.2.10.44 (CVE-2022-24374, CVE-2022-23916, CVE-2022-23810)
Ver.2.11.x series versions prior to Ver.2.11.41 (CVE-2022-21142)
Ver.2.11.x series versions prior to Ver.2.11.42 (CVE-2022-24374, CVE-2022-23916, CVE-2022-23810)
Ver.2.8.x series versions prior to Ver.2.8.74 (CVE-2022-21142)
Ver.2.8.x series versions prior to Ver.2.8.75 (CVE-2022-24374, CVE-2022-23916, CVE-2022-23810)
Ver.2.9.x series versions prior to Ver.2.9.39 (CVE-2022-21142)
Ver.2.9.x series versions prior to Ver.2.9.40 (CVE-2022-24374, CVE-2022-23916, CVE-2022-23810)
Ver.3.0.x series versions prior to Ver.3.0.1 (CVE-2022-24374, CVE-2022-23916, CVE-2022-23810)
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
* An arbitrary script may be executed on the web browser of a logged-in user - CVE-2022-24374 * An arbitrary script may be executed on the web browser of a software administrative user - CVE-2022-23916 * A remote attacker may obtain arbitrary files on the server - CVE-2022-23810 * A remote attacker may bypass authentication under specific conditions - CVE-2022-21142
[Update the software] Update the software to the latest version according to the information provided by the developer.
appleple inc.
Multiple vulnerabilities have been discovered
https://developer.a-blogcms.jp/blog/news/security-202202.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-24374
https://www.cve.org/CVERecord?id=CVE-2022-24374
Common Vulnerabilities and Exposures (CVE)
CVE-2022-23916
https://www.cve.org/CVERecord?id=CVE-2022-23916
Common Vulnerabilities and Exposures (CVE)
CVE-2022-23810
https://www.cve.org/CVERecord?id=CVE-2022-23810
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21142
https://www.cve.org/CVERecord?id=CVE-2022-21142
JVN
JVN#14706307
https://jvn.jp/en/jp/JVN14706307/index.html
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-02-18T15:22:12+09:00
[2022/02/18]\n Web page was published
2022-02-18T15:55:57+09:00
2022-02-18T15:55:57+09:00
2022-02-18T00:00:00+09:00
JVNDB-2022-000015
EC-CUBE improperly handles HTTP Host header values
EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values (CWE-913). EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
EC-CUBE CO.,LTD.
EC-CUBE
cpe:/a:ec-cube:ec-cube
3.0.0 to 3.0.18-p3 (EC-CUBE 3 series)
4.0.0 to 4.1.1 (EC-CUBE 4 series)
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
A remote attacker may cause a vulnerable EC-CUBE installation to send its users an e-mail containing a forged password-reissue URL, because the URL is built from the attacker-controlled Host header.
[Apply Workaround] Apply the following workaround to avoid the impacts of this vulnerability. * Set TRUSTED_HOSTS For more information, refer to the information provided by the developer. [Update the software and add the settings] The developer has released EC-CUBE 4.1.2 (for the EC-CUBE 4 series), which provides a user interface for configuring TRUSTED_HOSTS. Configure TRUSTED_HOSTS from [Admin Console > Settings > System Settings > Security]. According to the developer, TRUSTED_HOSTS is configured automatically when EC-CUBE 4.1.2 is newly installed.
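The mechanism behind this entry and the effect of the TRUSTED_HOSTS workaround, as an added example that is not EC-CUBE's code: a password-reissue link built from the request's Host header points wherever the requester says, so an attacker who triggers a reset for a victim's address receives the victim's token when the victim clicks the link. The reset path `/forgot/reset/<token>` and the token value are hypothetical, the request headers are constructed, and the allow-list is modelled as anchored regular expressions (an assumption for this example; the developer's page gives the exact syntax EC-CUBE accepts).

```python
"""Host-header-derived password-reissue URL (the pattern behind CVE-2022-25355)
beside a TRUSTED_HOSTS-style allow-list that closes it.

Added example, not EC-CUBE's code. The reset path and token are hypothetical,
and the request headers used below are constructed.
"""
import re
from urllib.parse import urlunsplit


class UntrustedHost(ValueError):
    """Raised when the Host header matches none of the configured patterns."""


def request_host(headers, trusted_hosts=None):
    """Return the host to embed in absolute URLs.

    With an empty allow-list the function trusts whatever the client sent,
    which is the vulnerable behaviour. Patterns are anchored regular
    expressions matched against the host name without its port (an assumption
    made for this example).
    """
    host = headers.get("Host", "").strip().lower()
    hostname = re.sub(r":\d+$", "", host)
    if not trusted_hosts:
        return host
    if any(re.fullmatch(pattern, hostname) for pattern in trusted_hosts):
        return host
    raise UntrustedHost(host)


def reissue_url(headers, token, trusted_hosts=None):
    """Absolute link placed in the 'reissue your password' e-mail."""
    host = request_host(headers, trusted_hosts)
    return urlunsplit(("https", host, f"/forgot/reset/{token}", "", ""))


if __name__ == "__main__":
    # Constructed requests: one from a real browser, one forged by an attacker
    # who asked the reset endpoint to act for a victim's e-mail address.
    legit = {"Host": "shop.example.jp"}
    forged = {"Host": "attacker.example"}
    print(reissue_url(forged, "tok123"))  # vulnerable: link points at the attacker
    print(reissue_url(legit, "tok123", [r"shop\.example\.jp"]))
    try:
        reissue_url(forged, "tok123", [r"shop\.example\.jp"])
    except UntrustedHost as exc:
        print("rejected Host header:", exc)
```

Two details matter in practice. The match must be anchored (`fullmatch`, not `search`), otherwise `shop.example.jp.attacker.example` passes a pattern written for `shop.example.jp`. And when the shop sits behind a reverse proxy that sets X-Forwarded-Host, that header must go through the same check, since it is equally attacker-controlled unless the proxy overwrites it.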
EC-CUBE
EC-CUBE CO.,LTD. website
https://www.ec-cube.net/info/weakness/20220221/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25355
https://www.cve.org/CVERecord?id=CVE-2022-25355
JVN
JVN#53871926
https://jvn.jp/en/jp/JVN53871926/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-02-22T14:11:58+09:00
[2022/02/22]\n Web page was published
2022-02-22T14:22:10+09:00
2022-02-22T14:22:10+09:00
2022-02-22T00:00:00+09:00
JVNDB-2022-000016
UNIVERGE WA Series vulnerable to OS command injection
UNIVERGE WA Series provided by NEC Platforms, Ltd. contains an OS command injection vulnerability (CWE-78) in its remote system maintenance feature (Local maintenance console / Remote maintenance console / Web based remote console maintenance). NEC Platforms, Ltd. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.
NEC Platforms, Ltd.
UNIVERGE WA Series
cpe:/a:necplatforms:univerge_wa_series
Ver8.2.11 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
If an attacker who can access the product sends specific character strings or a specially crafted request to a specific URL, an arbitrary command may be executed or a denial-of-service (DoS) condition may be caused.
[Update the Software] Update the software to the appropriate version according to the information provided by the developer. * UNIVERGE WA Series Ver8.2.13 and later To obtain the update, contact the sales representative where you purchased the product. [Apply the workarounds] Applying the following workarounds may mitigate the impacts of this vulnerability. * Explicitly create access rules based on source IP addresses, destination IP addresses and port numbers for network connections to the product. * Change the user name and password for ID/password authentication from the initial settings to prevent unauthorized login attempts by a malicious user. * Set a strong password (8 or more characters; mixed case and numbers are recommended).
NEC Platforms, Ltd.
UNIVERGE WA Series vulnerable to OS command injection Status:Vulnerable
https://jvn.jp/en/jp/JVN72801744/6443/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25621
https://www.cve.org/CVERecord?id=CVE-2022-25621
JVN
JVN#72801744
https://jvn.jp/en/jp/JVN72801744/index.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-10T12:31:47+09:00
[2022/03/10]\n Web page was published
2022-03-10T14:31:09+09:00
2022-03-10T14:31:09+09:00
2022-03-10T00:00:00+09:00
JVNDB-2022-000017
Norton Security for Mac improperly processes ICMP packets
Norton Security for Mac provided by NortonLifeLock Inc. is antivirus software. Norton Security for Mac improperly processes ICMP packets, which may cause the OS to crash (CWE-20). Yuki Meguro of Tohoku Information Systems Company, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
NortonLifeLock Inc.
Norton Security
cpe:/a:norton:nortonlifelock_norton_security
for Mac versions prior to 8.6.6
Medium
4.9
AV:L/AC:L/Au:N/C:N/I:N/A:C
High
7.1
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
An unprivileged user may cause a denial-of-service (DoS) condition on the OS.
[Update the Software] Update the software to the latest version according to the information provided by the developer. The developer states that the vulnerability does not exist if the product is updated to version 8.6.6 or later, with macOS 10.15 or later.
NortonLifeLock Inc.
Norton Security for Mac 8.6.6 is now available!
https://community.norton.com/en/blogs/product-service-announcements/norton-security-mac-866-now-available
NortonLifeLock Inc.
Introducing Norton 360
https://us.norton.com/360
JVN
JVN#87683137
http://jvn.jp/en/jp/JVN87683137/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-03-03T13:43:40+09:00
[2022/03/03]\n Web page was published
2022-03-03T14:32:52+09:00
2022-03-03T14:32:52+09:00
2022-03-03T00:00:00+09:00
JVNDB-2022-000018
MarkText vulnerable to cross-site scripting
MarkText is a Markdown editor. MarkText contains a cross-site scripting vulnerability (CWE-79). Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Mark Text
MarkText
cpe:/a:marktext:marktext
versions prior to v0.17.0
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
5
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the PC of the user using the product.
[Update the Software] Update the software to the latest version according to the information provided by the developer.
GitHub
MarkText Release 0.17.0
https://github.com/marktext/marktext/releases/tag/v0.17.0
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21158
https://www.cve.org/CVERecord?id=CVE-2022-21158
JVN
JVN#89524240
http://jvn.jp/en/jp/JVN89524240/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-03-03T13:57:24+09:00
[2022/03/03] Web page was published
2022-03-03T14:40:10+09:00
2022-03-03T14:40:10+09:00
2022-03-03T00:00:00+09:00
JVNDB-2022-000019
pfSense-pkg-WireGuard vulnerable to directory traversal
pfSense-pkg-WireGuard provided by pfSense is an add-on package for pfSense CE and pfSense Plus. pfSense-pkg-WireGuard contains a directory traversal vulnerability (CWE-22). Yutaka WATANABE of Ierae Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Electric Sheep Fencing
pfSense-pkg-WireGuard
cpe:/a:electric_sheep_fencing:pfsense_pfsense-pkg-wireguard
0.1.5 versions prior to 0.1.5_4
0.1.6 versions prior to 0.1.6_1
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
pfSense users may view files in private folders that they do not have privileges to access.
[Update the add-on package] Update the add-on package to the latest version according to the information provided by the developer.
pfSense
pfSense-pkg-WireGuard
https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-WireGuard
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21132
https://www.cve.org/CVERecord?id=CVE-2022-21132
JVN
JVN#85572374
https://jvn.jp/en/jp/JVN85572374/index.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-03T14:33:17+09:00
[2022/03/03] Web page was published
2022-03-03T15:08:35+09:00
2022-03-03T15:08:35+09:00
2022-03-03T00:00:00+09:00
JVNDB-2022-000020
Multiple vulnerabilities in pfSense
pfSense software provided by Netgate contains multiple vulnerabilities listed below. * Cross-site scripting (CWE-79) - CVE-2021-20729 * Improper access control (CWE-284) - CVE-2022-26019 * Improper input validation (CWE-20) - CVE-2022-24299 Yutaka WATANABE of Ierae Security Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Electric Sheep Fencing
pfSense CE
cpe:/a:electric_sheep_fencing:pfsense_pfsense_ce
versions prior to 2.6.0 (CVE-2022-26019, CVE-2022-24299)
versions 2.5.2 and earlier (CVE-2021-20729)
Electric Sheep Fencing
pfSense Plus
cpe:/a:electric_sheep_fencing:pfsense_pfsense_plus
versions 21.05 and earlier (CVE-2021-20729)
versions prior to 22.01 (CVE-2022-26019, CVE-2022-24299)
Critical
9
AV:N/AC:L/Au:S/C:C/I:C/A:C
High
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* An arbitrary script may be executed on a user's web browser when following a malicious URL to visit the captive portal login page - CVE-2021-20729 * A user with the privilege to change NTP GPS settings may overwrite existing files on the file system, resulting in arbitrary command execution - CVE-2022-26019 * A user with the privilege to change OpenVPN client or server settings may execute arbitrary commands - CVE-2022-24299
[Update the software] Update the software to the latest version according to the information provided by the developer.
pfSense
pfSense-SA-21_02.captiveportal - XSS vulnerability in the WebGUI
https://docs.netgate.com/downloads/pfSense-SA-21_02.captiveportal.asc
pfSense
pfSense-SA-22_01.webgui - File overwrite vulnerability in the WebGUI
https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc
pfSense
pfSense-SA-22_03.webgui - Multiple vulnerabilities in the WebGUI
https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc
pfSense
pfSense Open Source Firewall
https://www.pfsense.org/
pfSense
Releases
https://docs.netgate.com/pfsense/en/latest/releases/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2021-20729
https://www.cve.org/CVERecord?id=CVE-2021-20729
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26019
https://www.cve.org/CVERecord?id=CVE-2022-26019
Common Vulnerabilities and Exposures (CVE)
CVE-2022-24299
https://www.cve.org/CVERecord?id=CVE-2022-24299
JVN
JVN#87751554
https://jvn.jp/en/jp/JVN87751554/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-15T13:49:47+09:00
[2022/03/15] Web page was published
2022-03-15T14:58:16+09:00
2022-03-15T14:58:16+09:00
2022-03-15T00:00:00+09:00
JVNDB-2022-000021
Multiple vulnerabilities in KINGSOFT "WPS Office" and "KINGSOFT Internet Security"
"WPS Office" and "KINGSOFT Internet Security" provided by KINGSOFT JAPAN, INC. contain multiple vulnerabilities listed below. * Stack-based buffer overflow (CWE-121) - CVE-2022-25949 * Insecurely loading Dynamic Link Libraries (CWE-427) - CVE-2022-26081, CVE-2022-25969, CVE-2022-26511 These vulnerabilities were reported by the following reporters, and JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-25949: Satoshi Tanda CVE-2022-26081, CVE-2022-26511: Eiji James Yoshida of Security Professionals Network Inc. CVE-2022-25969: Tomohisa Hasegawa
KINGSOFT, INC.
Installer of WPS Office
cpe:/a:kingsoft:installer_of_kingsoft_wps_office
(Reported for Version 10.8.0.5745 and Version 10.8.0.6186)
KINGSOFT, INC.
KINGSOFT Internet Security 9 Plus
cpe:/a:kingsoft:internet_security_9_plus
(Reported for Version 2010.06.23.247)
KINGSOFT, INC.
WPS Presentation
cpe:/a:kingsoft:kingsoft_wps_presentation
(Reported for Version 11.8.0.5745)
Medium
6.8
AV:L/AC:L/Au:S/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
* A user who can log in to the system where the affected product is installed may obtain the administrative privilege. As a result, arbitrary code may be executed in kernel mode - CVE-2022-25949 * Arbitrary code may be executed with the privilege of the user invoking the installer - CVE-2022-26081, CVE-2022-25969 * Arbitrary code may be executed with the privilege of the running program - CVE-2022-26511
[Stop using the products and Switch to alternative products] The developer states that the affected products are no longer supported, and recommends using the alternative unaffected products listed below. CVE-2022-25949 * KINGSOFT Internet Security20 11.1.6.121416.1905 or later versions CVE-2022-26081, CVE-2022-25969 * WPS Office 2 for Windows 11.82.8498 or later versions CVE-2022-26511 * WPS Office 2 for Windows Premium Presentation 11.82.8498 or later versions For more information, refer to the information provided by the developer.
KINGSOFT, INC.
Notice regarding vulnerability:WPS Office,KINGSOFT Internet Security
https://support.kingsoft.jp/support-info/weakness.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25949
https://www.cve.org/CVERecord?id=CVE-2022-25949
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26081
https://www.cve.org/CVERecord?id=CVE-2022-26081
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25969
https://www.cve.org/CVERecord?id=CVE-2022-25969
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26511
https://www.cve.org/CVERecord?id=CVE-2022-26511
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVN
JVN#21234459
https://jvn.jp/en/jp/JVN21234459/index.html
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-16T13:46:01+09:00
[2022/03/16] Web page was published
2022-03-16T14:46:08+09:00
2022-03-16T14:46:08+09:00
2022-03-16T00:00:00+09:00
JVNDB-2022-000022
AttacheCase may insecurely load Dynamic Link Libraries
AttacheCase is open-source file encryption software provided by HiBARA Software. AttacheCase contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HiBARA Software
AttacheCase
cpe:/a:hibara:attachecase
ver.3.6.1.0 and earlier - CVE-2022-28128
ver.4.0.2.7 and earlier - CVE-2022-25348
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege to run the software.
[Update the software] Update the software to the latest version according to the information provided by the developer.
HiBARA Software
HiBARA Software website
https://hibara.org/software/attachecase/?lang=en
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28128
https://www.cve.org/CVERecord?id=CVE-2022-28128
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25348
https://www.cve.org/CVERecord?id=CVE-2022-25348
JVN
JVN#10140834
https://jvn.jp/en/jp/JVN10140834/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-30T12:17:54+09:00
[2022/03/30] Web page was published
2022-03-30T14:00:08+09:00
2022-03-30T14:00:08+09:00
2022-03-30T00:00:00+09:00
JVNDB-2022-000023
WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization
WordPress Plugin "Advanced Custom Fields" provided by Delicious Brains contains a missing authorization vulnerability (CWE-862). Keitaro Yamazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Delicious Brains
Advanced Custom Fields
cpe:/a:advancedcustomfields:advanced_custom_fields
versions prior to 5.12.1
Delicious Brains
Advanced Custom Fields Pro
cpe:/a:advancedcustomfields:advanced_custom_fields_pro
versions prior to 5.12.1
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Users of this product with the Editor, Author or Contributor role may view information in the database that they do not have permission to access.
[Update the plugin] Update the plugin according to the information provided by the developer. The developer has released the versions listed below that address the vulnerability. * Advanced Custom Fields 5.12.1 * Advanced Custom Fields Pro 5.12.1
Advanced Custom Fields
Edit content with Advanced Custom Fields for WordPress Developers.
https://www.advancedcustomfields.com/
Advanced Custom Fields
Advanced Custom Fields
https://wordpress.org/plugins/advanced-custom-fields/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-23183
https://www.cve.org/CVERecord?id=CVE-2022-23183
JVN
JVN#42543427
https://jvn.jp/en/jp/JVN42543427/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-30T13:47:13+09:00
[2022/03/30] Web page was published
2022-03-30T15:23:38+09:00
2022-03-30T15:23:38+09:00
2022-03-30T00:00:00+09:00
JVNDB-2022-000024
Zero-channel BBS Plus vulnerable to cross-site scripting
Zero-channel BBS Plus by Zero-Channel BBS Plus Developers is a bulletin board CGI script. Zero-channel BBS Plus contains a cross-site scripting vulnerability (CWE-79). Zero-Channel BBS Plus Developers reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Zero-Channel BBS Plus Developers coordinated under the Information Security Early Warning Partnership.
Zero-Channel BBS Plus Developers
Zero-channel BBS Plus
cpe:/a:misc:zerochannel_plus_developers_zerochannelplus
v0.7.4 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing the management screen of the product, which may lead to the creation of a management account. As a result, a remote attacker may view the senders' information on the bulletin board, change the settings, and edit or delete posts.
[Update the Software] Update the software to the latest version according to the information provided by the developer.
Zero-Channel BBS Plus Developers
zerochplus 0.7.5
https://osdn.net/projects/zerochplus/releases/77053
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27496
https://www.cve.org/CVERecord?id=CVE-2022-27496
JVN
JVN#59576930
https://jvn.jp/en/jp/JVN59576930/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-30T14:23:34+09:00
[2022/03/30] Web page was published
2022-03-30T15:36:13+09:00
2022-03-30T15:36:13+09:00
2022-03-30T00:00:00+09:00
JVNDB-2022-000026
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability (CWE-352). Kosuke Sakai reported and coordinated with the developer to fix this vulnerability. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership. This JVN publication was delayed to 2022/4/15 after the developer's fix was published.
VideoWhisper.com
MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership
cpe:/a:videowhisper:micropayments_paid_author_subscriptions_content_downloads_membership
versions prior to 1.9.6
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
If a user views a malicious page while logged in with the administrative privilege, unintended operations may be performed.
[Update the plugin] Update the plugin according to the information provided by the developer. The developer has released the version listed below that addresses the vulnerability. * "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" 1.9.6
VideoWhisper
Changes in paid-membership [2345274:2362275]
https://plugins.trac.wordpress.org/changeset?new=2362275%40paid-membership&old=2345274%40paid-membership
VideoWhisper
MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership
https://wordpress.org/plugins/paid-membership/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27629
https://www.cve.org/CVERecord?id=CVE-2022-27629
JVN
JVN#31606885
http://jvn.jp/en/jp/JVN31606885/index.html
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-04-15T12:28:55+09:00
[2022/04/15] Web page was published
2022-04-15T13:15:46+09:00
2022-04-15T13:15:46+09:00
2022-04-15T00:00:00+09:00
JVNDB-2022-000027
Hammock AssetView missing authentication for critical functions
AssetView provided by Hammock Corporation lacks authentication for some critical functions (CWE-306) on the managing server. Denis Faiustov and Ruslan Sayfiev of GMO Cyber Security by IERAE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hammock Corporation
AssetView
cpe:/a:hammock:assetview
prior to Ver.13.2.0
Critical
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Critical
9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
With some knowledge of the system configuration, a remote attacker may upload a crafted configuration file to the managing server, which may cause the managed clients to execute arbitrary code with the administrative privilege.
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released the patch listed below, which contains a fix for this vulnerability. * AssetView Server Communication module Hotfix According to the developer, no patch will be released for versions prior to Ver.11.0.0, as those versions are no longer supported. Therefore, update to Ver.11.0.0 or later, and then apply the patch. For more information, refer to the information provided by the developer (https://assetview.hammock.jp/hc/ja/articles/5527356312089, text in Japanese).
HAMMOCK
JVN#54857505 : AssetView Server Communication Module of Vulnerability (Text in Japanese)
https://www.hammock.jp/assetview/info/220422.html
HAMMOCK
AssetView Server Communication Module Hotfix (JVN#54857505) (Text in Japanese, login required)
https://assetview.hammock.jp/hc/ja/articles/5527356312089
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28719
https://www.cve.org/CVERecord?id=CVE-2022-28719
JVN
JVN#54857505
https://jvn.jp/en/jp/JVN54857505/index.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-04-22T12:27:19+09:00
[2022/04/22] Web page was published
2022-04-22T13:53:52+09:00
2022-04-22T13:53:52+09:00
2022-04-22T00:00:00+09:00
JVNDB-2022-000028
Multiple vulnerabilities in multiple MEIKYO ELECTRIC products
Multiple MEIKYO ELECTRIC products provided by MEIKYO ELECTRIC CO.,LTD. contain multiple vulnerabilities listed below. * Cross-site request forgery (CWE-352) - CVE-2022-27632 * Cross-site scripting (CWE-79) - CVE-2022-28717 Takayuki Sasaki of Yokohama National University reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
MEIKYO ELECTRIC CO.,LTD.
PoE BOOT nino PoE8M2
cpe:/a:misc:meikyoelectric_poe_boot_nino_poe8m2
firmware version 1.00A to 1.20A
MEIKYO ELECTRIC CO.,LTD.
POSE SE10-8A7B1
cpe:/a:misc:meikyoelectric_pose_se10-8a7b1
firmware version 1.00A to 1.20A
MEIKYO ELECTRIC CO.,LTD.
SignageRebooter RPC-M4HSi
cpe:/a:misc:meikyoelectric_signagerebooter_rpc-m4hsi
firmware version 1.00A
MEIKYO ELECTRIC CO.,LTD.
TIME BOOT mini RSC-MT4H
cpe:/a:misc:meikyoelectric_time_boot_mini_rsc-mt4h
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
TIME BOOT mini RSC-MT4HS
cpe:/a:misc:meikyoelectric_time_boot_mini_rsc-mt4hs
firmware version 1.00A to 1.10A
MEIKYO ELECTRIC CO.,LTD.
TIME BOOT RSC-MT8F
cpe:/a:misc:meikyoelectric_time_boot_rsc-mt8f
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
TIME BOOT RSC-MT8FP
cpe:/a:misc:meikyoelectric_time_boot_rsc-mt8fp
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
TIME BOOT RSC-MT8FS
cpe:/a:misc:meikyoelectric_time_boot_rsc-mt8fs
firmware version 1.00A to 1.00E
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT L-zero RPC-M4L
cpe:/a:misc:meikyoelectric_watch_boot_l-zero_rpc-m4l
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT L-zero RPC-M4LS
cpe:/a:misc:meikyoelectric_watch_boot_l-zero_rpc-m4ls
firmware version 1.00A to 1.20A
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT light RPC-M5C
cpe:/a:misc:meikyoelectric_watch_boot_light_rpc-m5c
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT light RPC-M5CS
cpe:/a:misc:meikyoelectric_watch_boot_light_rpc-m5cs
firmware version 1.00A to 1.00D
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT mini RPC-M4H
cpe:/a:misc:meikyoelectric_watch_boot_mini_rpc-m4h
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT nino RPC-M2C
cpe:/a:misc:meikyoelectric_watch_boot_nino_rpc-m2c
[End of Sale] all firmware versions
MEIKYO ELECTRIC CO.,LTD.
WATCH BOOT nino RPC-M2CS
cpe:/a:misc:meikyoelectric_watch_boot_nino_rpc-m2cs
firmware version 1.00A to 1.00D
Medium
4
AV:N/AC:H/Au:N/C:N/I:P/A:P
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
* If a user views a malicious page while logged in to the product's web interface, unintended operations may be performed - CVE-2022-27632 * An arbitrary script may be executed on the web browser of the user who is accessing the product's web interface - CVE-2022-28717
CVE-2022-27632 [Apply the Workaround] Apply the following workaround to avoid the impacts of this vulnerability. * Do not browse pages other than the product's web interface in the same web browser while logged in to the web interface CVE-2022-28717 [Update the firmware] Apply the appropriate firmware update according to the information provided by the developer. For more information, refer to the information provided by the developer (https://www.meikyo.co.jp/vln/). [Stop using the products and Switch to alternative products] The developer states that the following products are no longer supported, and recommends switching to alternative unaffected products. * Rebooter: WATCH BOOT nino RPC-M2C, WATCH BOOT light RPC-M5C, WATCH BOOT L-zero RPC-M4L, WATCH BOOT mini RPC-M4H * Scheduler: TIME BOOT mini RSC-MT4H, TIME BOOT RSC-MT8F, TIME BOOT RSC-MT8FP
MEIKYO ELECTRIC CO.,LTD.
Multiple vulnerabilities in MEIKYO Rebooter, Scheduler, Contact Converter
https://www.meikyo.co.jp/vln/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27632
https://www.cve.org/CVERecord?id=CVE-2022-27632
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28717
https://www.cve.org/CVERecord?id=CVE-2022-28717
JVN
JVN#58266015
http://jvn.jp/en/jp/JVN58266015/index.html
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-09T12:21:09+09:00
[2022/05/09] Web page was published
2022-05-09T14:31:32+09:00
2022-05-09T14:31:32+09:00
2022-05-09T00:00:00+09:00
JVNDB-2022-000029
KOYO Electronics Screen Creator Advance2 vulnerable to authentication bypass
Screen Creator Advance2 provided by KOYO ELECTRONICS INDUSTRIES CO., LTD. is a screen development tool for KOYO ELECTRONICS's HMI. Screen Creator Advance2 contains an authentication bypass vulnerability (CWE-807) due to the improper check for the Remote control setting's account names. KOYO ELECTRONICS INDUSTRIES CO., LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and KOYO ELECTRONICS INDUSTRIES CO., LTD. coordinated under the Information Security Early Warning Partnership.
JTEKT ELECTRONICS CORPORATION
Screen Creator Advance 2
cpe:/a:misc:koyoelectronicsindustries_screen_creator_advance_2
prior to Ver.0.1.1.3 Build01
Low
2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N
Medium
4
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An attacker who can access the HMI from the real-time remote monitoring and control tool may perform arbitrary operations on the HMI. As a result, the information stored in the HMI may be disclosed, deleted or altered, and/or the equipment may be illegally operated via the HMI.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released the following version. * Screen Creator Advance2 Ver.0.1.1.3 Build01 [Apply the workaround] According to the developer, if the Remote control function is not used, applying the following workaround to the product may mitigate the impact of this vulnerability. * Stop using the Remote control function * Change the permission of the Remote control setting from "True" to "False" and overwrite the settings on the HMI For more information, refer to the information provided by the developer.
KOYO ELECTRONICS INDUSTRIES CO., LTD.
[Update notice] Screen Creator Advance 2 software of GC-A2 Series
https://www.koyoele.co.jp/en/topics/202205095016/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29518
https://www.cve.org/CVERecord?id=CVE-2022-29518
JVN
JVN#50337155
http://jvn.jp/en/jp/JVN50337155/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-09T14:06:48+09:00
[2022/05/09] Web page was published
2022-05-09T14:43:53+09:00
2022-05-09T14:43:53+09:00
2022-05-09T00:00:00+09:00
JVNDB-2022-000030
Multiple vulnerabilities in Operation management interface of FUJITSU Network IPCOM
FUJITSU Network IPCOM provided by FUJITSU LIMITED is an integrated network appliance. Operation management interface used to operate FUJITSU Network IPCOM contains multiple vulnerabilities listed below. * OS command injection in the web console (CWE-78) - CVE-2022-29516 * Buffer overflow in the Command Line Interface (CWE-120) - CVE-2020-10188 FUJITSU LIMITED reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and FUJITSU LIMITED coordinated under the Information Security Early Warning Partnership.
FUJITSU
IPCOM EX series
cpe:/a:fujitsu:ipcom_ex
FUJITSU
IPCOM EX2 series
cpe:/a:fujitsu:ipcom_ex2
FUJITSU
IPCOM VA2/VE1 series
cpe:/a:fujitsu:ipcom_va2%2fve1
FUJITSU
IPCOM VE2 series
cpe:/a:fujitsu:ipcom_ve2
Critical
10
AV:N/AC:L/Au:N/C:C/I:C/A:C
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* A remote attacker may execute an arbitrary OS command. * A remote attacker may obtain and/or alter sensitive information. * A remote attacker may be able to cause a denial-of-service (DoS).
[Update the Firmware] Update the firmware to the latest version according to the information provided by the developer. These vulnerabilities have already been addressed in the following firmware versions. * IPCOM EX2 V01L05 NF0501 * IPCOM EX2 V01L20 NF0301 * IPCOM EX2 V02L21 NF0201 * IPCOM EX E20L33 NF1101 * IPCOM EX E30L11 NF0501 * IPCOM VE2 V01L05 NF0303 * IPCOM VA2/VE1 E20L33 NF0902 [Apply the Workaround] Apply one of the following workarounds to prevent unauthorized access from anything other than an authorized Operation management terminal: * Prepare a dedicated network for the Operation management interface and allow access to the Operation management interface only from that network * Set individual permissions for the Operation management terminal For more information, refer to the information provided by the developer (https://www.fujitsu.com/jp/products/network/support/2022/ipcom-01/, text in Japanese).
FUJITSU
FUJITSU LIMITED website
https://www.fujitsu.com/jp/products/network/support/2022/ipcom-01/
Common Vulnerabilities and Exposures (CVE)
CVE-2020-10188
https://www.cve.org/CVERecord?id=CVE-2020-10188
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29516
https://www.cve.org/CVERecord?id=CVE-2022-29516
JPCERT REPORT
JPCERT-AT-2022-0013
https://www.jpcert.or.jp/english/at/2022/at220013.html
JVN
JVN#96561229
http://jvn.jp/en/jp/JVN96561229/index.html
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-09T14:45:31+09:00
[2022/05/09] Web page was published
2
2022-05-10T14:25:56+09:00
[2022/05/10] References : Content was added
3
2022-05-19T15:50:35+09:00
[2022/05/19] Solution was modified
4
2022-05-30T14:12:51+09:00
[2022/05/30] Solution was modified
5
2022-06-03T14:44:59+09:00
[2022/06/03] Solution was modified
6
2022-06-10T14:12:27+09:00
[2022/06/10] Solution was modified
7
2022-06-16T14:12:14+09:00
[2022/06/16] Solution was modified
2022-05-09T15:02:47+09:00
2022-06-16T15:45:36+09:00
2022-05-09T00:00:00+09:00
JVNDB-2022-000031
GENEREX RCCMD vulnerable to directory traversal
RCCMD provided by GENEREX SYSTEMS Computervertriebsgesellschaft mbH contains a directory traversal vulnerability (CWE-22). Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
GENEREX
RCCMD
cpe:/a:generex:rccmd
4.26 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
High
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Arbitrary files on the server may be viewed or altered by an attacker.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer states that the version below, released in fall 2021, addresses the vulnerability. * RCCMD 4.28
GENEREX
Download Center - RCCMD | Generex
https://www.generex.de/support/downloads/software/rccmd/update
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26041
https://www.cve.org/CVERecord?id=CVE-2022-26041
JVN
JVN#60801132
http://jvn.jp/en/jp/JVN60801132/index.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-10T15:22:53+09:00
[2022/05/10] Web page was published
2022-05-10T15:47:34+09:00
2022-05-10T15:47:34+09:00
2022-05-10T00:00:00+09:00
JVNDB-2022-000032
Installer of Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Installer of Trend Micro Password Manager provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Trend Micro, Inc.
Password Manager
cpe:/a:trendmicro:password_manager
versions prior to 3.7.0.1223
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer by following the latest guidance] Use the latest installer along with the latest installation guidance provided by the developer. Users who have already installed the software do not need to re-install, because this issue affects the installers only. The developer states that the vulnerability is addressed in version 3.7.0.1223; however, it recommends switching to the unaffected Password Manager 5.x, because 3.x is no longer supported.
Trend Micro
SECURITY BULLETIN: Password Manager's Software Downloader has DLL Side-loading Vulnerability
https://helpcenter.trendmicro.com/ja-jp/article/TMKA-10977
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28394
https://www.cve.org/CVERecord?id=CVE-2022-28394
JVN
JVN#60037444
http://jvn.jp/en/jp/JVN60037444/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-11T12:18:09+09:00
[2022/05/11] Web page was published
2022-05-11T15:21:20+09:00
2022-05-11T15:21:20+09:00
2022-05-11T00:00:00+09:00
JVNDB-2022-000033
Strapi vulnerable to cross-site scripting
Strapi contains a stored cross-site scripting vulnerability (CWE-79) in the file upload function. Yuta Morioka of Information Science College reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
strapi
strapi
cpe:/a:strapi:strapi
v3.x.x versions and earlier
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.
[Update the Software] Update the software to the latest version according to the information provided by the developer. According to the developer, this vulnerability is fixed in Strapi v4.x.x, and v3.x.x versions are planned to reach end-of-life in September 2022.
GitHub
GitHub - strapi/strapi
https://github.com/strapi/strapi
strapi
Strapi - Open source Node.js Headless CMS
https://strapi.io/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29894
https://www.cve.org/CVERecord?id=CVE-2022-29894
JVN
JVN#44550983
http://jvn.jp/en/jp/JVN44550983/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-13T13:56:51+09:00
[2022/05/13] Web page was published
2022-05-13T16:45:56+09:00
2022-05-13T16:45:56+09:00
2022-05-13T00:00:00+09:00
JVNDB-2022-000034
EC-CUBE plugin "Easy Blog for EC-CUBE4" vulnerable to cross-site request forgery
EC-CUBE plugin "Easy Blog for EC-CUBE4" provided by COREMOBILE Co. Ltd. contains a cross-site request forgery vulnerability (CWE-352). Furukawa Natsumi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
COREMOBILE Inc.
EC-CUBE plugin "Easy Blog for EC-CUBE4"
cpe:/a:misc:coremobile_kantan_blog_for_ec-cube4
Ver.1.0.1 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
If a site administrator who is logged in to the management screen of EC-CUBE on which the plugin is installed accesses a specially crafted page, a blog article or a category may be deleted.
[Update the software] Update the software to the latest version according to the information provided by the developer.
COREMOBILE Inc.
COREMOBILE Co. Ltd. website
https://www.ec-cube.net/products/detail.php?product_id=2217
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27174
https://www.cve.org/CVERecord?id=CVE-2022-27174
JVN
JVN#46241173
http://jvn.jp/en/jp/JVN46241173/index.html
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-13T13:53:59+09:00
[2022/05/13] Web page published
2022-05-13T16:31:54+09:00
2022-05-13T16:31:54+09:00
2022-05-13T00:00:00+09:00
JVNDB-2022-000035
Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* [CyVDB-1584][CyVDB-2670] Operation restriction bypass vulnerability in Bulletin (CWE-285) - CVE-2022-28718
* [CyVDB-1865][CyVDB-2692] Operation restriction bypass vulnerability in Workflow (CWE-285) - CVE-2022-27661
* [CyVDB-2660] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-29892
* [CyVDB-2667] Cross-site scripting vulnerability in Scheduler (CWE-79) - CVE-2022-29513
* [CyVDB-2685] Browse restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-29471
* [CyVDB-2689] Operation restriction bypass vulnerability in Portal (CWE-285) - CVE-2022-26051
* [CyVDB-2718] Improper input validation vulnerability in Scheduler (CWE-20) - CVE-2022-28692
* [CyVDB-2839] Improper input validation vulnerability in Space (CWE-20) - CVE-2022-27803
* [CyVDB-2841] Browse restriction bypass and operation restriction bypass vulnerability in Cabinet (CWE-285) - CVE-2022-26368
* [CyVDB-2889] Cross-site scripting vulnerability in Organization's Information (CWE-79) - CVE-2022-27627
* [CyVDB-2897] Operation restriction bypass vulnerability in Link (CWE-285) - CVE-2022-26054
* [CyVDB-2906] Improper input validation vulnerability in Link (CWE-20) - CVE-2022-27807
* [CyVDB-2932] Address information disclosure vulnerability (CWE-200) - CVE-2022-29467
* [CyVDB-2940] Improper authentication vulnerability in Scheduler (CWE-287) - CVE-2022-28713
* [CyVDB-3001] Operation restriction bypass vulnerability in Space (CWE-285) - CVE-2022-29484
* [CyVDB-2911] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-31472
CVE-2022-27627: Masato Kinugawa reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
CVE-2022-26054, CVE-2022-26368, CVE-2022-31472: Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
CVE-2022-26051, CVE-2022-27661, CVE-2022-27803, CVE-2022-27807, CVE-2022-28692, CVE-2022-28713, CVE-2022-28718, CVE-2022-29467, CVE-2022-29471, CVE-2022-29484, CVE-2022-29513, CVE-2022-29892: Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
4.0.0 to 5.5.1 [CyVDB-1584], [CyVDB-1865], [CyVDB-2670], [CyVDB-2660], [CyVDB-2689], [CyVDB-2692], [CyVDB-2718], [CyVDB-2839], [CyVDB-2841], [CyVDB-2897], [CyVDB-2906], [CyVDB-2911]
4.0.0 to 5.9.0 [CyVDB-3001]
4.10.0 to 5.5.1 [CyVDB-2667], [CyVDB-2940]
4.10.2 to 5.5.1 [CyVDB-2889]
4.2.0 to 5.5.1 [CyVDB-2932]
4.6.0 to 5.9.0 [CyVDB-2685]
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* [CyVDB-1584], [CyVDB-2670]: A user who can log in to the product may alter the data of Bulletin.
* [CyVDB-1865], [CyVDB-2692]: A user who can log in to the product may alter the data of Workflow.
* [CyVDB-2660]: A user who can log in to the product may repeatedly display errors in certain functions and cause a denial-of-service (DoS).
* [CyVDB-2667], [CyVDB-2889]: An arbitrary script may be executed on a logged-in user's web browser.
* [CyVDB-2685]: A user who can log in to the product may obtain the data of Bulletin.
* [CyVDB-2689]: A user who can log in to the product may alter the data of Portal.
* [CyVDB-2718]: A user who can log in to the product may alter the data of Scheduler.
* [CyVDB-2839]: A user who can log in to the product may alter the data of Space.
* [CyVDB-2841]: A user who can log in to the product may alter and/or obtain the data of Cabinet.
* [CyVDB-2897]: A user who can log in to the product may alter the data of Link.
* [CyVDB-2906]: A user who can log in to the product may make it impossible to add Categories.
* [CyVDB-2932]: A user who can log in to the product may obtain some data of Address.
* [CyVDB-2940]: A user may obtain some data of Facility Information without logging in to the product.
* [CyVDB-3001]: A user who can log in to the product may delete the data of Space.
* [CyVDB-2911]: A user who can log in to the product may obtain the data of Cabinet.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2022/007429.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28692
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28713
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28713
Common Vulnerabilities and Exposures (CVE)
CVE-2022-31472
https://www.cve.org/CVERecord?id=CVE-2022-31472
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26051
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26054
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28718
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26368
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26368
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29467
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27627
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29471
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27661
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29484
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27803
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29513
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27807
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29892
JVN
JVN#73897863
http://jvn.jp/en/jp/JVN73897863/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-05-16T12:28:56+09:00
[2022/05/16] Web page was published
3
2022-07-04T12:34:00+09:00
[2022/07/04] Overview was modified; CVSS Severity was modified; Affected Products: Product version was modified; Impact was modified; References: Content was added
4
2022-07-06T17:16:13+09:00
[2022/07/06] Impact was modified
2022-05-16T14:25:24+09:00
2022-07-06T17:39:49+09:00
2022-05-16T00:00:00+09:00
JVNDB-2022-000036
Multiple vulnerabilities in Rakuten Casa
Rakuten Casa provided by Rakuten Mobile, Inc. contains multiple vulnerabilities listed below.
* Use of Hard-coded Credentials (CWE-798) - CVE-2022-29525
* Improper Access Control (CWE-284) - CVE-2022-28704
* Improper Access Control (CWE-284) - CVE-2022-26834
CVE-2022-29525: Narumi Hirai of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2022-28704: Hiroki Oshiro and Tagawa, Masaki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2022-26834: Tagawa, Masaki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Rakuten Mobile, Inc.
Rakuten Casa
cpe:/a:misc:rakuten_mobile_rakuten_casa
version AP_F_V1_4_1 or AP_F_V2_0_0
High
7.8
AV:N/AC:L/Au:N/C:C/I:N/A:N
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* An attacker who can obtain information about the product housing may log in with root privileges and perform arbitrary operations - CVE-2022-29525
* If the product is in its default settings, in which it is set to accept SSH connections from the WAN side, and is also connected to the Internet with the authentication information unchanged from the default settings, a remote attacker may log in with root privileges and perform arbitrary operations - CVE-2022-28704
* The information stored in the product may be obtained, as the product is set to accept HTTP connections from the WAN side by default - CVE-2022-26834
[Update the software] According to the developer, the software that fixes these vulnerabilities was released in August 2021, and where the product housing is properly set up in accordance with the Terms of Installation, the update is applied automatically.
Rakuten Mobile, Inc.
Rakuten Mobile, Inc. website
https://network.mobile.rakuten.co.jp/information/news/product/1033/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29525
https://www.cve.org/CVERecord?id=CVE-2022-29525
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28704
https://www.cve.org/CVERecord?id=CVE-2022-28704
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26834
https://www.cve.org/CVERecord?id=CVE-2022-26834
JVN
JVN#46892984
http://jvn.jp/en/jp/JVN46892984/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-05-19T12:18:49+09:00
[2022/05/19] Web page was published
2022-05-19T15:13:35+09:00
2022-05-19T15:13:35+09:00
2022-05-19T00:00:00+09:00
JVNDB-2022-000037
Spring Security OAuth (spring-security-oauth2) vulnerable to denial-of-service (DoS)
Spring Security OAuth (spring-security-oauth2) provided by VMware, Inc. contains a denial-of-service vulnerability due to uncontrolled resource consumption (CWE-400). Note that Spring Security OAuth (spring-security-oauth2) is no longer supported and Spring Security has been developed as its alternative; a similar vulnerability in Spring Security, known as CVE-2021-22119, was identified but has already been addressed. Macchinetta/TERASOLUNA Framework Development Team: NTT DATA Corporation, NTT COMWARE, and NTT reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
VMware
Spring Security OAuth (spring-security-oauth2)
cpe:/a:vmware:spring_security_oauth
2.5.1 and earlier
Medium
4
AV:N/AC:L/Au:S/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
A website that provides OAuth client functionality using Spring Security OAuth (spring-security-oauth2) may fall into a denial-of-service condition.
[Update the software] Update the software to the latest version according to the information provided by the developer.
NTT DATA Corporation
TERASOLUNA Server Framework for Java (5.x)
https://terasolunaorg.github.io/
VMware
Spring Security OAuth
https://spring.io/projects/spring-security-oauth
VMware Tanzu
CVE-2022-22969: Denial-of-Service (DoS) in spring-security-oauth2
https://tanzu.vmware.com/security/cve-2022-22969
Common Vulnerabilities and Exposures (CVE)
CVE-2022-22969
https://www.cve.org/CVERecord?id=CVE-2022-22969
JVN
JVN#15317878
https://jvn.jp/en/jp/JVN15317878/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-20T16:27:58+09:00
[2022/05/20] Web page was published
2022-05-20T17:04:12+09:00
2022-05-20T17:04:12+09:00
2022-05-20T00:00:00+09:00
JVNDB-2022-000038
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
WordPress plugin "WP Statistics" provided by VeronaLabs contains a cross-site scripting vulnerability (CWE-79). Shogo Kumamaru of LAC CyberLink Co., Ltd reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
VeronaLabs
WP Statistics
cpe:/a:veronalabs:wp_statistics
versions prior to 13.2.0
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user who is logged in to the web site using the product.
[Update the plugin] Update the plugin according to the information provided by the developer.
WP Statistics
WP Statistics
https://wordpress.org/plugins/wp-statistics/
WP Statistics
Changelog
https://wordpress.org/plugins/wp-statistics/#developers
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27231
https://www.cve.org/CVERecord?id=CVE-2022-27231
JVN
JVN#15241647
http://jvn.jp/en/jp/JVN15241647/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-24T14:08:40+09:00
[2022/05/24] Web page was published
2022-05-24T15:00:54+09:00
2022-05-24T15:00:54+09:00
2022-05-24T00:00:00+09:00
JVNDB-2022-000039
RevoWorks incomplete filtering of MS Office v4 macros
RevoWorks SCVX, RevoWorks Browser and RevoWorks Desktop provided by J's Communication Co., Ltd. enable users to run web browsers and to access drives, folders, files and registries in a sandboxed environment. Users can download files from the internet into the sandboxed environment, sanitize them through the "File Sanitization Library" or the "File Sanitization Option", and import them into the local environment. The "File Sanitization Library" and "File Sanitization Option" are implemented with a third-party component, but the component's filtering functionality is incomplete and fails to detect or remove Microsoft Excel 4.0 (XLM) macros (CWE-791). The developer reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and the developer coordinated under the Information Security Early Warning Partnership.
J's Communication Co., Ltd.
RevoWorks Browser
cpe:/a:jscom:revoworks_browser
2.2.67 and prior versions (when using "File Sanitization Option")
J's Communication Co., Ltd.
RevoWorks Desktop
cpe:/a:jscom:revoworks_desktop
2.1.84 and prior versions (when using "File Sanitization Option")
J's Communication Co., Ltd.
RevoWorks SCVX
cpe:/a:jscom:revoworks_scvx
1.043 and prior versions
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Medium
5.2
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
If a user downloads a file, imports it into the local environment and opens it, malicious macros contained in the file may be executed.
[Update the Software] Update the product according to the information provided by the developer. The developer provides the following fixed versions:
* RevoWorks SCVX using "File Sanitization Library" 1.044 and later
* RevoWorks Browser 2.2.69 and later
* RevoWorks Desktop 2.1.85 and later
J's Communication Co., Ltd.
RevoWorks vulnerability information for file sanitization of MS Excel V4 macros
https://jscom.jp/news-20220527/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27176
https://www.cve.org/CVERecord?id=CVE-2022-27176
JVN
JVN#27256219
http://jvn.jp/en/jp/JVN27256219/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-27T16:09:14+09:00
[2022/05/27] Web page was published
2022-05-27T16:09:14+09:00
2022-05-27T16:09:14+09:00
2022-05-27T00:00:00+09:00
JVNDB-2022-000040
Mobaoku-Auction & Flea Market App for iOS vulnerable to improper server certificate verification
Mobaoku-Auction & Flea Market App for iOS provided by DeNA Co., Ltd. is vulnerable to improper server certificate verification (CWE-295). Okazawa Yoshihiro reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
DeNA Co.,Ltd.
Mobaoku Auction & Flea Market App
cpe:/a:dena:dena_mobaoku_auction%26flea_market_app
iOS versions prior to 5.5.16
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the application] Update the application to the latest version according to the information provided by the developer. The developer released the following version that fixes the vulnerability on February 21, 2022:
* Mobaoku-Auction & Flea Market App for iOS version 5.5.16
JVN
Information from DeNA Co., Ltd.
http://jvn.jp/en/jp/JVN13878856/995314/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29482
https://www.cve.org/CVERecord?id=CVE-2022-29482
JVN
JVN#13878856
http://jvn.jp/en/jp/JVN13878856/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-05-27T15:48:30+09:00
[2022/05/27] Web page was published
2022-05-27T15:48:30+09:00
2022-05-27T15:48:30+09:00
2022-05-27T00:00:00+09:00
JVNDB-2022-000041
WordPress Plugin "Modern Events Calendar Lite" vulnerable to cross-site scripting
WordPress Plugin "Modern Events Calendar Lite" provided by Webnus contains a stored cross-site scripting vulnerability (CWE-79). Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Webnus
Modern Events Calendar Lite
cpe:/a:webnus:modern_events_calendar_lite
prior to 6.3.0
Medium
4
AV:N/AC:L/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing the website using the plugin.
[Update the plugin] Update the plugin to the latest version according to the information provided by the developer.
Webnus
Modern Events Calendar Lite Free Download
https://webnus.net/modern-events-calendar/lite/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30533
https://www.cve.org/CVERecord?id=CVE-2022-30533
JVN
JVN#04155116
http://jvn.jp/en/jp/JVN04155116/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-06-01T12:23:54+09:00
[2022/06/01] Web page was published
2022-06-01T13:39:30+09:00
2022-06-01T13:39:30+09:00
2022-06-01T00:00:00+09:00
JVNDB-2022-000042
T&D Data Server and THERMO RECORDER DATA SERVER contain a directory traversal vulnerability
T&D Data Server and THERMO RECORDER DATA SERVER provided by T&D Corporation contain a directory traversal vulnerability (CWE-22). Shun Asai of FiveDrive, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
T&D Corporation
T&D Data Server
cpe:/a:misc:tandd_tandd_data_sever
(English Edition) Ver.2.30 and earlier
(Japanese Edition) Ver.2.22 and earlier
T&D Corporation
THERMO RECORDER DATA SERVER
cpe:/a:misc:tandd_thermo_recorder_date_server
(English Edition) Ver.2.13 and earlier
(Japanese Edition) Ver.2.13 and earlier
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Arbitrary files on the server may be viewed by a remote attacker.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released the fixed versions listed below.
* T&D Data Server (Japanese Edition) Ver.2.31
* T&D Data Server (English Edition) Ver.2.31
* THERMO RECORDER DATA SERVER (Japanese Edition) Ver.2.31
* THERMO RECORDER DATA SERVER (English Edition) Ver.2.31
T&D Corporation website
Vulnerability in "T&D Data Server" and "THERMO RECORDER DATA SERVER"
https://tandd.com/news/detail.html?id=696
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29509
https://www.cve.org/CVERecord?id=CVE-2022-29509
JVN
JVN#28659051
https://jvn.jp/en/jp/JVN28659051/index.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-06-01T16:12:28+09:00
[2022/06/01] Web page was published
2022-06-01T16:12:28+09:00
2022-06-01T16:12:28+09:00
2022-06-01T00:00:00+09:00
JVNDB-2022-000043
SHIRASAGI vulnerable to cross-site scripting
SHIRASAGI provided by SHIRASAGI Project contains a cross-site scripting vulnerability (CWE-79). hibiki moriyama of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SHIRASAGI Project
SHIRASAGI
cpe:/a:ss-proj:shirasagi
v1.0.0 to v1.14.2
v1.15.0
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is using the product.
[Update the Software] Update to the latest version according to the information provided by the developer. The developer has released the versions listed below that address the vulnerability.
* SHIRASAGI v1.14.3 (for v1.14.2 or earlier)
* SHIRASAGI v1.16.0 (for v1.15.0)
GitHub
SHIRASAGI
https://github.com/shirasagi/shirasagi
SHIRASAGI Official Website
JVN#32962443 SHIRASAGI vulnerable to cross-site scripting
https://www.ss-proj.org/support/843.html
SHIRASAGI Official Website
SHIRASAGI Official Website
https://www.ss-proj.org/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29485
https://www.cve.org/CVERecord?id=CVE-2022-29485
JVN
JVN#32962443
http://jvn.jp/en/jp/JVN32962443/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-06-09T12:17:18+09:00
[2022/06/09] Web page was published
2022-06-09T13:31:39+09:00
2022-06-09T13:31:39+09:00
2022-06-09T00:00:00+09:00
JVNDB-2022-000044
Cisco Catalyst 2940 Series Switches vulnerable to cross-site scripting
Cisco Catalyst 2940 Series Switches provided by Cisco Systems, Inc., with firmware versions prior to 12.2(50)SY, improperly process user input when generating error pages, leading to a cross-site scripting vulnerability (CWE-79). The vulnerability was addressed in 12.2(50)SY, released in 2011 (Cisco bug id: CSCek36997), and Cisco Catalyst 2940 Series Switches have been End-of-Support since 2015. Imaoka Ryo of Cyber Security Research Team reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Cisco Systems, Inc.
Cisco Catalyst 2940 Series Switch
cpe:/h:cisco:catalyst_2940
firmware versions prior to 12.2(50)SY
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is using the product.
[Stop using the products and switch to alternative products] The developer states that the affected products are no longer supported, and recommends migrating to alternative, unaffected products.
Cisco Systems Inc
Cisco Catalyst 2940 Series Switches - Retirement Notification
https://www.cisco.com/c/en/us/obsolete/switches/cisco-catalyst-2940-series-switches.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-31734
https://www.cve.org/CVERecord?id=CVE-2022-31734
JVN
JVN#94363766
http://jvn.jp/en/jp/JVN94363766/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-06-14T12:18:52+09:00
[2022/06/14] Web page was published
2022-06-14T13:46:23+09:00
2022-06-14T13:46:23+09:00
2022-06-14T00:00:00+09:00
JVNDB-2022-000045
FreeBSD vulnerable to denial-of-service (DoS)
FreeBSD contains a denial-of-service (DoS) vulnerability (CWE-400) due to improper handling of the TCP timestamp option (TSopt) on TCP connections.
FreeBSD Project.
FreeBSD
cpe:/o:freebsd:freebsd
versions prior to 7.0
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
A remote attacker may be able to cause a denial-of-service (DoS) condition.
[Update the software] Update the software to the latest version according to the information provided by the developer. This vulnerability was fixed on September 25, 2006 by the following FreeBSD commit:
* commit 4dc630cdd2f7a790604d2724ecb19c6aa95130a7
* Author: John-Mark Gurney <jmg@FreeBSD.org>
* Date: Mon Sep 25 07:22:39 2006 +0000
FreeBSD
commit 4dc630cdd2f7a790604d2724ecb19c6aa95130a7
https://cgit.freebsd.org/src/commit/?id=4dc630cdd2f7a790604d2724ecb19c6aa95130a7
FreeBSD
The FreeBSD Project
https://www.freebsd.org/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-32264
https://www.cve.org/CVERecord?id=CVE-2022-32264
JVN
JVN#20930118
http://jvn.jp/en/jp/JVN20930118/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-06-15T12:11:21+09:00
[2022/06/15] Web page was published
2022-06-15T12:28:00+09:00
2022-06-15T12:28:00+09:00
2022-06-15T00:00:00+09:00
JVNDB-2022-000046
GitLab vulnerable to server-side request forgery
GitLab contains a server-side request forgery vulnerability (CWE-918) in the Project Import feature. Kanta Nishitani of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to the developer and coordinated with them. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
GitLab.org
GitLab
cpe:/a:gitlab:gitlab
versions 10.5 to the version prior to 14.5.4
versions 14.6 to the version prior to 14.6.4
versions 14.7 to the version prior to 14.7.1
Medium
5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
The vulnerability allows an attacker to make arbitrary HTTP/HTTPS or git requests inside a GitLab instance's network.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released the following versions that address the vulnerability.
* GitLab 14.7.1
* GitLab 14.6.4
* GitLab 14.5.4
GitLab
GitLab Security Release: 14.7.1, 14.6.4, and 14.5.4 | Blind SSRF Through Project Import
https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/#blind-ssrf-through-project-import
Common Vulnerabilities and Exposures (CVE)
CVE-2022-0136
https://www.cve.org/CVERecord?id=CVE-2022-0136
JVN
JVN#93667442
http://jvn.jp/en/jp/JVN93667442/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-06-17T12:12:28+09:00
[2022/06/17] Web page was published
2022-06-17T12:26:23+09:00
2022-06-17T12:26:23+09:00
2022-06-17T00:00:00+09:00
JVNDB-2022-000047
web2py vulnerable to open redirect
web2py contains an open redirect vulnerability (CWE-601). Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
web2py
web2py
cpe:/a:web2py:web2py
versions prior to 2.22.5
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
[Update the Software] Update the software to the latest version according to the information provided by the developer.
GitHub
web2py improved open redirect prevention
https://github.com/web2py/web2py/commit/d9805606f88f00c0be56438247605cefde73e14e#diff-c1d01f37ee54d813815718760b9c4d7b274e2be7ad18f65552cd564336ab593bR110
GitHub
web2py added validation of send attribute in admin
https://github.com/web2py/web2py/commit/a181b855a43cb8b479d276b082cfcde385768451
web2py
web2py Web Framework
http://web2py.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33146
https://www.cve.org/CVERecord?id=CVE-2022-33146
JVN
JVN#02158640
https://jvn.jp/en/jp/JVN02158640/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-06-23T13:42:56+09:00
[2022/06/23] Web page was published
2022-06-23T14:21:13+09:00
2022-06-23T14:21:13+09:00
2022-06-23T00:00:00+09:00
JVNDB-2022-000048
L2Blocker Sensor setup screen vulnerable to authentication bypass
L2Blocker provided by SOFTCREATE CORP. contains a vulnerability (CWE-288) in which the login authentication of the Sensor can be bypassed by using an alternative path or channel. Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SOFTCREATE CORP.
L2Blocker
cpe:/a:misc:softcreate_l2blocker
(Cloud) Ver4.8.5 and earlier
(on-premise) Ver4.8.5 and earlier
Medium
4.8
AV:A/AC:L/Au:N/C:P/I:P/A:N
Medium
5.4
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
An attacker who can access the device may perform an unauthorized login and obtain the stored information or cause a malfunction of the device.
[Update the Software] Update to the latest version according to the information provided by the developer. The developer released the following version that fixes the vulnerability.
* L2Blocker Ver4.8.6
According to the developer, L2Blocker (Cloud) has already been updated by the developer, therefore no user update is required.
SOFTCREATE CORP.
Authentication bypass vulnerability in L2Blocker sensor setup screen
https://www.softcreate.co.jp/news/detail/210
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33202
https://www.cve.org/CVERecord?id=CVE-2022-33202
JVN
JVN#51464799
https://jvn.jp/en/jp/JVN51464799/index.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-06-24T13:59:50+09:00
[2022/06/24] Web page was published
2022-06-24T14:21:19+09:00
2022-06-24T14:21:19+09:00
2022-06-24T00:00:00+09:00
JVNDB-2022-000049
HOME SPOT CUBE2 vulnerable to OS command injection
HOME SPOT CUBE2 provided by KDDI CORPORATION contains an OS command injection vulnerability (CWE-78) due to improper processing of data received from DHCP server. Alice Rose reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
HOME SPOT CUBE2
cpe:/h:kddi:home_spot_cube_2
V102 and earlier
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed on the product if a malicious DHCP server is placed on the WAN side of the product.
[Apply the workaround] Applying the following workaround may mitigate the impact of this vulnerability.
* Connect the WAN port of the product to a trusted ISP line
The developer states that an attack exploiting this vulnerability is not realistic if the WAN port of the product is connected to a trusted ISP line.
KDDI CORPORATION
HOME SPOT CUBE2
https://www.au.com/support/service/mobile/guide/wlan/home_spot_cube_2/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33948
https://www.cve.org/CVERecord?id=CVE-2022-33948
JVN
JVN#41017328
http://jvn.jp/en/jp/JVN41017328/index.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-06-29T12:38:44+09:00
[2022/06/29]\n Web page was published
2022-06-29T13:42:39+09:00
2022-06-29T13:42:39+09:00
2022-06-29T00:00:00+09:00
JVNDB-2022-000050
LiteCart vulnerable to cross-site scripting
LiteCart contains a cross-site scripting vulnerability (CWE-79). Satoshi Horikoshi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
LiteCart.net
LiteCart
cpe:/a:litecart:litecart
prior to 2.4.2
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
[Update the software] Update the software to the latest version according to the information provided by the developer.
GitHub
GitHub - LiteCart
https://github.com/litecart/litecart
GitHub
Escape HTML characters 2.4.2
https://github.com/litecart/litecart/commit/050fea86cc162f3da2f7824f586602125a0f6d63
LiteCart.net
LiteCart - Free shopping cart platform
https://www.litecart.net/en/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27168
https://www.cve.org/CVERecord?id=CVE-2022-27168
JVN
JVN#32625020
http://jvn.jp/en/jp/JVN32625020/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-04T13:52:43+09:00
[2022/07/04]\n Web page was published
2022-07-04T14:12:31+09:00
2022-07-04T14:12:31+09:00
2022-07-04T00:00:00+09:00
JVNDB-2022-000051
Multiple vulnerabilities in Cybozu Garoon
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below. * [CyVDB-2909] Operation restriction bypass in multiple applications (CWE-285) - CVE-2022-30602 * [CyVDB-3042] Information disclosure in multiple applications (CWE-200) - CVE-2022-29512 <s>* [CyVDB-3111] Improper input validation in multiple applications (CWE-20) - CVE-2022-29926</s> * [CyVDB-3143] Browsing restriction bypass vulnerability in Bulletin (CWE-284) - CVE-2022-30943 CVE-2022-30602 Shuichi Uruma reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. CVE-2022-30943 Yuji Tounai reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. CVE-2022-29512 Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. [Updated on 2022 July 6] The developer identified that [CyVDB-3111] was not a vulnerability after further investigation. Therefore, the JVN advisory was updated by crossing out the description regarding [CyVDB-3111].
Cybozu, Inc.
Cybozu Garoon
cpe:/a:cybozu:garoon
4.0.0 to 5.9.1
Medium
5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
* [CyVDB-2909]: A user who can log in to the product may alter the file information and/or delete the files. * [CyVDB-3042]: A user who can log in to the product may obtain the data without the viewing privilege. <s>* [CyVDB-3111]: A user who can log in to the product may cause a denial-of-service (DoS) condition.</s> * [CyVDB-3143]: A user who can log in to the product may obtain the data of Bulletin.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2022/007682.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30602
https://www.cve.org/CVERecord?id=CVE-2022-30602
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29512
https://www.cve.org/CVERecord?id=CVE-2022-29512
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29926
https://www.cve.org/CVERecord?id=CVE-2022-29926
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30943
https://www.cve.org/CVERecord?id=CVE-2022-30943
JVN
JVN#14077132
http://jvn.jp/en/jp/JVN14077132/index.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-04T13:43:09+09:00
[2022/07/04]\n Web page was published
2
2022-07-06T17:27:01+09:00
[2022/07/06]\n Overview was modified\n CVSS Severity was modified\n Impact was modified\n CWE was modified
2022-07-04T14:17:29+09:00
2022-07-06T17:45:13+09:00
2022-07-04T00:00:00+09:00
JVNDB-2022-000052
Passage Drive vulnerable to insufficient data verification
Passage Drive provided by Yokogawa Rental & Lease Corporation contains an insufficient data verification vulnerability for interprocess communication (CWE-20). Yokogawa Rental & Lease Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Yokogawa Rental & Lease Corporation coordinated under the Information Security Early Warning Partnership.
Yokogawa Rental & Lease Corporation
Passage Drive
cpe:/a:misc:yokogawa_renta_lease_passage_drive
v1.4.0 to v1.5.1.0
Yokogawa Rental & Lease Corporation
Passage Drive for Box
cpe:/a:misc:yokogawa_renta_lease_passage_drive_for_box
v1.0.0
Critical
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
High
8.6
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
By running a malicious program, an arbitrary OS command may be executed with LocalSystem privilege of the Windows system where the product is running.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released the following versions. * Passage Drive v1.5.1.1 * Passage Drive for Box v1.0.1
Yokogawa Rental & Lease Corporation
Data validation vulnerability in Passage Drive
https://www.yrl.com/fwp_support/info/a1hrbt0000002037.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34866
https://www.cve.org/CVERecord?id=CVE-2022-34866
JVN
JVN#23766146
http://jvn.jp/en/jp/JVN23766146/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-08T12:25:59+09:00
[2022/07/08]\n Web page was published
2022-07-08T13:42:46+09:00
2022-07-08T13:42:46+09:00
2022-07-08T00:00:00+09:00
JVNDB-2022-000053
Django Extract and Trunc functions vulnerable to SQL injection
Django provided by Django Software Foundation is a Web application framework. The Extract and Trunc functions of Django, which are used to handle date data, contain an SQL injection vulnerability (CWE-89). Takuto Yoshikai of Aeye Security Lab reported this vulnerability to the developer and coordinated with them. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
Django Software Foundation
Django
cpe:/a:djangoproject:django
3.2
4.0
4.1 (currently at beta status)
main development branch
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
An attacker may execute an arbitrary SQL command. Data in websites built using the product may be altered or deleted by an attacker.
[Update the software] Update the software to the latest version according to the information provided by the developer.
Django Software Foundation
Download
https://www.djangoproject.com/download/
Django Software Foundation
Django security releases issued: 4.0.6 and 3.2.14
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34265
https://www.cve.org/CVERecord?id=CVE-2022-34265
JVN
JVN#12610194
https://jvn.jp/en/jp/JVN12610194/index.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-12T13:47:36+09:00
[2022/07/12]\n Web page was published
2022-07-12T13:47:36+09:00
2022-07-12T13:47:36+09:00
2022-07-12T00:00:00+09:00
JVNDB-2022-000054
Multiple vulnerabilities in Cybozu Office
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below. * [CyVDB-839][CyVDB-2300][CyVDB-3109] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-32283 * [CyVDB-1795] Operation restriction bypass vulnerability in Project (CWE-285) - CVE-2022-32544 * [CyVDB-1800][CyVDB-2798][CyVDB-2927] Browse restriction bypass vulnerability in Custom App (CWE-284) - CVE-2022-29891 * [CyVDB-1849] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-33151 * [CyVDB-1851][CyVDB-1856][CyVDB-1873][CyVDB-1944][CyVDB-2173] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-28715 * [CyVDB-1859] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-30604 * [CyVDB-2030] HTTP header injection vulnerability (CWE-113) - CVE-2022-32453 * [CyVDB-2152][CyVDB-2153][CyVDB-2154][CyVDB-2155] Information disclosure vulnerability in the system configuration (CWE-200) - CVE-2022-30693 * [CyVDB-2693] Operation restriction bypass vulnerability in Scheduler (CWE-285) - CVE-2022-32583 * [CyVDB-2695][CyVDB-2819] Browse restriction bypass vulnerability in Scheduler (CWE-284) - CVE-2022-25986 * [CyVDB-2770] Browse restriction bypass vulnerability in Address Book (CWE-284) - CVE-2022-33311 * [CyVDB-2939] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-29487 CVE-2022-28715, CVE-2022-30604, CVE-2022-32453, CVE-2022-33151 Masato Kinugawa reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN. CVE-2022-29891, CVE-2022-32544, CVE-2022-32583 Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN. CVE-2022-30693 Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. 
CVE-2022-29487, CVE-2022-25986, CVE-2022-32283, CVE-2022-33311 Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
Cybozu, Inc.
Cybozu Office
cpe:/a:cybozu:office
10.0.0 to 10.8.5
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* [CyVDB-839], [CyVDB-2300], [CyVDB-3109]: A user who can log in to the product may obtain the data of Cabinet. * [CyVDB-1795]: A user who can log in to the product may alter the data of Project. * [CyVDB-1800], [CyVDB-2798], [CyVDB-2927]: A user who can log in to the product may obtain the data of Custom App. * [CyVDB-1849], [CyVDB-1851], [CyVDB-1856], [CyVDB-1859], [CyVDB-1873], [CyVDB-1944], [CyVDB-2173], [CyVDB-2939]: An arbitrary script may be executed on a logged-in user's web browser. * [CyVDB-2030]: A remote attacker may obtain and/or alter the data of the product. * [CyVDB-2152], [CyVDB-2153], [CyVDB-2154], [CyVDB-2155]: A remote attacker may obtain the data of the product. * [CyVDB-2693]: A user who can log in to the product may alter the data of Scheduler. * [CyVDB-2695], [CyVDB-2819]: A user who can log in to the product may obtain the data of Scheduler. * [CyVDB-2770]: A user who can log in to the product may obtain the data of Address Book.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu, Inc. website
https://cs.cybozu.co.jp/2022/007584.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-32453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32453
Common Vulnerabilities and Exposures (CVE)
CVE-2022-32544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32544
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25986
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28715
Common Vulnerabilities and Exposures (CVE)
CVE-2022-32583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32583
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29487
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29487
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33151
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29891
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33311
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33311
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30604
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30693
Common Vulnerabilities and Exposures (CVE)
CVE-2022-32283
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32283
JVN
JVN#20573662
https://jvn.jp/en/jp/JVN20573662/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-20T16:39:22+09:00
[2022/07/20]\n Web page was published
2
2022-07-21T15:42:55+09:00
[2022/07/21]\n Overview : Content was modified\n CWE : Content was modified
2022-07-20T17:28:50+09:00
2022-07-21T16:50:48+09:00
2022-07-20T00:00:00+09:00
JVNDB-2022-000055
Booked vulnerable to open redirect
Booked provided by Twinkle Toes Software contains an open redirect vulnerability (CWE-601). Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Twinkle Toes Software
Booked
cpe:/a:twinkletoessoftware:booked
prior to 3.3
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released Booked 3.3 that addresses the vulnerability.
Booked
Booked
https://www.bookedscheduler.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30706
https://www.cve.org/CVERecord?id=CVE-2022-30706
JVN
JVN#75063798
https://jvn.jp/en/jp/JVN75063798/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-22T12:36:07+09:00
[2022/07/22]\n Web page was published
2022-07-22T13:40:32+09:00
2022-07-22T13:40:32+09:00
2022-07-22T00:00:00+09:00
JVNDB-2022-000056
Multiple vulnerabilities in Nintendo Wi-Fi Network Adaptor WAP-001
Nintendo Wi-Fi Network Adaptor provided by Nintendo Co.,Ltd. contains multiple vulnerabilities listed below. * OS command injection (CWE-78) - CVE-2022-36381 * Buffer overflow (CWE-121) - CVE-2022-36293 Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Nintendo Co., Ltd
Nintendo Wi-Fi Network Adaptor WAP-001
cpe:/h:nintendo:nintendo_wi-fi_network_adaptor_wap-001
all versions
Medium
5.2
AV:A/AC:L/Au:S/C:P/I:P/A:P
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* A user who can access the administrative page of the product may execute an arbitrary OS command - CVE-2022-36381 * A user who can access the administrative page of the product may execute arbitrary code - CVE-2022-36293
[Stop using the product] The developer states that the product is no longer supported, and therefore recommends that users stop using the product.
Nintendo Co., Ltd
Request to stop using "Nintendo Wi-Fi Network Adaptor" and "Nintendo Wi-Fi USB Connector"
https://www.nintendo.co.jp/support/information/2022/0720.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36381
https://www.cve.org/CVERecord?id=CVE-2022-36381
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36293
https://www.cve.org/CVERecord?id=CVE-2022-36293
JVN
JVN#17625382
http://jvn.jp/en/jp/JVN17625382/index.html
JVNDB
CWE-119
Buffer Errors
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-29T13:43:50+09:00
[2022/07/29]\n Web page was published
2022-07-29T13:43:50+09:00
2022-07-29T13:43:50+09:00
2022-07-29T00:00:00+09:00
JVNDB-2022-000057
WordPress Plugin "Newsletter" vulnerable to cross-site scripting
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Stefano Lissa & The Newsletter Team
Newsletter
cpe:/a:thenewsletterplugin:newsletter
prior to 7.4.5
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of a user who logs in with administrative privilege to a WordPress site using the plugin.
[Update the plugin] Update the plugin to the latest version according to the information provided by the developer.
Stefano Lissa & The Newsletter Team
Newsletter - Send awesome emails from WordPress
https://ja.wordpress.org/plugins/newsletter/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-1756
https://www.cve.org/CVERecord?id=CVE-2022-1756
JVN
JVN#77850327
http://jvn.jp/en/jp/JVN77850327/index.html
Related document
WPScan Vulnerability Database : WordPress Plugin Vulnerabilities | Newsletter < 7.4.5 - Reflected Cross-Site Scripting
https://wpscan.com/vulnerability/6ad407fe-db2b-41fb-834b-dd8c4f62b072
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-25T12:42:28+09:00
[2022/07/25]\n Web page published
2022-07-25T14:30:02+09:00
2022-07-25T14:30:02+09:00
2022-07-25T00:00:00+09:00
JVNDB-2022-000058
Multiple vulnerabilities in untangle
untangle provided by Christian Stefanescu is a Python library for processing XML documents. untangle contains multiple vulnerabilities listed below. * Improper Restriction of Recursive Entity References in DTDs (CWE-776) - CVE-2022-33977 * Improper Restriction of XML External Entity Reference (CWE-611) - CVE-2022-31471 Taichi Kotake of Sterra Security Co.,Ltd. / Akatsuki Games Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Christian Stefanescu
untangle
cpe:/a:misc:christian_stefanescu_untangle
1.2.0 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* An attacker may be able to cause a denial-of-service (DoS) condition on the server on which the product is running - CVE-2022-33977 * An attacker may be able to read the contents of local files - CVE-2022-31471
[Update the software] Update the software to the latest version according to the information provided by the developer.
Christian Stefanescu
untangle
https://github.com/stchris/untangle
Christian Stefanescu
Release 1.2.1
https://github.com/stchris/untangle/releases/tag/1.2.1
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33977
https://www.cve.org/CVERecord?id=CVE-2022-33977
Common Vulnerabilities and Exposures (CVE)
CVE-2022-31471
https://www.cve.org/CVERecord?id=CVE-2022-31471
JVN
JVN#30454777
http://jvn.jp/en/jp/JVN30454777/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-25T12:57:38+09:00
[2022/07/25]\n Web page published
2022-07-25T14:18:26+09:00
2022-07-25T14:18:26+09:00
2022-07-25T00:00:00+09:00
JVNDB-2022-000059
"Hulu" App for Android uses a hard-coded API key for an external service
"Hulu" App for Android provided by HJ Holdings, Inc. uses a hard-coded API key for an external service (CWE-798). Ryo Sato of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HJ Holdings, Inc.
Hulu
cpe:/a:misc:hj_holdings_hulu
App for Android version 3.0.47 or later, and prior to 3.1.2
Low
2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N
Medium
4
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
The hard-coded API key may be retrieved via reverse-engineering the application binary. Note that the application users are not directly affected by this vulnerability.
The hard-coded API key was revoked by the developer on June 7, 2022, and this vulnerability is no longer exploitable. The developer has released "Hulu" App for Android version 3.1.2, which does not contain any hard-coded API key.
JVN
Information from HJ Holdings, Inc.
http://jvn.jp/en/jp/JVN40907489/996644/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-35734
https://www.cve.org/CVERecord?id=CVE-2022-35734
JVN
JVN#40907489
http://jvn.jp/en/jp/JVN40907489/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-07-28T09:14:22+09:00
[2022/07/28]\n Web page was published
2022-07-28T09:14:35+09:00
2022-07-28T09:14:35+09:00
2022-07-27T00:00:00+09:00
JVNDB-2022-000060
"Hulu" App for iOS vulnerable to improper server certificate verification
"Hulu" App for iOS provided by HJ Holdings, Inc. is vulnerable to improper server certificate verification (CWE-295). Shungo Kumasaka of GMO Cyber Security by IERAE reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
HJ Holdings, Inc.
Hulu
cpe:/a:misc:hj_holdings_hulu
App for iOS versions prior to 3.0.81
Medium
4
AV:N/AC:H/Au:N/C:P/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.
[Update the application] Update the application to the latest version according to the information provided by the developer.
HJ Holdings, Inc.
HJ Holdings, Inc. website
https://help.hulu.jp/hc/ja/articles/8358166490649/
JVN
Information from HJ Holdings, Inc.
http://jvn.jp/en/jp/JVN81563390/996644/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34156
https://www.cve.org/CVERecord?id=CVE-2022-34156
JVN
JVN#81563390
http://jvn.jp/en/jp/JVN81563390/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-28T09:49:42+09:00
[2022/07/28]\n Web page was published
2022-07-28T09:51:47+09:00
2022-07-28T09:51:47+09:00
2022-07-27T00:00:00+09:00
JVNDB-2022-000061
"JustSystems JUST Online Update for J-License" starts a program with an unquoted file path
"JustSystems JUST Online Update for J-License" is bundled with multiple products for corporate users provided by JustSystems Corporation, as in Ichitaro through Pro5 and others, and it is registered as a Windows service. "JustSystems JUST Online Update for J-License" starts another program with an unquoted file path (CWE-428). Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JustSystems Corporation
JUST Online Update
cpe:/a:justsystems:just_online_update
for J-License (for corporate users)
Medium
6.8
AV:L/AC:L/Au:S/C:C/I:C/A:C
High
8.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
A malicious file may be executed with the privilege of the Windows service.
[Update the software] Update the software to the latest version according to the information provided by the developer.
JustSystems Corporation
Vulnerability measures for the Online Update function attached to the corporation products
https://www.justsystems.com/jp/corporate/info/js22001.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36344
https://www.cve.org/CVERecord?id=CVE-2022-36344
JVN
JVN#57073973
http://jvn.jp/en/jp/JVN57073973/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-07-28T12:27:16+09:00
[2022/07/28]\n Web page was published
2022-07-28T13:40:18+09:00
2022-07-28T13:40:18+09:00
2022-07-28T00:00:00+09:00
JVNDB-2022-000062
Kaitai Struct: compiler vulnerable to denial-of-service (DoS)
Kaitai Struct: compiler provided by Kaitai team contains SnakeYAML library version 1.25, which is used in parsing .ksy files. SnakeYAML version 1.25 expands recursive aliases without limit (CWE-674), hence Kaitai Struct: compiler is vulnerable to a denial-of-service (DoS) attack by Billion Laughs Attack. Taichi Kotake of Sterra Security Co.,Ltd. / Akatsuki Games Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Kaitai team
Kaitai Struct: compiler
cpe:/a:misc:kaitai_team_kaitai_struct_compiler
0.9 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P
Medium
5.5
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Processing untrusted .ksy files may cause a denial-of-service (DoS) condition.
[Update the software] Update the software to the latest version according to the information provided by the developer. According to the developer, this vulnerability has been fixed in version 0.10 by updating the bundled SnakeYAML library.
Kaitai team
kaitai-io / kaitai_struct_compiler
https://github.com/kaitai-io/kaitai_struct_compiler
Kaitai team
Update SnakeYAML to 1.29 (was 1.25: vulnerable to "billion laughs")
https://github.com/kaitai-io/kaitai_struct_compiler/commit/50f80d7eca36983ca0b7f354d12656ec62e639eb
Common Vulnerabilities and Exposures (CVE)
CVE-2017-18640
https://www.cve.org/CVERecord?id=CVE-2017-18640
JVN
JVN#42883072
https://jvn.jp/en/jp/JVN42883072/index.html
Related document
Preventing YAML parsing vulnerabilities with snakeyaml in Java
https://snyk.io/blog/java-yaml-parser-with-snakeyaml/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-04T15:14:30+09:00
[2022/08/04]\n Web page was published
2022-08-04T15:14:30+09:00
2022-08-04T15:14:30+09:00
2022-08-04T00:00:00+09:00
JVNDB-2022-000063
PukiWiki vulnerable to cross-site scripting
PukiWiki provided by PukiWiki Developers Team contains a stored cross-site scripting vulnerability (CWE-79). Ryuhoh Ide of Department of Applied Physics, School of Engineering, The University of Tokyo reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
PukiWiki Developers Team.
PukiWiki
cpe:/a:pukiwiki:pukiwiki
versions 1.3.1 to 1.5.3
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who accessed the site using the product.
[Update the Software] Update the Software to the latest version according to the information provided by the developer. According to the developer, this vulnerability has been fixed in version 1.5.4.
PukiWiki Errata
PukiWiki/Errata
https://pukiwiki.osdn.jp/?PukiWiki/Errata
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36350
https://www.cve.org/CVERecord?id=CVE-2022-36350
JVN
JVN#43979089
https://jvn.jp/en/jp/JVN43979089/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-23T12:26:50+09:00
[2022/08/23]\n Web page was published
2022-08-23T14:40:25+09:00
2022-08-23T14:40:25+09:00
2022-08-23T00:00:00+09:00
JVNDB-2022-000064
Movable Type XMLRPC API vulnerable to command injection
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer, even if the vulnerability is exploited, it is not possible to execute a command with an arbitrary value added to its argument. Osaka University of Economics reported this vulnerability to Six Apart Ltd. and coordinated with them. Six Apart Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability. Almost at the same time, SHIGA TAKUMA of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with Six Apart Ltd. under Information Security Early Warning Partnership.
Six Apart, Ltd.
Movable Type
cpe:/a:sixapart:movabletype
6.8.6 and earlier (Movable Type 6 Series)
7 r.5202 and earlier (Movable Type 7 Series)
Six Apart, Ltd.
Movable Type Advanced
cpe:/a:sixapart:movable_type_advanced
6.8.6 and earlier (Movable Type Advanced 6 Series)
7 r.5202 and earlier (Movable Type Advanced 7 Series)
Six Apart, Ltd.
Movable Type Premium
cpe:/a:sixapart:movable_type_premium
1.52 and earlier
Six Apart, Ltd.
Movable Type Premium Advanced
cpe:/a:sixapart:movable_type_premium_advanced
1.52 and earlier
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.
[Update the Software] Apply the appropriate update according to the information provided by the developer. The developer has released the following updates that contain a fix for this vulnerability: * Movable Type 7 r.5301 (Movable Type 7 Series) * Movable Type Advanced 7 r.5301 (Movable Type Advanced 7 Series) * Movable Type 6.8.7 (Movable Type 6 Series) * Movable Type Advanced 6.8.7 (Movable Type Advanced 6 Series) * Movable Type Premium 1.53 * Movable Type Premium Advanced 1.53 [Apply the workaround] Applying workarounds may mitigate the impacts of this vulnerability. The developer recommends applying the following mitigation to the products. * Disable the XMLRPC API function of Movable Type
JVN
Information from Six Apart Ltd.
https://jvn.jp/en/jp/JVN57728859/370331/index.html
MOVABLETYPE NEWS
MOVABLE TYPE 7 R.5301 (V7.9.5), V6.8.7: SECURITY UPDATE
https://movabletype.org/news/2022/08/mt-795-687-released.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38078
https://www.cve.org/CVERecord?id=CVE-2022-38078
IPA SECURITY ALERTS
JVN#57728859
https://www.ipa.go.jp/security/ciadr/vul/20220824-jvn.html
JPCERT
Alert Regarding Vulnerability in Movable Type XMLRPC API
https://www.jpcert.or.jp/english/at/2022/at220022.html
JVN
JVN#57728859
https://jvn.jp/en/jp/JVN57728859/index.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-24T15:00:16+09:00
[2022/08/24]\n Web page was published
2022-08-24T15:58:04+09:00
2022-08-24T15:58:04+09:00
2022-08-24T00:00:00+09:00
JVNDB-2022-000065
Multiple vulnerabilities in Exment
Exment provided by Kajitori Co.,Ltd contains multiple vulnerabilities listed below. * Reflected cross-site scripting (CWE-79) - CVE-2022-38080 * SQL injection (CWE-89) - CVE-2022-37333 * Stored cross-site scripting (CWE-79) - CVE-2022-38089 CVE-2022-38080, CVE-2022-37333 Hibiki Moriyama of STNet, Incorporated reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-38089 Yuya Chudo of N.F.Laboratories Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Kajitori Corporation
exceedone/exment
cpe:/a:kajitori:kajitori_exceedone_exment
(PHP7) v4.4.2 and earlier
(PHP8) v5.0.2 and earlier
Kajitori Corporation
exceedone/laravel-admin
cpe:/a:kajitori:kajitori_exceedone_laravel-admin
(PHP7) v2.2.2 and earlier
(PHP8) v3.0.0 and earlier
Medium
6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
High
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* An arbitrary script may be executed on the web browser of the user who is accessing the website using the product - CVE-2022-38080, CVE-2022-38089 * Information in the database may be obtained or altered - CVE-2022-37333
[Update the Software] Update Exment and laravel-admin to the latest version according to the information provided by the developer. The developer has released the below versions that contain the fixes for these vulnerabilities. * For PHP8: exceedone/exment v5.0.3 and exceedone/laravel-admin v3.0.1 * For PHP7: exceedone/exment v4.4.3 and exceedone/laravel-admin v2.2.3 [Apply Workaround] The developer provides the workaround to mitigate the impacts of these vulnerabilities to the users who cannot update the affected product to the latest version. For details of the workaround, refer to the information provided by the developer.
Kajitori Corporation
Vulnerability response Cross-site scripting and SQL injection
https://exment.net/docs/#/weakness/20220817
Kajitori Corporation
Release notes
https://exment.net/docs/#/release_note?id=v503-20220817
Kajitori Corporation
Patch / Vulnerability List
https://exment.net/docs/#/patch_weakness?id=vulnerability-list
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38080
https://www.cve.org/CVERecord?id=CVE-2022-38080
Common Vulnerabilities and Exposures (CVE)
CVE-2022-37333
https://www.cve.org/CVERecord?id=CVE-2022-37333
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38089
https://www.cve.org/CVERecord?id=CVE-2022-38089
JVN
JVN#46239102
https://jvn.jp/en/jp/JVN46239102/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-89
SQL Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-24T13:43:14+09:00
[2022/08/24]\n Web page was published
2022-08-24T14:23:38+09:00
2022-08-24T14:23:38+09:00
2022-08-24T00:00:00+09:00
JVNDB-2022-000066
Multiple vulnerabilities in CentreCOM AR260S V2
CentreCOM AR260S V2 provided by Allied Telesis K.K. contains multiple vulnerabilities listed below. * OS command injection vulnerability in GUI setting page (CWE-78) - CVE-2022-35273 * Use of hard-coded credentials for the telnet server (CWE-798) - CVE-2022-38394 * Undocumented hidden command that can be executed from the telnet function (CWE-912) - CVE-2022-34869 * OS command injection vulnerability in the telnet function (CWE-78) - CVE-2022-38094 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Allied Telesis
CentreCOM AR260S V2 firmware
cpe:/o:allied_telesis_k.k.:centrecom_ar260s_v2_firmware
versions prior to Ver.3.3.7
Critical
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
High
8.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A remote attacker may execute an arbitrary OS command.
[Update the firmware and Change passwords] Update the firmware to the latest version according to the information provided by the developer, and then change all passwords including "guest" account passwords. [Apply the workaround] Applying the following workarounds may mitigate the impacts of these vulnerabilities. * Enable the Firewall protection * Change all passwords including "guest" account passwords
Allied Telesis
Multiple vulnerabilities in CentreCOM AR260S V2
https://www.allied-telesis.co.jp/support/list/faq/vuls/20220829.html
JVN
Information from Allied Telesis K.K.
https://jvn.jp/en/jp/JVN45473612/522154/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-35273
https://www.cve.org/CVERecord?id=CVE-2022-35273
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38394
https://www.cve.org/CVERecord?id=CVE-2022-38394
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34869
https://www.cve.org/CVERecord?id=CVE-2022-34869
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38094
https://www.cve.org/CVERecord?id=CVE-2022-38094
JVN
JVN#45473612
https://jvn.jp/en/jp/JVN45473612/index.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-29T17:09:12+09:00
[2022/08/29]\n Web page was published
2022-08-29T17:37:54+09:00
2022-08-29T17:37:54+09:00
2022-08-29T00:00:00+09:00
JVNDB-2022-000067
Installer of Ricoh Device Software Manager may insecurely load Dynamic Link Libraries
Installer of Device Software Manager provided by RICOH COMPANY, LTD. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ricoh Co., Ltd
Installer of Device Software Manager
cpe:/a:ricoh:driver_installer
prior to Ver.2.20.3.0
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
[Use the latest installer] Use the latest installer provided by the developer. Users who already have installed the software do not need to re-install, because this issue affects the installers only.
JVN
Information from RICOH COMPANY, LTD.
https://jvn.jp/en/jp/JVN44721267/423626/index.html
RICOH COMPANY, LTD.
Device Software Manager
https://www.ricoh.com/software/dev_soft_manager
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36403
https://www.cve.org/CVERecord?id=CVE-2022-36403
JVN
JVN#44721267
https://jvn.jp/en/jp/JVN44721267/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-29T15:30:02+09:00
[2022/08/29]\n Web page was published
2022-08-29T15:57:15+09:00
2022-08-29T15:57:15+09:00
2022-08-29T00:00:00+09:00
JVNDB-2022-000068
SYNCK GRAPHICA Mailform Pro CGI vulnerable to information disclosure
Mailform Pro CGI provided by SYNCK GRAPHICA contains an information disclosure vulnerability (CWE-200). The Thanks module of this product saves user input data for a certain period of time; the period is set to 30 seconds by default in the configs/thanks.cgi file. To exploit this vulnerability, an attacker must access the affected product within those 30 seconds. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SYNCK GRAPHICA
Mailform Pro CGI
cpe:/a:synck_graphica:mailform_pro_cgi
4.3.1 and earlier
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Low
3.1
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
If a user of the product is led to access a URL specially crafted by an attacker, the user's input data may be disclosed.
[Update the Software] Update the software to the latest version according to the information provided by the developer. [Apply a workaround] The following workaround may mitigate the impact of this vulnerability. <ul><li>Disable thanks module</li></ul>
SYNCK GRAPHICA
Taking over values to Thanks page (v4.1.2)
https://www.synck.com/downloads/cgi-perl/mailformpro/feature_1381250709.html
SYNCK GRAPHICA
Mailform Pro CGI vulnerable to information disclosure
https://www.synck.com/blogs/news/newsroom/detail_1661907555.html
SYNCK GRAPHICA
Mailform Pro CGI
https://www.synck.com/downloads/cgi-perl/mailformpro/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38400
https://www.cve.org/CVERecord?id=CVE-2022-38400
JVN
JVN#34205166
http://jvn.jp/en/jp/JVN34205166/index.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-09-05T15:22:29+09:00
[2022/09/05]\n Web page was published
2022-09-05T15:22:29+09:00
2022-09-05T15:22:29+09:00
2022-09-05T00:00:00+09:00
JVNDB-2022-000069
PowerCMS XMLRPC API vulnerable to command injection
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to the PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer, it is not possible to execute a command with arbitrary values added to its arguments, even if the vulnerability is exploited. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Alfasado Inc.
PowerCMS
cpe:/a:alfasado:powercms
4.51 and earlier (PowerCMS 4 Series)
5.21 and earlier (PowerCMS 5 Series)
6.021 and earlier (PowerCMS 6 Series)
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An arbitrary Perl script may be executed by a remote attacker. As a result, an arbitrary OS command may be executed.
[When XMLRPC API is NOT required: Disable XMLRPC API] <ul> <li>If XMLRPC API is used as CGI/FastCGI <ul> <li>Delete <code>mt-xmlrpc.cgi</code> or remove execute permission of <code>mt-xmlrpc.cgi</code> <ul> <li>According to the developer, when PowerCMS environment variable <code>XMLRPCScript</code> is configured, the file may be renamed. In that case, implement this countermeasure to that renamed file</li> </ul> </li> </ul> </li> <li>If XMLRPC API is used as PSGI <ul> <li>Configure environment variable <code>RestrictedPSGIApp</code> to prohibit XMLRPC application: <code>RestrictedPSGIApp xmlrpc</code></li> </ul> </li> </ul> [When XMLRPC API should be kept available: Apply the patch] Apply the patch according to the information provided by the developer.
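The two mitigations above (make the CGI endpoint non-executable, or exclude xmlrpc via RestrictedPSGIApp) apply equally to the Movable Type XMLRPC API entry earlier on this page. The following script is an added example for verifying that a mitigation actually took effect on an install tree; it is not code from Alfasado, Six Apart or JVN. It assumes that the directives live in an mt-config.cgi file in the install root, that the endpoint is mt-xmlrpc.cgi unless an XMLRPCScript directive renames it, and that a PSGI deployment blocks the app with RestrictedPSGIApp xmlrpc; the fixture trees it audits are constructed in temporary directories.

```python
"""Audit a Movable Type / PowerCMS install tree for a still-reachable XML-RPC API.

Added example, not code from Alfasado, Six Apart or JVN. Assumptions (labelled):
the CGI endpoint is mt-xmlrpc.cgi in the install root unless the XMLRPCScript
directive renames it, the directives live in mt-config.cgi, and PSGI deployments
block the app with 'RestrictedPSGIApp xmlrpc'.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field

CONFIG_FILE = "mt-config.cgi"     # assumed: Movable Type-style config file name
DEFAULT_SCRIPT = "mt-xmlrpc.cgi"  # default XML-RPC endpoint; XMLRPCScript may rename it
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


@dataclass
class XmlrpcAudit:
    script: str
    cgi_present: bool
    cgi_executable: bool
    psgi_restricted: bool
    findings: list = field(default_factory=list)


def read_directives(config_path):
    """Parse 'Directive value' lines; '#' starts a comment; repeated keys accumulate."""
    directives = {}
    if not os.path.isfile(config_path):
        return directives
    with open(config_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return directives


def audit_xmlrpc(install_dir):
    """Check both mitigations: the CGI file cannot run, and PSGI refuses the xmlrpc app."""
    directives = read_directives(os.path.join(install_dir, CONFIG_FILE))
    # Follow a rename: the advisory notes the file may be renamed via XMLRPCScript.
    script = (directives.get("XMLRPCScript") or [DEFAULT_SCRIPT])[-1] or DEFAULT_SCRIPT
    path = os.path.join(install_dir, script)
    present = os.path.isfile(path)
    executable = present and bool(os.stat(path).st_mode & EXEC_BITS)
    restricted = {
        app.strip().lower()
        for value in directives.get("RestrictedPSGIApp", [])
        for app in value.split(",")
    }
    result = XmlrpcAudit(script, present, executable, "xmlrpc" in restricted)
    if present and executable:
        result.findings.append(f"{script} is present and executable: delete it or remove its execute bit")
    if not result.psgi_restricted:
        result.findings.append("RestrictedPSGIApp does not list xmlrpc: add 'RestrictedPSGIApp xmlrpc' if served via PSGI")
    return result


def build_fixture(install_dir, executable, restricted, script=DEFAULT_SCRIPT):
    """Constructed install tree (not a real PowerCMS checkout) for exercising the audit."""
    lines = ["CGIPath /cgi-bin/mt/"]
    if script != DEFAULT_SCRIPT:
        lines.append(f"XMLRPCScript {script}")
    if restricted:
        lines.append("RestrictedPSGIApp xmlrpc")
    with open(os.path.join(install_dir, CONFIG_FILE), "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    cgi = os.path.join(install_dir, script)
    with open(cgi, "w", encoding="utf-8") as fh:
        fh.write("#!/usr/bin/perl\n")
    os.chmod(cgi, 0o755 if executable else 0o644)
    return install_dir


def demo():
    """Audit a constructed exposed tree, then one with both mitigations applied."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["exposed"] = audit_xmlrpc(build_fixture(tmp, executable=True, restricted=False))
    with tempfile.TemporaryDirectory() as tmp:
        results["mitigated"] = audit_xmlrpc(
            build_fixture(tmp, executable=False, restricted=True, script="api-xmlrpc.cgi"))
    return results


if __name__ == "__main__":
    for name, audit in demo().items():
        print(name, audit.script, audit.findings)
```

Point audit_xmlrpc at the real install directory to use it; the check follows an XMLRPCScript rename, which is the case the advisory warns about, and reports both the CGI and the PSGI condition because a tree served one way today can be served the other way after a deployment change.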
Alfasado Inc.
PowerCMS XMLRPC API vulnerable to command injection
https://www.powercms.jp/news/xmlrpc-api-provision-202208.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33941
https://www.cve.org/CVERecord?id=CVE-2022-33941
JVN
JVN#76024879
https://jvn.jp/en/jp/JVN76024879/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-09-02T15:01:05+09:00
[2022/09/02]\n Web page was published
2022-09-02T15:49:34+09:00
2022-09-02T15:49:34+09:00
2022-09-02T00:00:00+09:00
JVNDB-2022-000070
Movable Type plugin A-Form vulnerable to cross-site scripting
Movable Type plugin A-Form provided by ARK-Web co., ltd. contains a cross-site scripting vulnerability (CWE-79). Hibiki Moriyama of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ARK-Web co., ltd
A-Form
cpe:/a:ark-web:a-form
versions prior to 3.9.1 (for Movable Type 6 Series)
versions prior to 4.1.1 (for Movable Type 7 Series)
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who accessed the site using the product.
[Update the Software] Update A-Form to the latest version according to the information provided by the developer.
Movable Type
MT plug-in A series: Notification of new version 4.1.1/3.9.1 (vulnerability fix version) release
https://www.ark-web.jp/blog/archives/2022/09/a-series-411-391.html
Movable Type
Release Note: A-Form PC 4.1.1/3.9.1, A-Member 4.1.1/3.9.1, A-Reserve 4.1.1/3.9.1, A-Member Subscription Pack 1.005
https://www.ark-web.jp/movabletype/blog/2022/09/a-series-411-391.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38972
https://www.cve.org/CVERecord?id=CVE-2022-38972
JVN
JVN#48120704
http://jvn.jp/en/jp/JVN48120704/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-09-09T15:01:48+09:00
[2022/09/09]\n Web page was published
2022-09-09T15:01:48+09:00
2022-09-09T15:01:48+09:00
2022-09-09T00:00:00+09:00
JVNDB-2022-000071
Multiple vulnerabilities in Trend Micro Apex One and Trend Micro Apex One as a Service
Trend Micro Apex One and Trend Micro Apex One as a Service provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. * Improper validation in some components of the rollback mechanism (CWE-20) - CVE-2022-40139 * Improper access control (CWE-284) - CVE-2022-40140 * Information exposure (CWE-200) - CVE-2022-40141 * Improper link resolution before file access (CWE-59) - CVE-2022-40142 * Improper link resolution before file access (CWE-59) - CVE-2022-40143 * Improper authentication (CWE-287) - CVE-2022-40144 Trend Micro Incorporated states that attacks exploiting CVE-2022-40139 have been observed. CVE-2022-40139, CVE-2022-40140, CVE-2022-40141, CVE-2022-40142, CVE-2022-40143 Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. CVE-2022-40144 Akinori Takeuchi of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
On Premise (2019)
Trend Micro, Inc.
Apex One as a Service
cpe:/a:trendmicro:apex_one_as_a_service
Medium
6.8
AV:L/AC:L/Au:S/C:C/I:C/A:C
High
7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* An attacker who can log in to the product's administration console may execute arbitrary code - CVE-2022-40139 * An attacker who can log in to the system where the affected product is installed may be able to cause a denial-of-service (DoS) - CVE-2022-40140 * If certain traffic data is intercepted and decoded, some information related to the server may be obtained - CVE-2022-40141 * An attacker who can log in to the system where the affected product is installed may obtain administrative privilege - CVE-2022-40142, CVE-2022-40143 * If a remote attacker sends a specially crafted request to the affected product, the product's login authentication may be bypassed - CVE-2022-40144
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released the following patch to fix these vulnerabilities. * Trend Micro Apex One On Premise (2019) Service Pack 1 b11092/11088 The issues in Trend Micro Apex One as a Service are already fixed in August 2022 updates. [Apply the Workaround] Applying the following workaround may mitigate the impact of these vulnerabilities. * Permit access to the product only from the trusted network
Trend Micro
CRITICAL SECURITY BULLETIN: September 2022 Security Bulletin for Trend Micro Apex One
https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US
Trend Micro
[Alert] Apply Service Pack; An attack exploiting the vulnerability (CVE-2022-40139) in Trend Micro Apex One has been observed
https://appweb.trendmicro.com/SupportNews/NewsDetail.aspx?id=4553
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40139
https://www.cve.org/CVERecord?id=CVE-2022-40139
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40140
https://www.cve.org/CVERecord?id=CVE-2022-40140
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40141
https://www.cve.org/CVERecord?id=CVE-2022-40141
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40142
https://www.cve.org/CVERecord?id=CVE-2022-40142
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40143
https://www.cve.org/CVERecord?id=CVE-2022-40143
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40144
https://www.cve.org/CVERecord?id=CVE-2022-40144
IPA SECURITY ALERTS
JVN#36454862
https://www.ipa.go.jp/security/ciadr/vul/20220913-jvn.html
JPCERT
JPCERT-AT-2022-0023
https://www.jpcert.or.jp/english/at/2022/at220023.html
JVN
JVN#36454862
https://jvn.jp/en/jp/JVN36454862/index.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-59
Link Following
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-09-14T10:31:44+09:00
[2022/09/14]\n Web page was published
2022-09-14T18:15:31+09:00
2022-09-14T18:15:31+09:00
2022-09-14T00:00:00+09:00
JVNDB-2022-000072
EC-CUBE plugin "Product Image Bulk Upload Plugin" vulnerable to insufficient verification in uploading files
EC-CUBE plugin "Product Image Bulk Upload Plugin", a plugin for uploading image files, provided by EC-CUBE CO.,LTD. contains an insufficient verification vulnerability when uploading files (CWE-20). Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning Partnership.
EC-CUBE CO.,LTD.
EC-CUBE plugin "Product Image Bulk Upload Plugin"
cpe:/a:ec-cube:product_image_upload_plugin
1.0.0
4.1.0
Medium
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
One of the attack scenarios and its possible impact is as follows: if a user with administrative privilege of an EC-CUBE installation where the vulnerable plugin is installed is led to upload a specially crafted file, an arbitrary script may be executed on the system.
[Update the plugin] Update the plugin to the latest version according to the information provided by the developer.
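What "insufficient verification when uploading files" means in practice, shown as an added example that is not the plugin's or EC-CUBE's code: a check that trusts the client-supplied extension or MIME type accepts a PHP file named shell.php.jpg, while a check that sniffs the leading bytes, requires the extension to agree with the sniffed type, and assigns its own file name does not. The magic-byte table, size limit and sample inputs are assumptions and constructed data, not details taken from the plugin.

```python
"""Image-upload verification: the insufficient check beside a hardened one.

Added example, not the plugin's or EC-CUBE's code. The magic-byte table and
the rule 'extension must match sniffed type' are general practice, assumed to
apply here; nothing below reproduces the plugin's actual logic.
"""
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAX_BYTES = 5 * 1024 * 1024

# (leading bytes, canonical extension) for the image types the store accepts.
MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


class UploadRejected(ValueError):
    pass


def weak_check(filename, content_type):
    """Insufficient verification: trusts the client-supplied name or MIME type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS or content_type.lower().startswith("image/")


def sniff_image_type(data):
    """Return the canonical extension for the detected image type, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def validate_image_upload(filename, data):
    """Return a server-chosen filename for a verified image, or raise UploadRejected.

    The client's MIME type is deliberately not a parameter: it is never consulted.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory component the client sent (either separator style).
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected("content is not a recognised image format")
    if ("jpg" if ext == "jpeg" else ext) != kind:
        raise UploadRejected(f"extension {ext!r} does not match content type {kind!r}")
    # Never store under the client's name; the extension comes from the sniffed type.
    return f"{secrets.token_hex(16)}.{kind}"


def hardened_accepts(filename, data):
    """True if validate_image_upload accepts the file (helper for tests and demos)."""
    try:
        validate_image_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample inputs: minimal JPEG and PNG headers and a PHP payload.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
PHP_BYTES = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, ctype, data in (
        ("photo.jpg", "image/jpeg", JPEG_BYTES),
        ("shell.php", "image/jpeg", PHP_BYTES),       # MIME type spoofed
        ("shell.php.jpg", "image/jpeg", PHP_BYTES),   # extension spoofed
        ("photo.png", "image/png", JPEG_BYTES),       # extension and content disagree
    ):
        print(f"{name:14} weak={weak_check(name, ctype)!s:5} hardened={hardened_accepts(name, data)}")
```

Magic bytes rule out the obvious cases but not a polyglot that is a valid image and a valid script at once, so the usual complement is to re-encode the image with an image library, store uploads where the web server will not execute scripts, and serve them with X-Content-Type-Options: nosniff.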
EC-CUBE CO.,LTD.
EC-CUBE CO.,LTD. website
https://www.ec-cube.net/info/weakness/20220909/product_images_uploader.php
JVN
Information from EC-CUBE CO.,LTD.
http://jvn.jp/en/jp/JVN30900552/491122/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-37346
https://www.cve.org/CVERecord?id=CVE-2022-37346
JVN
JVN#30900552
http://jvn.jp/en/jp/JVN30900552/index.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-09-15T14:52:29+09:00
[2022/09/15]\n Web page was published
2022-09-15T16:13:16+09:00
2022-09-15T16:13:16+09:00
2022-09-15T00:00:00+09:00
JVNDB-2022-000073
Multiple vulnerabilities in EC-CUBE
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. * Directory traversal vulnerability (CWE-22) - CVE-2022-40199 * DOM-based cross-site scripting vulnerability (CWE-79) - CVE-2022-38975 Noriaki Iwasaki of Cyber Defense Institute, Inc. reported these vulnerabilities to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD. reported them to JPCERT/CC to notify users of the solutions through JVN.
EC-CUBE CO.,LTD.
EC-CUBE
cpe:/a:ec-cube:ec-cube
3.0.0 to 3.0.18-p4 (EC-CUBE 3 series) (CVE-2022-40199)
4.0.0 to 4.1.2 (EC-CUBE 4 series) (CVE-2022-40199, CVE-2022-38975)
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Low
2.7
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
* A remote attacker who can log in to the product may obtain the product's directory structure information - CVE-2022-40199 * If a remote attacker leads an administrator of the product to a specially crafted page and to perform a specific operation, an arbitrary script may be executed on the administrator's web browser - CVE-2022-38975
[Update the software] An update is available for EC-CUBE 4 series. Update to the latest version according to the information provided by the developer. For EC-CUBE 3 series, there is no update but a patch is available. [Apply the patch] Patches are available for both EC-CUBE 3 and EC-CUBE 4 series. For more information, refer to the information provided by the developer.
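The directory traversal item (CVE-2022-40199) is described only by its impact, so the following is an added, generic example of confining a client-supplied path to a base directory, not EC-CUBE's code or its fix. The base directory and file names are constructed. It contrasts the common string-prefix check, which wrongly accepts a sibling directory whose name merely starts with the base name, with a realpath plus commonpath check, and it refuses absolute and drive-letter inputs because os.path.join silently discards the base when given one.

```python
"""Confining a client-supplied path to a base directory (CWE-22).

Added example, not EC-CUBE's code; the base directory and path names are
constructed. It shows two mistakes a traversal check commonly makes (trusting
os.path.join with an absolute input, and string-prefix checks under which
'/srv/app' also matches '/srv/app-old') and the realpath + commonpath fix.
"""
import os


class PathRejected(ValueError):
    pass


def safe_join(base_dir, user_path):
    """Resolve user_path inside base_dir; raise PathRejected if it would leave it."""
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    # Treat either separator as a separator, then refuse absolute and drive-letter
    # paths, since os.path.join(base, "/etc/passwd") silently discards base.
    cleaned = user_path.replace("\\", "/")
    if cleaned.startswith("/") or cleaned[1:2] == ":":
        raise PathRejected("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, cleaned))
    # commonpath compares whole components, so 'upload-old' is not inside 'upload'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("path escapes base directory")
    return candidate


def is_rejected(base_dir, user_path):
    try:
        safe_join(base_dir, user_path)
        return False
    except PathRejected:
        return True


def naive_join(base_dir, user_path):
    """The pattern being replaced: normalise, then prefix-check as strings."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate if candidate.startswith(base_dir) else None


BASE = "/srv/shop/html/upload"  # constructed base directory

if __name__ == "__main__":
    for p in ("product_images/a.png", "../../app/config/config.yml", "/etc/passwd",
              "product_images/../../../etc/passwd", "../upload-old/x"):
        print(f"{p:38} naive={naive_join(BASE, p)!r:40} safe_rejected={is_rejected(BASE, p)}")
```

Run the script to see that naive_join lets "../upload-old/x" through because the normalised result still starts with the base string, while safe_join rejects it. Percent-decoding belongs to the web layer and must happen exactly once before the path reaches this function.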
EC-CUBE CO.,LTD.
EC-CUBE CO.,LTD. website
https://www.ec-cube.net/info/weakness/20220909/
JVN
Information from EC-CUBE CO.,LTD.
http://jvn.jp/en/jp/JVN21213852/491122/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40199
https://www.cve.org/CVERecord?id=CVE-2022-40199
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38975
https://www.cve.org/CVERecord?id=CVE-2022-38975
JVN
JVN#21213852
http://jvn.jp/en/jp/JVN21213852/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-09-15T15:30:34+09:00
[2022/09/15]\n Web page was published
3
2022-09-21T10:01:20+09:00
[2022/09/21]\n Overview was modified
2022-09-15T16:30:42+09:00
2022-09-21T10:21:13+09:00
2022-09-15T00:00:00+09:00
JVNDB-2022-000074
BookStack vulnerable to cross-site scripting
BookStack contains a cross-site scripting vulnerability (CWE-79). Kenichi Okuno of Mitsui Bussan Secure Directions, Inc reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
BookStack project
BookStack
cpe:/a:bookstackapp:bookstack
versions prior to v22.09
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing the site using the API of the product.
[Update the Software] Update the software to the latest version according to the information provided by the developer. According to the developer, when using BookStack content via its API, it is necessary to check the following documentation and add the recommended protections as necessary. <a href="https://www.bookstackapp.com/docs/admin/security/#using-bookstack-content-externally" target="_blank">https://www.bookstackapp.com/docs/admin/security/#using-bookstack-content-externally</a>
BookStack
BookStack Release v22.09
https://www.bookstackapp.com/blog/bookstack-release-v22-09/
BookStack
Admin Documentation | Security | Using BookStack Content Externally
https://www.bookstackapp.com/docs/admin/security/#using-bookstack-content-externally
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40690
https://www.cve.org/CVERecord?id=CVE-2022-40690
JVN
JVN#78862034
http://jvn.jp/en/jp/JVN78862034/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-09-30T14:13:00+09:00
[2022/09/30]\n Web page was published
2022-09-30T14:48:00+09:00
2022-09-30T14:48:00+09:00
2022-09-30T00:00:00+09:00
JVNDB-2022-000075
IPFire WebUI vulnerable to cross-site scripting
The web user interface of IPFire provided by IPFire Project contains multiple stored cross-site scripting vulnerabilities (CWE-79). This analysis assumes a scenario where one administrative user prepares malicious content, and then another administrative user accesses this content, resulting in a cross-site scripting attack. Satoshi Horikoshi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
IPFire
IPFire
cpe:/a:ipfire:ipfire
versions prior to 2.27 - Core Update 170
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is using the product.
[Update the Software] Update the Software to the latest version according to the information provided by the developer.
GitHub
ipfire-2.x
https://github.com/ipfire/ipfire-2.x
IPFire
IPFire 2.27 - Core Update 170 released
https://blog.ipfire.org/post/ipfire-2-27-core-update-170-released
IPFire Bugzilla
Bug 12925 - JVN#15411362 Inquiry on vulnerability found in IPFire
https://bugzilla.ipfire.org/show_bug.cgi?id=12925
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36368
https://www.cve.org/CVERecord?id=CVE-2022-36368
JVN
JVN#15411362
http://jvn.jp/en/jp/JVN15411362/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-06T12:17:47+09:00
[2022/10/06]\n Web page was published
2022-10-06T13:05:16+09:00
2022-10-06T13:05:16+09:00
2022-10-06T00:00:00+09:00
JVNDB-2022-000076
Growi vulnerable to improper access control
GROWI provided by WESEEK, Inc. contains an improper access control vulnerability (CWE-284). Kenta Yamamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WESEEK, Inc.
GROWI
cpe:/a:weseek:growi
versions prior to v4.5.25 (v4 series)
versions prior to v5.1.4 (v5 series)
Medium
4
AV:N/AC:L/Au:S/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
A user who can log in to the affected product may download the markdown data of pages that other users have set to private.
[Update the software] Update the software to the following versions according to the information provided by the developer. * GROWI v5.1.4 or later (v5 series) * GROWI v4.5.25 or later (v4 series)
JVN
Information from WESEEK, Inc.
http://jvn.jp/en/jp/JVN00845253/996210/index.html
WESEEK, Inc.
GROWI Vulnerability Response Notice (JVN#00845253)
https://weseek.co.jp/en/news/2022/10/07/growi-private-page-can-be-viewed/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41799
https://www.cve.org/CVERecord?id=CVE-2022-41799
JVN
JVN#00845253
http://jvn.jp/en/jp/JVN00845253/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-07T12:14:28+09:00
[2022/10/07]\n Web page was published
2
2022-10-14T17:52:05+09:00
[2022/10/14]\n Vendor Information : Contents were added
2022-10-07T14:30:16+09:00
2022-10-14T17:59:42+09:00
2022-10-07T00:00:00+09:00
JVNDB-2022-000077
The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries
The installer of Content Transfer (for Windows) provided by Sony Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Sony Corporation
Content Transfer (for Windows)
cpe:/a:sony:content_transfer_for_windows
Ver.1.3 and prior
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privileges of the installer.
[Do not execute the installer] The developer states that the download service for the product has already ended. If the affected installer exists on the device, delete it. If the affected installer must nevertheless be executed, make sure there are no suspicious files in the directory where the installer resides.
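Both CWE-427 installer entries on this page (Ricoh Device Software Manager above, and this Sony Content Transfer entry) come down to the same operational advice: nothing an installer might load should sit beside it. The script below is an added example of that pre-flight check and is not Ricoh's or Sony's code; the installer name, the planted DLL name and the folder contents are constructed. It lists *.dll files next to the installer, plus the "<installer>.local" and "<installer>.manifest" files that change where Windows looks first, and stages the installer alone into a fresh empty directory when anything is found.

```python
"""Pre-flight check before running a Windows installer with a DLL search-path
issue (CWE-427). Added example, not Ricoh's or Sony's code; the installer and
file names are constructed. Rule encoded: nothing an installer might load should
sit beside it, so list such files and, if any are found, run the installer from
a freshly created empty directory instead.
"""
import os
import shutil
import tempfile


def sideload_candidates(installer_path):
    """Files next to the installer that a search-path flaw could load instead of the system copy.

    Besides *.dll, '<installer>.local' (DotLocal redirection) and '<installer>.manifest'
    (private assembly paths) change where Windows looks first, so they are flagged too.
    """
    installer_path = os.path.abspath(installer_path)
    directory = os.path.dirname(installer_path)
    name = os.path.basename(installer_path).lower()
    flagged = []
    for entry in sorted(os.listdir(directory)):
        lower = entry.lower()
        if lower == name:
            continue
        if lower.endswith(".dll") or lower in (name + ".local", name + ".manifest"):
            flagged.append(os.path.join(directory, entry))
    return flagged


def stage_installer(installer_path):
    """Copy the installer, alone, into a new empty directory and return the new path."""
    staging = tempfile.mkdtemp(prefix="installer-stage-")
    dest = os.path.join(staging, os.path.basename(installer_path))
    shutil.copy2(installer_path, dest)
    return dest


def demo():
    """Constructed Downloads folder: the installer plus a planted DLL and a .local file."""
    downloads = tempfile.mkdtemp(prefix="downloads-")
    installer = os.path.join(downloads, "Setup.exe")
    for fname in ("Setup.exe", "version.dll", "Setup.exe.local", "readme.txt"):
        with open(os.path.join(downloads, fname), "wb") as fh:
            fh.write(b"placeholder, not a real PE file")
    before = [os.path.basename(p) for p in sideload_candidates(installer)]
    staged = stage_installer(installer)
    after = [os.path.basename(p) for p in sideload_candidates(staged)]
    shutil.rmtree(downloads)
    shutil.rmtree(os.path.dirname(staged))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before staging:", before)   # ['Setup.exe.local', 'version.dll']
    print("after staging:", after)     # []
```

The check is deliberately about location, not signatures: a signed but unrelated DLL in the download folder is still loaded by a vulnerable installer, which is why the advisory's "no suspicious files in the same directory" wording, and staging into an empty directory, are the right fix for an installer that cannot be replaced.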
Sony
Content Transfer | Software for music | Support | Sony (sony.jp) (Text in Japanese)
https://www.sony.jp/support/audiosoftware/contenttransfer/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41796
https://www.cve.org/CVERecord?id=CVE-2022-41796
JVN
JVN#40620121
https://jvn.jp/en/jp/JVN40620121/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-11T15:08:38+09:00
[2022/10/11]\n Web page was published
2022-10-11T15:08:38+09:00
2022-10-11T15:08:38+09:00
2022-10-11T00:00:00+09:00
JVNDB-2022-000078
bingo!CMS vulnerable to authentication bypass
bingo!CMS provided by Shift Tech Inc. contains an authentication bypass vulnerability (CWE-288) in some of the management functions. Shift Tech Inc. states that attacks exploiting this vulnerability have been observed. Shift Tech Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Shift Tech Inc. coordinated under the Information Security Early Warning Partnership.
Shift Tech Inc.
bingo!CMS
cpe:/a:misc:shif-tech_bingo%21cms
version 1.7.4.1 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
High
7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Accessing a specific URL directly may allow a remote unauthenticated attacker to upload an arbitrary file without authentication. As a result, an arbitrary script may be executed and/or a file may be altered.
[Update the software] Update the software to the latest version according to the information provided by the developer. This vulnerability has been addressed in version 1.7.4.2.
Shift Tech Inc.
[Important / Action Required] Please take action regarding the bingo!CMS authentication bypass vulnerability
https://www.bingo-cms.jp/information/20221011.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-42458
https://www.cve.org/CVERecord?id=CVE-2022-42458
IPA SECURITY ALERTS
Security Updates Available for bingo!CMS (JVN#74592196)
https://www.ipa.go.jp/security/ciadr/vul/20221011-jvn.html
JPCERT
JPCERT-AT-2022-0026
https://www.jpcert.or.jp/english/at/2022/at220026.html
JVN
JVN#74592196
http://jvn.jp/en/jp/JVN74592196/index.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-11T17:49:04+09:00
[2022/10/11]\n Web page was published
2022-10-11T17:49:04+09:00
2022-10-11T17:49:04+09:00
2022-10-11T00:00:00+09:00
JVNDB-2022-000079
Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers
The web interface "Command Center" of multiple MFPs and printers provided by KYOCERA Document Solutions Inc. contains multiple vulnerabilities listed below. <ul> <li><b>Session Information Easily Guessable (CWE-287)</b> - CVE-2022-41798</li> <li><b>Missing authorization (CWE-425)</b> - CVE-2022-41807</li> <li><b>Stored cross-site scripting (CWE-79)</b> - CVE-2022-41830</li> </ul> Takayuki Sasaki, Takaya Noma and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KYOCERA Document Solutions
(multiple product)
cpe:/a:misc:kyocera_document_solutions_multiple_product
Medium
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P
Medium
6.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
<ul> <li>A network-adjacent attacker may log in to the product - CVE-2022-41798</li> <li>A network-adjacent attacker may modify the product settings without authentication - CVE-2022-41807</li> <li>An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege - CVE-2022-41830</li> </ul>
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. For more information, contact your distributor. [Apply the workaround] Ensure the network connection is safe to avoid access from any untrusted peers. <ul> <li>Connect to a firewall-protected network</li> <li>Connect to a network with a private IP address</li> </ul>
KYOCERA Document Solutions Inc.
Security vulnerabilities in our products
https://www.kyoceradocumentsolutions.com/en/our-business/security/information/2022-11-01.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41798
https://www.cve.org/CVERecord?id=CVE-2022-41798
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41807
https://www.cve.org/CVERecord?id=CVE-2022-41807
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41830
https://www.cve.org/CVERecord?id=CVE-2022-41830
JVN
JVN#46345126
https://jvn.jp/en/jp/JVN46345126/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-01T14:35:10+09:00
[2022/11/01]\n Web page was published
2022-11-01T14:51:58+09:00
2022-11-01T14:51:58+09:00
2022-11-01T00:00:00+09:00
JVNDB-2022-000080
Android App "IIJ SmartKey" vulnerable to information disclosure
Android App "IIJ SmartKey" provided by Internet Initiative Japan Inc. contains an information disclosure vulnerability (CWE-200). Naoaki Iwakiri reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Internet Initiative Japan Inc.
IIJ SmartKey
cpe:/a:iij:iij_smartkey
versions prior to 2.1.4
Low
2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Under certain conditions, an attacker may obtain a one-time password issued by the product.
[Update the application] Update the application to the latest version according to the information provided by the developer. This vulnerability was fixed in version 2.1.4 released on June 16, 2020.
Google Play
IIJ SmartKey
https://play.google.com/store/apps/details?id=jp.ad.iij.smartkey2
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41986
https://www.cve.org/CVERecord?id=CVE-2022-41986
JVN
JVN#74534998
https://jvn.jp/en/jp/JVN74534998/index.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-14T13:57:21+09:00
[2022/10/14] Web page was published
2022-10-14T13:57:21+09:00
2022-10-14T13:57:21+09:00
2022-10-14T00:00:00+09:00
JVNDB-2022-000081
Lemon8 App fails to restrict access permissions
Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly (CWE-939), which may be exploited to direct the App to access any sites. Ryo Sato of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
ByteDance
Lemon8
cpe:/a:misc:bytedance_lemon8
App for Android versions prior to 3.3.5
App for iOS versions prior to 3.3.5
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
[Update the Application] Update the application to the latest version according to the information provided by the developer. The developer has released the following versions: * Lemon8 App for Android version 3.3.5 * Lemon8 App for iOS version 3.3.5
App Store
App Store Lemon8
https://apps.apple.com/jp/app/lemon8-%E3%83%AC%E3%83%A2%E3%83%B3%E3%82%A8%E3%82%A4%E3%83%88/id1498607143
Google Play
Google Play Lemon8
https://play.google.com/store/apps/details?id=com.bd.nproject&hl=ja&gl=US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41797
https://www.cve.org/CVERecord?id=CVE-2022-41797
JVN
JVN#10921428
https://jvn.jp/en/jp/JVN10921428/index.html
JVNDB
CWE-264
Permissions
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-19T13:54:05+09:00
[2022/10/19] Web page was published
2022-10-19T14:08:15+09:00
2022-10-19T14:08:15+09:00
2022-10-19T00:00:00+09:00
JVNDB-2022-000082
Multiple vulnerabilities in nadesiko3
Nadesiko3 provided by kujirahand contains multiple vulnerabilities listed below. * OS command injection vulnerability in processing compression and decompression (CWE-78) - CVE-2022-41642 * Improper check or handling of exceptional conditions in nako3edit (CWE-703) - CVE-2022-41777 * OS command injection vulnerability via "file" parameter in nako3edit (CWE-78) - CVE-2022-42496 Satoki Tsuji reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
kujirahand
Nadesiko3 (PC Version)
cpe:/a:kujirahand:nadesiko3_pc-version
v3.3.68 and earlier (CVE-2022-41642)
kujirahand
Nako3edit, editor component of nadesiko3 (PC Version)
v3.3.74 and earlier (CVE-2022-41777, CVE-2022-42496)
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* An arbitrary OS command may be executed on the product if compression and/or decompression is executed - CVE-2022-41642 * Injecting an invalid value into decodeURIComponent of nako3edit may cause the server to crash - CVE-2022-41777 * An arbitrary OS command may be executed on the product via the "file" parameter in nako3edit if the appkey of the product is obtained by a remote unauthenticated attacker - CVE-2022-42496
[Update the software] Update the software to the latest version according to the information provided by the developer.
GitHub
Compression and decompression issues of cnako3 #1325
https://github.com/kujirahand/nadesiko3/issues/1325
GitHub
File handling issues of nako3edit #1347
https://github.com/kujirahand/nadesiko3/issues/1347
JVN
Information from kujirahand
https://jvn.jp/en/jp/JVN56968681/996377/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41642
https://www.cve.org/CVERecord?id=CVE-2022-41642
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41777
https://www.cve.org/CVERecord?id=CVE-2022-41777
Common Vulnerabilities and Exposures (CVE)
CVE-2022-42496
https://www.cve.org/CVERecord?id=CVE-2022-42496
JVN
JVN#56968681
https://jvn.jp/en/jp/JVN56968681/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-20T15:37:16+09:00
[2022/10/20] Web page was published
2
2022-10-28T17:39:10+09:00
[2022/10/28] Affected Products: Product version was modified
2022-10-20T16:58:55+09:00
2022-10-28T17:51:38+09:00
2022-10-20T00:00:00+09:00
JVNDB-2022-000083
Multiple vulnerabilities in SHIRASAGI
SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below. * Open Redirect (CWE-601) - CVE-2022-43479 * Stored Cross-site Scripting (CWE-79) - CVE-2022-43499 SHIGA TAKUMA of BroadBand Security, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
SHIRASAGI Project
SHIRASAGI
cpe:/a:ss-proj:shirasagi
v1.14.4 to v1.15.0 (CVE-2022-43479)
versions prior to v1.16.2 (CVE-2022-43499)
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
* The user may be redirected to an arbitrary website and become a victim of a phishing attack - CVE-2022-43479 * An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege - CVE-2022-43499
[Update the Software] Update to the latest version according to the information provided by the developer. The developer has released the versions listed below that address the vulnerabilities. * CVE-2022-43479: SHIRASAGI v1.16.0 * CVE-2022-43499: SHIRASAGI v1.16.2 For more information, refer to the information provided by the developer.
GitHub
SHIRASAGI
https://github.com/shirasagi/shirasagi
SHIRASAGI Official Website
SHIRASAGI Official Website
https://www.ss-proj.org/
SHIRASAGI Official Website
JVN#86350682 SHIRASAGI vulnerable to open redirect and cross-site scripting
https://www.ss-proj.org/support/928.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43479
https://www.cve.org/CVERecord?id=CVE-2022-43479
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43499
https://www.cve.org/CVERecord?id=CVE-2022-43499
JVN
JVN#86350682
http://jvn.jp/en/jp/JVN86350682/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-25T14:30:50+09:00
[2022/10/25] Web page was published
2022-10-25T15:10:41+09:00
2022-10-25T15:10:41+09:00
2022-10-25T00:00:00+09:00
JVNDB-2022-000084
Multiple vulnerabilities in FUJI SOFT network devices
USB dongle +F FS040U and mobile routers +F FS020W/+F FS030W/+F FS040W provided by FUJI SOFT INCORPORATED contain multiple vulnerabilities listed below. * Plaintext Storage of a Password (CWE-256) - CVE-2022-43442 * Cross-Site Request Forgery (CWE-352) - CVE-2022-43470 Tomohisa Hasegawa of Canon IT Solutions Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
FUJISOFT INCORPORATED
+F FS020W
cpe:/o:fsi:%2bf_fs020w
software versions v4.0.0 and earlier (CVE-2022-43470)
FUJISOFT INCORPORATED
+F FS030W
cpe:/o:fsi:%2bf_fs030w
software versions v3.3.5 and earlier (CVE-2022-43470)
FUJISOFT INCORPORATED
+F FS040U
cpe:/o:fsi:%2bf_fs040u
software versions v2.3.4 and earlier (CVE-2022-43442, CVE-2022-43470)
FUJISOFT INCORPORATED
+F FS040W
cpe:/o:fsi:%2bf_fs040w
software versions v1.4.1 and earlier (CVE-2022-43470)
Low
3.2
AV:A/AC:H/Au:N/C:N/I:P/A:P
Medium
4.6
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
* An attacker may obtain the login password of +F FS040U and log in to the management console - CVE-2022-43442 * If a user views a malicious page while logged in with the administrative privilege, unintended operations may be performed - CVE-2022-43470
[Update the software] For the products other than +F FS020W, an update is provided by the developer. Update the software to the latest version according to the information provided by the developer. [Apply the Workaround] For +F FS020W, apply the workaround according to the information provided by the developer to mitigate the impact of the vulnerability.
FUJI SOFT INCORPORATED
FUJI SOFT INCORPORATED website
https://www.fsi.co.jp/mobile/plusF/news/index.html
JVN
Information from FUJI SOFT INCORPORATED
http://jvn.jp/en/jp/JVN74285622/995983/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43442
https://www.cve.org/CVERecord?id=CVE-2022-43442
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43470
https://www.cve.org/CVERecord?id=CVE-2022-43470
JVN
JVN#74285622
http://jvn.jp/en/jp/JVN74285622/index.html
JVNDB
CWE-352
Cross-Site Request Forgery
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-28T14:49:10+09:00
[2022/10/28] Web page was published
2022-10-28T15:12:34+09:00
2022-10-28T15:12:34+09:00
2022-10-28T00:00:00+09:00
JVNDB-2022-000085
WordPress Plugin "Salon booking system" vulnerable to cross-site scripting
WordPress Plugin "Salon booking system" contains a cross-site scripting vulnerability (CWE-79). Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Salon booking system
Salon booking system
cpe:/a:salonbookingsystem:salon_booking_syste
versions prior to 7.9
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress administrative page where the product is installed.
[Update the plugin] Update the plugin to the latest version according to the information provided by the developer.
Salon booking system
Salon booking system By Salon Booking System
https://wordpress.org/plugins/salon-booking-system/
Salon booking system
Salon Booking System: Scheduling made easy
https://www.salonbookingsystem.com/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43487
https://www.cve.org/CVERecord?id=CVE-2022-43487
JVN
JVN#59663854
http://jvn.jp/en/jp/JVN59663854/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-08T14:08:33+09:00
[2022/11/08] Web page was published
2022-11-08T15:07:08+09:00
2022-11-08T15:07:08+09:00
2022-11-08T00:00:00+09:00
JVNDB-2022-000086
Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure
Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability (CWE-200). Cameron Palmer of PROMON reported this vulnerability to Aiphone Co., Ltd. and coordinated. Aiphone Co., Ltd. and JPCERT/CC published respective advisories in order to notify users of this vulnerability.
AIPHONE CO., LTD.
GT-DB-VN
cpe:/o:misc:aiphone_gt-db-vn
with firmware versions prior to 2.00
AIPHONE CO., LTD.
GT-DMB
cpe:/o:misc:aiphone_gt-dmb
with firmware versions prior to 3.00
AIPHONE CO., LTD.
GT-DMB-LVN
cpe:/o:misc:aiphone_gt-dmb-lvn
with firmware versions prior to 3.00
AIPHONE CO., LTD.
GT-DMB-N
cpe:/o:misc:aiphone_gt-dmb-n
with firmware versions prior to 3.00
Low
2.9
AV:A/AC:M/Au:N/C:P/I:N/A:N
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
An attacker who can obtain specific information of the product and access the product may obtain sensitive information stored in the device.
[Use the products with the fixed firmware] According to the developer, the vulnerability has been fixed since December 2021. Please inquire with the developer about support for products released before December 2021.
AIPHONE CO., LTD.
GT System, Entrance station Vulnerability Information
https://www.aiphone.net/important/20221110/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40903
https://www.cve.org/CVERecord?id=CVE-2022-40903
JVN
JVN#75437943
http://jvn.jp/en/jp/JVN75437943/index.html
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-10T12:32:43+09:00
[2022/11/10] Web page was published
2022-11-10T13:40:20+09:00
2022-11-10T13:40:20+09:00
2022-11-10T00:00:00+09:00
JVNDB-2022-000087
Multiple vulnerabilities in WordPress
WordPress contains multiple vulnerabilities listed below, which are related to the WordPress Post by Email Feature. * Stored Cross-site scripting (CWE-79) - CVE-2022-43497 * Stored Cross-site scripting (CWE-79) - CVE-2022-43500 * Improper authentication (CWE-287) - CVE-2022-43504 Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
WordPress.org
WordPress
cpe:/a:wordpress:wordpress
versions prior to 6.0.3
Medium
5
AV:N/AC:L/Au:N/C:P/I:N/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* An arbitrary script may be executed on the web browser of the user who is accessing the website using the product - CVE-2022-43497, CVE-2022-43500 * A remote unauthenticated attacker may obtain the email address of the user who posted a blog using the WordPress Post by Email Feature - CVE-2022-43504
[Update the Software] Update to the latest version according to the information provided by the developer. According to the developer, these vulnerabilities have been fixed in version 6.0.3.
WordPress.org
WordPress 6.0.3 Security Release
https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
WordPress.org
Get WordPress
https://wordpress.org/download/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43497
https://www.cve.org/CVERecord?id=CVE-2022-43497
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43500
https://www.cve.org/CVERecord?id=CVE-2022-43500
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43504
https://www.cve.org/CVERecord?id=CVE-2022-43504
JVN
JVN#09409909
http://jvn.jp/en/jp/JVN09409909/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-08T13:51:32+09:00
[2022/11/08] Web page was published
2022-11-08T14:59:14+09:00
2022-11-08T14:59:14+09:00
2022-11-08T00:00:00+09:00
JVNDB-2022-000088
TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation
Past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) are vulnerable to ClassLoader manipulation because they use an old version of Spring Framework that contains the vulnerability. According to the developer, this vulnerability is caused by an improper input validation issue (CWE-20) in the binding mechanism of Spring MVC. NTT DATA Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NTT DATA Corporation coordinated under the Information Security Early Warning Partnership.
NTT DATA
TERASOLUNA Global Framework
cpe:/a:nttdata:terasoluna_global_framework
1.0.0 (Public review version)
NTT DATA
TERASOLUNA Server Framework for Java (Rich)
cpe:/a:nttdata:terasoluna_server_framework_for_java_rich
2.0.0.2 to 2.0.5.1
High
7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
If the application processes a specially crafted file, arbitrary code may be executed with the privileges of the application.
[Update the software] Update the software to the latest version according to the information provided by the developer. Note that additional workarounds may be required depending on the system environment. For more information, refer to the information provided by the developer. [Apply the Workaround] If an update cannot be applied, the developer recommends that users apply the workaround. For more information, refer to the information provided by the developer.
JVN
Information from FUJITSU LIMITED
https://jvn.jp/en/jp/JVN54728399/2390/index.html
JVN
Information from NTT DATA Corporation
https://jvn.jp/en/jp/JVN54728399/995570/index.html
NTT DATA Corporation
CVE-2022-43484
https://osdn.net/projects/terasoluna/wiki/cve-2022-43484
NTT DATA Corporation
CVE-2022-43484
http://terasolunaorg.github.io/vulnerability/cve-2022-43484.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43484
https://www.cve.org/CVERecord?id=CVE-2022-43484
JVN
JVN#54728399
https://jvn.jp/en/jp/JVN54728399/index.html
Related document
Minor issue with fix for CVE 2010-1622 [SPR-11098] #15724
https://github.com/spring-projects/spring-framework/issues/15724
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-14T16:45:43+09:00
[2022/11/14] Web page was published
2022-11-14T16:45:43+09:00
2022-11-14T16:45:43+09:00
2022-11-14T00:00:00+09:00
JVNDB-2022-000089
RICOH Aficio SP 4210N vulnerable to cross-site scripting
Aficio SP 4210N provided by RICOH COMPANY, LTD. contains a cross-site scripting vulnerability (CWE-79) in Web Image Monitor. Yudai Morii, Takaya Noma, Hiroki Yasui, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Ricoh Co., Ltd
IPSiO SP 4210
cpe:/o:ricoh:ipsio_sp_4210_firmware
firmware versions prior to Web Support 1.05
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer.
JVN
RICOH COMPANY, LTD. website
https://jvn.jp/en/jp/JVN24659622/423626/index.html
RICOH COMPANY, LTD.
RICOH Firmware Update Tool Ver.1.01 for IPSiO SP 4210
https://support.ricoh.com/bbv2/html/dr_ut_d/ipsio/history/w/bb/pub_j/dr_ut_d/4101044/4101044791/V101/5236968/redirect_CLUTool_DOM/history.htm
Common Vulnerabilities and Exposures (CVE)
CVE-2022-37406
https://www.cve.org/CVERecord?id=CVE-2022-37406
JVN
JVN#24659622
https://jvn.jp/en/jp/JVN24659622/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-17T11:15:29+09:00
[2022/11/17] Web page was published
2022-11-17T11:15:29+09:00
2022-11-17T11:15:29+09:00
2022-11-16T00:00:00+09:00
JVNDB-2022-000090
Multiple vulnerabilities in Movable Type
Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below. * Improper Validation of Syntactic Correctness of Input (CWE-1286) - CVE-2022-45113 * Cross-site Scripting (CWE-79) - CVE-2022-45122 * Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CWE-97) - CVE-2022-43660 CVE-2022-45113, CVE-2022-45122: SHIGA TAKUMA of BroadBand Security, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-43660: Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
Six Apart, Ltd.
Movable Type
cpe:/a:sixapart:movabletype
Movable Type 7 r.5301 and earlier (Movable Type 7 Series)(CVE-2022-45113,CVE-2022-45122,CVE-2022-43660)
Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series)(CVE-2022-45113,CVE-2022-45122)
Six Apart, Ltd.
Movable Type Advanced
cpe:/a:sixapart:movable_type_advanced
Movable Type 6.8.7 and earlier (Movable Type 6 Series)(CVE-2022-45113,CVE-2022-45122,CVE-2022-43660)
Movable Type Advanced 6.8.7 and earlier (Movable Type Advanced 6 Series)(CVE-2022-45113,CVE-2022-45122,CVE-2022-43660)
Six Apart, Ltd.
Movable Type Premium
cpe:/a:sixapart:movable_type_premium
Movable Type Premium 1.53 and earlier (CVE-2022-45113,CVE-2022-45122,CVE-2022-43660)
Six Apart, Ltd.
Movable Type Premium Advanced
cpe:/a:sixapart:movable_type_premium_advanced
Movable Type Premium Advanced 1.53 and earlier (CVE-2022-45113,CVE-2022-45122,CVE-2022-43660)
Medium
4.6
AV:N/AC:H/Au:S/C:P/I:P/A:P
High
7.2
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* Having a user access a specially crafted URL may allow a remote attacker to set a specially crafted URL on the Reset Password page and conduct a phishing attack - CVE-2022-45113 * An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2022-45122 * A remote authenticated attacker with the privilege of "Manage of Content Types" may execute an arbitrary Perl script and/or an arbitrary OS command - CVE-2022-43660
[Update the Software] Apply the appropriate update according to the information provided by the developer. The developer has released the following updates that contain fixes for these vulnerabilities: * Movable Type 7 r.5401 (Movable Type 7 Series) * Movable Type Advanced 7 r.5401 (Movable Type Advanced 7 Series) * Movable Type 6.8.8 (Movable Type 6 Series) * Movable Type Advanced 6.8.8 (Movable Type Advanced 6 Series) * Movable Type Premium 1.54 * Movable Type Premium Advanced 1.54
JVN
Six Apart Ltd. website
https://jvn.jp/en/jp/JVN37014768/370331/index.html
MOVABLETYPE NEWS
[Important] Movable Type 7 r.5401 / Movable Type 6.8.8 / Movable Type Premium 1.54 (Security Update) & Movable Type 8
https://www.sixapart.jp/movabletype/news/2022/11/16-1100.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-45113
https://www.cve.org/CVERecord?id=CVE-2022-45113
Common Vulnerabilities and Exposures (CVE)
CVE-2022-45122
https://www.cve.org/CVERecord?id=CVE-2022-45122
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43660
https://www.cve.org/CVERecord?id=CVE-2022-43660
JVN
JVN#37014768
https://jvn.jp/en/jp/JVN37014768/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-16T17:07:36+09:00
[2022/11/16] Web page was published
2022-11-16T17:07:36+09:00
2022-11-16T17:07:36+09:00
2022-11-16T00:00:00+09:00
JVNDB-2022-000091
WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables
WordPress Plugin "WordPress Popular Posts" provided by Hector Cabrera accepts untrusted external inputs to update certain internal variables (CWE-454). Tsubasa Iinuma of Origami Systems reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Hector Cabrera
WordPress Popular Posts
cpe:/a:wordpress_popular_posts_project:wordpress_popular_posts
6.0.5 and earlier
Medium
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
Medium
5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
The number of views for an article may be manipulated through a crafted input.
[Update the plugin] Update the plugin according to the information provided by the developer.
GitHub
GitHub - cabrerahector/wordpress-popular-posts
https://github.com/cabrerahector/wordpress-popular-posts/
Hector Cabrera
WordPress Popular Posts
https://ja.wordpress.org/plugins/wordpress-popular-posts/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43468
https://www.cve.org/CVERecord?id=CVE-2022-43468
JVN
JVN#13927745
https://jvn.jp/en/jp/JVN13927745/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-18T15:14:19+09:00
[2022/11/18] Web page was published
2022-11-18T15:14:19+09:00
2022-11-18T15:14:19+09:00
2022-11-18T00:00:00+09:00
JVNDB-2022-000092
Typora fails to properly neutralize JavaScript code
Typora fails to properly neutralize JavaScript code (CWE-116). Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
typora
Typora
cpe:/a:typora:typora
versions prior to 1.4.4
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.4
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Opening a file with the affected product may lead to execution of the JavaScript code inside the file.
[Update the Software] Update the software to the latest version according to the information provided by the developer. The developer confirms the vulnerability is fixed in Typora versions 1.4.x. The reporter confirms that Typora version 1.4.4 is not affected.
Typora
History Releases
https://typora.io/releases/all
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43668
https://www.cve.org/CVERecord?id=CVE-2022-43668
JVN
JVN#26044739
https://jvn.jp/en/jp/JVN26044739/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-21T13:48:09+09:00
[2022/11/21] Web page was published
2022-11-21T15:31:17+09:00
2022-11-21T15:31:17+09:00
2022-11-21T00:00:00+09:00
JVNDB-2022-000093
TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input
tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting in a crash (CWE-228). Tomoya Kitagawa and Toshiki Takatera of Ricerca Security, Inc. reported this vulnerability to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
TP-LINK Technologies
RE300 V1
cpe:/o:tp-link:re300-v1_firmware
firmware versions prior to 221009
Low
3.3
AV:A/AC:L/Au:N/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
An attacker may be able to cause a denial-of-service (DoS) condition of the product's OneMesh function.
[Update the software] Update the software to the latest version according to the information provided by the developer. This vulnerability has been addressed in the firmware version 221009.
TP-LINK Technologies
Download for RE300 V1
https://www.tp-link.com/en/support/download/re300/v1/#Firmware
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41783
https://www.cve.org/CVERecord?id=CVE-2022-41783
JVN
JVN#29657972
https://jvn.jp/en/jp/JVN29657972/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-24T12:21:09+09:00
[2022/11/24] Web page was published
2022-11-24T14:46:40+09:00
2022-11-24T14:46:40+09:00
2022-11-24T00:00:00+09:00
JVNDB-2022-000094
Multiple cross-site scripting vulnerabilities in baserCMS
baserCMS provided by baserCMS Users Community contains multiple cross-site scripting vulnerabilities listed below. * Stored cross-site scripting vulnerability in User management (CWE-79) - CVE-2022-39325 * Stored cross-site scripting vulnerability in Permission Settings (CWE-79) - CVE-2022-41994 * Stored cross-site scripting vulnerability in User group management (CWE-79) - CVE-2022-42486 CVE-2022-39325 YUYA KOTAKE of CARTA HOLDINGS, INC. and Shogo Iyota of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2022-41994, CVE-2022-42486 Shogo Iyota of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
baserCMS Users Community
baserCMS
cpe:/a:basercms:basercms
versions prior to 4.7.2
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the product.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer released baserCMS 4.7.2 that contains a fix for these vulnerabilities.
baserCMS Users Community
baserCMS Users Community website
https://basercms.net/security/JVN_53682526
Common Vulnerabilities and Exposures (CVE)
CVE-2022-39325
https://www.cve.org/CVERecord?id=CVE-2022-39325
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41994
https://www.cve.org/CVERecord?id=CVE-2022-41994
Common Vulnerabilities and Exposures (CVE)
CVE-2022-42486
https://www.cve.org/CVERecord?id=CVE-2022-42486
JVN
JVN#53682526
https://jvn.jp/en/jp/JVN53682526/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-25T12:22:37+09:00
[2022/11/25] Web page was published
2022-11-25T13:42:23+09:00
2022-11-25T13:42:23+09:00
2022-11-25T00:00:00+09:00
JVNDB-2022-000095
Cybozu Remote Service vulnerable to Uncontrolled Resource Consumption
Cybozu Remote Service provided by Cybozu, Inc. is vulnerable to uncontrolled resource consumption (CWE-400). Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
Cybozu, Inc.
Remote Service
cpe:/a:cybozu:remote_service
4.0.0 to 4.0.3
Medium
4
AV:N/AC:L/Au:S/C:N/I:N/A:P
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
A logged-in user may consume a huge amount of storage space, resulting in a denial-of-service (DoS) condition.
[Update the Software] Update to the latest version according to the information provided by the developer.
Cybozu
Cybozu Remote Service 4 Vulnerability Notice
https://cs.cybozu.co.jp/2022/007754.html
JVN
Information from Cybozu, Inc.
https://jvn.jp/en/jp/JVN87895771/374951/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44608
https://www.cve.org/CVERecord?id=CVE-2022-44608
JVN
JVN#87895771
https://jvn.jp/en/jp/JVN87895771/index.html
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-11-25T12:42:47+09:00
[2022/11/25] Web page was published
2022-11-25T14:15:00+09:00
2022-11-25T14:15:00+09:00
2022-11-25T00:00:00+09:00
JVNDB-2022-000096
Redmine vulnerable to cross-site scripting
Redmine contains a cross-site scripting vulnerability (CWE-79) caused by improper Textile processing. Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Redmine
Redmine
cpe:/a:redmine:redmine
all versions
Low
2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user using the product.
[Update the Software] Update the software to the latest version according to the information provided by the developer. The developer has released the following versions: * Redmine version 4.2.9 * Redmine version 5.0.4
Redmine
Redmine 4.2.9 and 5.0.4 released
https://www.redmine.org/news/139
Redmine
Redmine Security Advisories
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
Redmine
Download
https://www.redmine.org/projects/redmine/wiki/Download
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44637
https://www.cve.org/CVERecord?id=CVE-2022-44637
JVN
JVN#60211811
https://jvn.jp/en/jp/JVN60211811/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-13T12:19:55+09:00
[2022/12/13] Web page was published
2022-12-13T14:05:08+09:00
2022-12-13T14:05:08+09:00
2022-12-13T00:00:00+09:00
JVNDB-2022-000097
Multiple vulnerabilities in DENSHI NYUSATSU CORE SYSTEM
DENSHI NYUSATSU CORE SYSTEM provided by Japan Construction Information Center contains multiple vulnerabilities listed below. * Cross-site scripting vulnerability (CWE-79) - CVE-2022-41993 * Cross-site scripting vulnerability (CWE-79) - CVE-2022-46287 * Open redirect vulnerability (CWE-601) - CVE-2022-46288
Japan Construction Information Center
DENSHI NYUSATSU CORE SYSTEM
cpe:/a:misc:japan_construction_information_center_electronic_bidding_core_system
v6 R4 and earlier
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* An arbitrary script may be executed on the web browser of the user who is logging in to the system using the product - CVE-2022-41993 * An arbitrary script may be executed on the web browser of the user who is accessing the system using the product - CVE-2022-46287 * By having a user access a specially crafted URL, the user may be redirected to an arbitrary website - CVE-2022-46288
[Apply the Patch] Apply the patch according to the information provided by the developer.
JACIC
Multiple vulnerabilities for DENSHI NYUSATSU CORE SYSTEM
https://www.cals.jacic.or.jp/coreconso/pdf/coreconsoinfo20221215.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41993
https://www.cve.org/CVERecord?id=CVE-2022-41993
Common Vulnerabilities and Exposures (CVE)
CVE-2022-46287
https://www.cve.org/CVERecord?id=CVE-2022-46287
Common Vulnerabilities and Exposures (CVE)
CVE-2022-46288
https://www.cve.org/CVERecord?id=CVE-2022-46288
JVN
JVN#96321933
https://jvn.jp/en/jp/JVN96321933/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-15T15:18:23+09:00
[2022/12/15] Web page was published
2022-12-15T15:18:23+09:00
2022-12-15T15:18:23+09:00
2022-12-15T00:00:00+09:00
JVNDB-2022-000098
Zenphoto vulnerable to cross-site scripting
Zenphoto contains a stored cross-site scripting vulnerability (CWE-79). Terada Yu of Fujitsu System Integration Laboratories reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Zenphoto
Zenphoto
cpe:/a:zenphoto:zenphoto
versions prior to 1.6
Low
3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N
Medium
4.8
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on the web browser of the user who is using the product.
[Update the software] Update the software to the latest version according to the information provided by the developer.
Github
GitHub - zenphoto / zenphoto
https://github.com/zenphoto/zenphoto
Zenphoto
ZenphotoCMS - The simpler media website CMS
https://www.zenphoto.org/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44449
https://www.cve.org/CVERecord?id=CVE-2022-44449
JVN
JVN#06093462
https://jvn.jp/en/jp/JVN06093462/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-19T13:25:22+09:00
[2022/12/19] Web page was published
2022-12-19T13:39:14+09:00
2022-12-19T13:39:14+09:00
2022-12-19T00:00:00+09:00
JVNDB-2022-000099
Corel Roxio Creator LJB starts a program with an unquoted file path
Roxio Creator LJB provided by Corel Corporation starts another program with an unquoted file path (CWE-428). Haruka Hino of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Corel Corporation
Roxio Creator LJB
cpe:/a:corel:roxio_creator_ljb
version number: 12.2, build number: 106B62B
version number: 12.2, build number: 106B63A
version number: 12.2, build number: 106B69A
version number: 12.2, build number: 106B71A
version number: 12.2, build number: 106B74A
Medium
6.8
AV:L/AC:L/Au:S/C:C/I:C/A:C
High
8.2
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Since a registered Windows service path contains spaces and is unquoted, if a malicious executable is placed on a certain path, it may be executed with the privilege of the Windows service.
[Update the software] Update the software to the latest version according to the information provided by the developer.
FUJITSU
Corel Roxio Creator LJB Vulnerability Notice
https://www.fmworld.net/biz/common/corel/20221110.html
JVN
Information from FUJITSU LIMITED
https://jvn.jp/en/jp/JVN13075438/2390/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-46662
https://www.cve.org/CVERecord?id=CVE-2022-46662
JVN
JVN#13075438
https://jvn.jp/en/jp/JVN13075438/index.html
Related document
Roxio Creator LJB Update Program (Fujitsu Client Computing Made Computer Bundle-Only)
https://kb.corel.com/en/129393
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-19T12:50:07+09:00
[2022/12/19] Web page was published
2022-12-19T13:47:35+09:00
2022-12-19T13:47:35+09:00
2022-12-19T00:00:00+09:00
JVNDB-2022-000101
+Message App improper handling of Unicode control characters
+Message App displays text unprocessed even when it contains control characters, and the text is rendered according to the Unicode control character specifications. Therefore, a crafted text may display misleading web links (CWE-451). Akaki Tsunoda reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
KDDI
+Message (PlusMessage)
cpe:/a:kddi:%2b_message
for Android prior to version 3.9.2
for iOS prior to version 3.9.4
NTT DOCOMO, INC.
+Message (PlusMessage)
cpe:/a:nttdocomo:%2b_message
for Android prior to version 54.49.0500
for iOS prior to version 3.9.4
SoftBank
+Message (PlusMessage)
cpe:/a:softbank:%2b_message
for Android prior to version 12.9.5
for iOS prior to version 3.9.4
Medium
4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Medium
4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
A spoofed URL may be displayed and phishing attacks may be conducted.
[Update the Application] Update to the latest version according to the information provided by the developer.
JVN
Information from KDDI CORPORATION
https://jvn.jp/en/jp/JVN43561812/113349/index.html
JVN
Information from SoftBank Corp.
https://jvn.jp/en/jp/JVN43561812/397327/index.html
JVN
Information from NTT DOCOMO, INC.
https://jvn.jp/en/jp/JVN43561812/995312/index.html
KDDI CORPORATION
Notice: + message (plus message)
https://www.au.com/mobile/service/plus-message/information/
NTT docomo
+ message (plus message)
https://www.docomo.ne.jp/service/plus_message/
Softbank
+ message (plus message)
https://www.softbank.jp/mobile/service/plus-message/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43543
https://www.cve.org/CVERecord?id=CVE-2022-43543
JVN
JVN#43561812
https://jvn.jp/en/jp/JVN43561812/index.html
Related document
Unicode Technical Report #36
https://unicode.org/reports/tr36/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-21T12:44:45+09:00
[2022/12/21] Web page was published
2022-12-21T14:13:28+09:00
2022-12-21T14:13:28+09:00
2022-12-21T00:00:00+09:00
JVNDB-2022-000102
Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries
Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Koh You Liang of Sompo Holdings, Inc. reported this vulnerability to the developer first, and to IPA later. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Squirrel
Squirrel.Windows
Installers generated by 2.0.1 and earlier
Medium
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Arbitrary code may be executed with the privilege of the user invoking the installer.
As of December 21, 2022, a fixed version is not provided. According to the developer, there are no plans to release a fixed version soon, but the following fix was committed to the 'develop' branch of the GitHub repository on June 1, 2021. * Better delay load urlmon and move official build to GH Actions #1807 (https://github.com/Squirrel/Squirrel.Windows/pull/1807) Users should build Squirrel.Windows from the latest source code of the 'develop' branch and use it to generate installers.
Squirrel
Better delay load urlmon and move official build to GH Actions #1807
https://github.com/Squirrel/Squirrel.Windows/pull/1807
Squirrel
Squirrel.Windows
https://github.com/Squirrel/Squirrel.Windows
Common Vulnerabilities and Exposures (CVE)
CVE-2022-46330
https://www.cve.org/CVERecord?id=CVE-2022-46330
JVN
JVN#29902403
https://jvn.jp/en/jp/JVN29902403/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
JVNDB
CWE-Other
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-21T13:57:00+09:00
[2022/12/21] Web page was published
2022-12-21T14:23:29+09:00
2022-12-21T14:23:29+09:00
2022-12-21T00:00:00+09:00
JVNDB-2022-001087
GROWI vulnerable to authorization bypass through user-controlled key
GROWI provided by WESEEK, Inc. contains an authorization bypass through user-controlled key vulnerability (CWE-639, CVE-2021-3852). huntr first reported this vulnerability to JPCERT/CC, and JPCERT/CC then contacted WESEEK, Inc. as an intermediary. After the coordination between huntr and WESEEK, Inc. was completed, this case was published to notify users of the solution through JVN.
WESEEK, Inc.
GROWI
cpe:/a:weseek:growi
v4.4.7 and earlier
High
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
An unauthenticated remote attacker may bypass the authorization and delete an arbitrary user's comment.
[Update the software] Update the software to the version listed below which contains the fix for this vulnerability. * GROWI v4.4.8 and later
WESEEK, Inc.
WESEEK, Inc. website
https://weseek.co.jp/security/2022/01/21/vulnerability/growi-authentication-bypass/
Common Vulnerabilities and Exposures (CVE)
CVE-2021-3852
https://www.cve.org/CVERecord?id=CVE-2021-3852
JVN
JVNVU#94151526
https://jvn.jp/en/vu/JVNVU94151526/
Related document
Authorization Bypass Through User-Controlled Key in weseek/growi
https://huntr.dev/bounties/d44def81-2834-4031-9037-e923975c3852/
Related document
VDB-190179 (GROWI AUTHORIZATION)
https://vuldb.com/?id.190179
JVNDB
CWE-639
Authorization Bypass Through User-Controlled Key
https://cwe.mitre.org/data/definitions/639.html
1
2022-01-24T13:52:43+09:00
[2022/01/24] Web page was published
2022-01-24T14:07:24+09:00
2022-01-24T14:07:24+09:00
2022-01-21T00:00:00+09:00
JVNDB-2022-001097
Multiple vulnerabilities in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux
Deep Security and Cloud One - Workload Security Agent for Linux provided by Trend Micro Incorporated contain multiple vulnerabilities listed below. * Directory Traversal (CWE-22) - CVE-2022-23119 * Code Injection (CWE-94) - CVE-2022-23120 As of January 24, 2022, Proof-of-Concept (PoC) code exploiting these vulnerabilities has already been made public. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Cloud One Workload Security
cpe:/a:trendmicro:cloud_one_workload_security
Trend Micro, Inc.
Deep Security Agent
cpe:/a:trendmicro:deep_security_agent
for Linux Versions 20 and earlier
High
7
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* An attacker who can log in to the product may obtain the files in the product - CVE-2022-23119 * An attacker who can log in to the product may obtain administrative privileges. As a result, arbitrary code may be executed with root privileges - CVE-2022-23120
[Apply the patch] Apply the appropriate patch according to the information provided by the developer.
Trend Micro
SECURITY BULLETIN: Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux Directory Traversal & Code Injection Local Privilege Escalation Vulnerabilities
https://success.trendmicro.com/solution/000290104
Common Vulnerabilities and Exposures (CVE)
CVE-2022-23119
https://www.cve.org/CVERecord?id=CVE-2022-23119
Common Vulnerabilities and Exposures (CVE)
CVE-2022-23120
https://www.cve.org/CVERecord?id=CVE-2022-23120
JVN
JVNVU#95024141
https://jvn.jp/en/vu/JVNVU95024141/
JVNDB
CWE-94
Code Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-01-25T12:22:26+09:00
[2022/01/25] Web page was published
2022-01-25T13:35:58+09:00
2022-01-25T13:35:58+09:00
2022-01-24T00:00:00+09:00
JVNDB-2022-001299
Cross-site Scripting Vulnerability in JP1/IT Desktop Management 2
A Cross-site Scripting vulnerability was found in JP1/IT Desktop Management 2.
Hitachi, Ltd
JP1/IT Desktop Management 2
cpe:/a:hitachi:jp1_it_desktop_management_2
- Manager
- Operations Director
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-103
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-103/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-02-08T17:03:55+09:00
[2022/02/08] Web page was published
2022-02-08T17:15:17+09:00
2022-02-08T17:15:17+09:00
2022-02-04T00:00:00+09:00
JVNDB-2022-001372
Trend Micro Antivirus for MAC vulnerable to privilege escalation
Trend Micro Incorporated has released a security update for Trend Micro Antivirus for MAC. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
Trend Micro, Inc.
Trend Micro Antivirus
for MAC Versions 11.0.2150 and earlier
A user who can log in to the system where the affected product is installed may obtain the administrative privilege. As a result, an arbitrary program may be executed on the system. For more information, refer to the information provided by the developer.
[Update the software] Update the software to the latest version according to the information provided by the developer.
Trend Micro Incorporated
Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability
https://helpcenter.trendmicro.com/en-us/article/tmka-10937
Common Vulnerabilities and Exposures (CVE)
CVE-2022-24671
https://www.cve.org/CVERecord?id=CVE-2022-24671
JVN
JVNVU#95075478
https://jvn.jp/en/vu/JVNVU95075478/index.html
1
2022-02-18T14:33:14+09:00
[2022/02/18] Web page was published
2022-02-18T14:55:19+09:00
2022-02-18T14:55:19+09:00
2022-02-17T00:00:00+09:00
JVNDB-2022-001380
Multiple security updates for Trend Micro Endpoint security products for enterprises (March 2022)
Trend Micro Incorporated has released multiple security updates for Trend Micro Endpoint security products for enterprises. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
as a Service
On Premise (2019)
Trend Micro, Inc.
Worry-Free Business Security
cpe:/a:trendmicro:business_security
10.0 SP1
Trend Micro, Inc.
Worry-Free Business Security Services
cpe:/a:trendmicro:business_security_services
Apex One On Premise (2019)
* Privilege escalation due to uncontrolled search path element
* Privilege escalation due to unnecessary privilege
* Privilege escalation due to incorrect permission assignment
* Privilege escalation due to stack-based buffer overflow
* CGI program crash due to NULL pointer dereference
* Denial-of-service (DoS) due to reachable assertion
* Denial-of-service (DoS) due to link following vulnerability
* Privilege escalation due to link following vulnerability
* Privilege escalation due to origin validation error vulnerability
* Server crash due to out-of-bounds read
* Denial-of-service (DoS) due to resource exhaustion attack
Apex One as a Service
* Privilege escalation due to uncontrolled search path element
* Privilege escalation due to unnecessary privilege
* Privilege escalation due to incorrect permission assignment
* Privilege escalation due to stack-based buffer overflow
* CGI program crash due to NULL pointer dereference
* Denial-of-service (DoS) due to reachable assertion
* Denial-of-service (DoS) due to link following vulnerability
* Privilege escalation due to link following vulnerability
* Denial-of-service (DoS) due to resource exhaustion attack
Worry-Free Business Security 10.0 SP1
* Privilege escalation due to unnecessary privilege
* Privilege escalation due to stack-based buffer overflow
* CGI program crash due to NULL pointer dereference
* Denial-of-service (DoS) due to link following vulnerability
* Privilege escalation due to link following vulnerability
* Server crash due to out-of-bounds read
* Denial-of-service (DoS) due to resource exhaustion attack
Worry-Free Business Security Services
* Privilege escalation due to unnecessary privilege
* Denial-of-service (DoS) due to link following vulnerability
* Privilege escalation due to link following vulnerability
* Denial-of-service (DoS) due to resource exhaustion attack
[Update the software] Update the software to the latest version according to the information provided by the developer.
Trend Micro Incorporated
SECURITY BULLETIN: October 14, 2021, Security Bulletin for Trend Micro Apex One and Apex One as a Service
https://success.trendmicro.com/solution/000289229
Trend Micro Incorporated
SECURITY BULLETIN: October 14, 2021, Security Bulletin for Trend Micro Worry-Free Business Security and Worry-Free Business Security Services
https://success.trendmicro.com/solution/000289230
Trend Micro Incorporated
SECURITY BULLETIN: December 2021 Security Bulletin for Trend Micro Apex One and Worry-Free Business Security
https://success.trendmicro.com/solution/000289996
Trend Micro Incorporated
SECURITY BULLETIN: Trend Micro Worry-Free Business Security Server Out-Of-Bounds Read Information Disclosure Vulnerability
https://success.trendmicro.com/solution/000290416
Trend Micro Incorporated
SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Apex One
https://success.trendmicro.com/solution/000290464
Trend Micro Incorporated
SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Worry-Free Business Security
https://success.trendmicro.com/solution/000290486
JVN
JVNVU#96994445
https://jvn.jp/en/vu/JVNVU96994445/index.html
1
2022-03-02T14:26:38+09:00
[2022/03/02] Web page was published
2022-03-02T17:07:57+09:00
2022-03-02T17:07:57+09:00
2022-03-01T00:00:00+09:00
JVNDB-2022-001381
Multiple vulnerabilities in Trend Micro ServerProtect
Trend Micro Incorporated has released security updates for ServerProtect. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Trend Micro ServerProtect
cpe:/a:trendmicro:serverprotect
for EMC Celerra (SPEMC) 5.8
for Microsoft Windows / Novell NetWare (SPNT) 5.8
for Storage (SPFS) 6.0
ServerProtect for Network Appliance Filers (SPNAF) 5.8
* Remote code execution due to insufficiently protected static credentials * Denial-of-service (DoS) and/or remote code execution due to integer overflow * Denial-of-service (DoS) due to improper exception handling For more information, refer to the information provided by the developer.
[Apply the patch] Apply the appropriate patch according to the information provided by the developer.
Trend Micro Incorporated
CRITICAL SECURITY BULLETIN: Multiple Vulnerabilities in Trend Micro ServerProtect - February 2022
https://success.trendmicro.com/solution/000290507
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25329
https://www.cve.org/CVERecord?id=CVE-2022-25329
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25330
https://www.cve.org/CVERecord?id=CVE-2022-25330
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25331
https://www.cve.org/CVERecord?id=CVE-2022-25331
JVN
JVNVU#92972528
https://jvn.jp/en/vu/JVNVU92972528/index.html
1
2022-03-03T14:10:44+09:00
[2022/03/03] Web page was published
2022-03-03T14:42:48+09:00
2022-03-03T14:42:48+09:00
2022-03-02T00:00:00+09:00
JVNDB-2022-001382
File Permission Vulnerability in Hitachi Command Suite
A file permission vulnerability was found in Hitachi Command Suite.
Hitachi, Ltd
Hitachi Compute Systems Manager
cpe:/a:hitachi:compute_systems_manager
Hitachi, Ltd
Hitachi Device Manager
cpe:/a:hitachi:device_manager
Hitachi, Ltd
Hitachi Replication Manager
cpe:/a:hitachi:replication_manager
Hitachi, Ltd
Hitachi Tiered Storage Manager
cpe:/a:hitachi:tiered_storage_manager
Hitachi, Ltd
Hitachi Tuning Manager
cpe:/a:hitachi:tuning_manager
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-108
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-108/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-07T14:55:16+09:00
[2022/03/07] Web page was published
2022-03-07T15:35:43+09:00
2022-03-07T15:35:43+09:00
2022-03-04T00:00:00+09:00
JVNDB-2022-001383
Directory Permission Vulnerability in Hitachi Ops Center Viewpoint
A directory permission vulnerability was found in Hitachi Ops Center Viewpoint.
Hitachi, Ltd
Hitachi Ops Center Viewpoint
cpe:/a:hitachi:hitachi_ops_center_viewpoint
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-106
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-106/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-03-07T14:46:11+09:00
[2022/03/07] Web page was published
2022-03-07T15:45:58+09:00
2022-03-07T15:45:58+09:00
2022-03-04T00:00:00+09:00
JVNDB-2022-001384
Multiple vulnerabilities in OMRON CX-Programmer
CX-Programmer provided by OMRON Corporation contains multiple vulnerabilities listed below. * Out-of-bounds Write (CWE-787) - CVE-2022-21124 * Use After Free (CWE-416) - CVE-2022-25230 * Use After Free (CWE-416) - CVE-2022-25325 * Out-of-bounds Read (CWE-125) - CVE-2022-21219 * Out-of-bounds Write (CWE-787) - CVE-2022-25234 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
OMRON Corporation
CX-One
cpe:/a:omron:cx-one
v9.76.1 and earlier which is a part of CX-One (v4.60) suite
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
By having a user open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
[Update the Software] The update for the CX-One suite is applied by its Auto Update function, so users do not need to take any action. The developer recommends that users contact the developer and/or their sales representatives if there are any issues with Auto Update. The version that contains the fix for these vulnerabilities is as follows. * CX-Programmer Ver.9.77 For more information, refer to the information provided by the developer.
JVN
Information from OMRON Corporation
https://jvn.jp/en//vu/JVNVU90121984/995504/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21124
https://www.cve.org/CVERecord?id=CVE-2022-21124
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25230
https://www.cve.org/CVERecord?id=CVE-2022-25230
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25325
https://www.cve.org/CVERecord?id=CVE-2022-25325
Common Vulnerabilities and Exposures (CVE)
CVE-2022-21219
https://www.cve.org/CVERecord?id=CVE-2022-21219
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25234
https://www.cve.org/CVERecord?id=CVE-2022-25234
JVN
JVNVU#90121984
https://jvn.jp/en//vu/JVNVU90121984/
JVNDB
CWE-125
Out-of-bounds Read
https://cwe.mitre.org/data/definitions/125.html
JVNDB
CWE-787
Out-of-bounds Write
https://cwe.mitre.org/data/definitions/787.html
JVNDB
CWE-416
Use After Free
https://cwe.mitre.org/data/definitions/416.html
1
2022-03-08T15:56:58+09:00
[2022/03/08] Web page was published
2022-03-08T15:56:58+09:00
2022-03-08T15:56:58+09:00
2022-03-04T00:00:00+09:00
JVNDB-2022-001387
Installer of WPS Office for Windows misconfigures the ACL for the installation directory
The installer of WPS Office for Windows misconfigures the ACL for the installation directory. When WPS Office for Windows is installed, a service program is registered to the OS, and it is invoked with administrative privileges. The installer fails to configure the ACL properly for the directory where the service program is installed (CWE-276). Mohammed Hadi reported this vulnerability to the vendor and JPCERT/CC. JPCERT/CC coordinated with the developer.
Kingsoft Office Software, Inc.
WPS Office
cpe:/a:kingsoft:kingsoft_wps_office
for Windows, versions prior to v11.2.0.10258
Medium
4.3
AV:L/AC:L/Au:S/C:P/I:P/A:P
High
7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A non-administrative user may touch/modify/remove any files in the directory where the service program is installed, resulting in privilege escalation.
[Update the Software] Update WPS Office for Windows to the latest version. According to the developer, the vulnerability is fixed on v11.2.0.10258.
Kingsoft Office Software, Inc.
WPS Office for Windows
https://www.wps.com/office/windows/
Kingsoft Office Software, Inc.
Update Features of WPS Office on 08/06/2021
https://www.wps.com/whatsnew/pc/20210806/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-25943
https://www.cve.org/CVERecord?id=CVE-2022-25943
JVN
JVNVU#90673830
https://jvn.jp/en/vu/JVNVU90673830/index.html
Related document
GitHub / HadiMed / KINGSOFT-WPS-Office-LPE
https://github.com/HadiMed/KINGSOFT-WPS-Office-LPE
JVNDB
CWE-276
Incorrect Default Permissions
https://cwe.mitre.org/data/definitions/276.html
1
2022-03-10T16:09:06+09:00
[2022/03/09] Web page was published
2
2022-03-10T16:08:45+09:00
[2022/03/10] References : Content was added
2022-03-09T12:30:18+09:00
2022-03-10T17:26:42+09:00
2022-03-08T00:00:00+09:00
JVNDB-2022-001404
Installer of Trend Micro Password Manager may insecurely load Dynamic Link Libraries
Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
Trend Micro, Inc.
Password Manager
cpe:/a:trendmicro:password_manager
version 5.0.0.1262 and earlier
A local attacker may obtain the administrative privilege when the product's installer is running. For more information, refer to the information provided by the developer.
[Use the latest installer] Use the latest installer provided by the developer. Users who have already installed the software do not need to reinstall it, because this issue affects the installers only.
Trend Micro
Security Bulletin: Trend Micro Password Manager Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
https://helpcenter.trendmicro.com/en-us/article/tmka-10954
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26337
https://www.cve.org/CVERecord?id=CVE-2022-26337
JVN
JVNVU#96777901
https://jvn.jp/en/vu/JVNVU96777901/index.html
JVN
JVNTA#91240916
https://jvn.jp/en/ta/JVNTA91240916/
2
2022-03-11T15:43:04+09:00
[2022/03/11] Web page was published
2022-03-11T15:55:16+09:00
2022-03-11T15:55:16+09:00
2022-03-10T00:00:00+09:00
JVNDB-2022-001477
Netcommunity OG410X and OG810X VoIP gateway/Hikari VoIP adapter for business offices vulnerable to OS command injection
Netcommunity OG410X and OG810X series provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contain an OS command injection vulnerability (CWE-78, CVE-2022-22986). Chuya Hayakawa of 00One, Inc. reported this vulnerability to NTT East and NTT West and coordinated with them. NTT East, NTT West and JPCERT/CC published their respective advisories in order to notify users of this vulnerability.
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
Netcommunity OG410Xa firmware
cpe:/o:ntt_east:netcommunity_0g410xa_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
Netcommunity OG410Xi firmware
cpe:/o:ntt_east:netcommunity_0g410xi_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
Netcommunity OG810Xa firmware
cpe:/o:ntt_east:netcommunity_0g810xa_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION
Netcommunity OG810Xi firmware
cpe:/o:ntt_east:netcommunity_0g810xi_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Netcommunity OG410Xa firmware
cpe:/o:ntt_west:netcommunity_0g410xa_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Netcommunity OG410Xi firmware
cpe:/o:ntt_west:netcommunity_0g410xi_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Netcommunity OG810Xa firmware
cpe:/o:ntt_west:netcommunity_0g810xa_firmware
Ver.2.28 and earlier
NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
Netcommunity OG810Xi firmware
cpe:/o:ntt_west:netcommunity_0g810xi_firmware
Ver.2.28 and earlier
High
8
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed by an attacker via specially crafted config files.
[Update the firmware] Apply the appropriate firmware update according to the information provided by the developer.
Nippon Telegraph and Telephone East Corporation
For the users of Netcommunity OG410X810X series
https://business.ntt-east.co.jp/topics/2022/03_22.html
Nippon Telegraph and Telephone West Corporation
For the users of "Netcommunity OG410X810X series"
https://www.ntt-west.co.jp/smb/kiki_info/info/220322.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-22986
https://www.cve.org/CVERecord?id=CVE-2022-22986
JVN
JVNVU#94900322
http://jvn.jp/en/vu/JVNVU94900322/index.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
2
2022-03-23T11:54:17+09:00
[2022/03/23] Web page was published
2022-03-23T12:08:34+09:00
2022-03-23T12:08:34+09:00
2022-03-22T00:00:00+09:00
JVNDB-2022-001494
Trend Micro Apex Central and Trend Micro Apex Central as a Service vulnerable to improper check for file contents
Trend Micro Apex Central and Trend Micro Apex Central as a Service provided by Trend Micro Incorporated are vulnerable to improper check for file contents (CWE-345, CVE-2022-26871). Trend Micro Incorporated states that attacks have been observed. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Trend Micro, Inc.
Apex Central
cpe:/a:trendmicro:apex_central
2019 prior to Build 6016
Trend Micro, Inc.
Apex Central as a Service
cpe:/a:trendmicro:apex_central_as_a_service
prior to Build 202203
High
8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
A remote attacker may upload an arbitrary file in the product. As a result, arbitrary code may be executed.
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released a patch listed below that contains a fix for this vulnerability. * Trend Micro Apex Central 2019 Patch3 (Build 6016) The issue in Trend Micro Apex Central as a Service is fixed in the March 2022 updates.
Trend Micro
IMPORTANT SECURITY BULLETIN: Trend Micro Apex Central Arbitrary File Upload Remote Code Execution (RCE) Vulnerability
https://success.trendmicro.com/dcx/s/solution/000290678?language=en_US
Trend Micro
[Alert] Apply a Critical Patch; An attack exploiting the vulnerability (CVE-2022-26871) in Trend Micro Apex Central has been observed
https://appweb.trendmicro.com/supportNews/NewsDetail.aspx?id=4435
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26871
https://www.cve.org/CVERecord?id=CVE-2022-26871
JPCERT REPORT
JPCERT-AT-2022-0008
https://www.jpcert.or.jp/english/at/2022/at220008.html
JVN
JVNVU#99107357
http://jvn.jp/en/vu/JVNVU99107357/index.html
JVNDB
CWE-345
Insufficient Verification of Data Authenticity
https://cwe.mitre.org/data/definitions/345.html
2
2022-03-31T16:01:02+09:00
[2022/03/31]\n Web page was published
2022-03-31T17:25:35+09:00
2022-03-31T17:25:35+09:00
2022-03-30T00:00:00+09:00
JVNDB-2022-001526
Trend Micro Antivirus for Mac vulnerable to privilege escalation
Trend Micro Incorporated has released a security update for Trend Micro Antivirus for Mac. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
Trend Micro, Inc.
Trend Micro Antivirus
cpe:/a:trendmicro:trend_micro_antivirus
for Mac Versions 11.5 and earlier
A user who can log in to the system where the affected product is installed may obtain the administrative privilege. As a result, arbitrary code may be executed on the system. For more information, refer to the information provided by the developer.
[Update the software] Update the software to the latest version according to the information provided by the developer.
Trend Micro Incorporated
Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (ZDI-CAN-14816)
https://helpcenter.trendmicro.com/en-us/article/tmka-10978
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27883
https://www.cve.org/CVERecord?id=CVE-2022-27883
JVN
JVNVU#97833256
https://jvn.jp/en/vu/JVNVU97833256/index.html
1
2022-04-07T16:58:02+09:00
[2022/04/07]\n Web page was published
2022-04-07T16:58:30+09:00
2022-04-07T16:58:30+09:00
2022-04-06T00:00:00+09:00
JVNDB-2022-001795
Command injection vulnerability in QNAP VioStar series NVR
VioStar series NVR provided by QNAP Systems, Inc. contains a command injection vulnerability (CVE-2022-27588, CWE-77). Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
QNAP Systems
NVR VioStar series
cpe:/a:qnap:nvr_viostar
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An arbitrary command may be executed by a remote attacker.
[Update the firmware] Apply the appropriate firmware update according to the information provided by the developer. The developer has released the fixed version listed below. * QVR 5.1.6 build 20220401
QNAP Systems, Inc.
QSA-22-07: Vulnerability in QVR
https://www.qnap.com/en/security-advisory/qsa-22-07
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27588
https://www.cve.org/CVERecord?id=CVE-2022-27588
JVN
JVNVU#95992089
http://jvn.jp/en/vu/JVNVU95992089/index.html
JVNDB
CWE-77
Command Injection
https://cwe.mitre.org/data/definitions/77.html
1
2022-05-12T18:07:56+09:00
[2022/05/12]\n Web page was published
2022-05-12T18:07:56+09:00
2022-05-12T18:07:56+09:00
2022-05-11T00:00:00+09:00
JVNDB-2022-001800
Installer of Trend Micro HouseCall for Home Networks may insecurely load Dynamic Link Libraries
Trend Micro Incorporated has released a security update for HouseCall for Home Networks. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.
Trend Micro, Inc.
HouseCall for Home Networks
cpe:/a:trendmicro:housecall_for_home_networks
(for Windows) Versions 5.3.1302 and earlier
Installer of Trend Micro HouseCall for Home Networks contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the administrative privilege of the system. For more information, refer to the information provided by the developer.
[Use the latest installer] Use the latest installer provided by the developer. Users who have already installed the software do not need to reinstall it, because this issue affects the installers only.
Trend Micro
Security Bulletin: Trend Micro HouseCall for Home Networks Uncontrolled Search Path Element Privilege Escalation Vulnerability
https://helpcenter.trendmicro.com/en-us/article/tmka-21734
Common Vulnerabilities and Exposures (CVE)
CVE-2022-28339
https://www.cve.org/CVERecord?id=CVE-2022-28339
JVN
JVNVU#93434935
http://jvn.jp/en/vu/JVNVU93434935/index.html
JVN
JVNTA#91240916
https://jvn.jp//en/ta/JVNTA91240916/
2
2022-05-13T16:05:02+09:00
[2022/05/13]\n Web page was published
2022-05-13T16:24:39+09:00
2022-05-13T16:24:39+09:00
2022-05-12T00:00:00+09:00
JVNDB-2022-001809
Trend Micro Password Manager vulnerable to privilege escalation
Trend Micro Incorporated has released a security update for Trend Micro Password Manager. Trend Micro Incorporated reported the vulnerability to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Password Manager
cpe:/a:trendmicro:password_manager
for Windows 5.0.0.1266 and earlier
A non-administrative user of the system where the affected product is installed may obtain the administrative privilege. As a result, arbitrary code may be executed on the system. For more information, refer to the information provided by the developer.
[Update the Software] Update the Software to the latest version according to the information provided by the developer. The update that addresses this vulnerability is available and is automatically applied through the product's automatic update mechanism.
Trend Micro
Security Bulletin: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability
https://helpcenter.trendmicro.com/en-us/article/tmka-09071
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30523
https://www.cve.org/CVERecord?id=CVE-2022-30523
JVN
JVNVU#92641706
http://jvn.jp/en/vu/JVNVU92641706/index.html
1
2022-05-24T15:27:33+09:00
[2022/05/24]\n Web page was published
2022-05-24T15:27:33+09:00
2022-05-24T15:27:33+09:00
2022-05-23T00:00:00+09:00
JVNDB-2022-001923
Multiple vulnerabilities in CONTEC SolarView Compact
SolarView Compact provided by CONTEC CO., LTD. is a PV measurement system. SolarView Compact contains multiple vulnerabilities listed below. * OS command injection (CWE-78) - CVE-2022-29303 Improper validation of input values on the send test mail console of the product's web server may result in OS command injection. * Directory traversal (CWE-23) - CVE-2022-29298 Improper validation of a URL on the download page of the product's web server may allow a remote attacker to view and obtain an arbitrary file. * Information disclosure (CWE-200) - CVE-2022-29302 A hidden page that allows editing of the product's web server contents exists in the product's web server, and a remote attacker may read and/or alter an arbitrary file on the web server via the hidden page. * OS command injection (CWE-78) - CVE-2022-40881 Improper validation of input values on the Check Network Communication page of the product's web server may result in arbitrary OS command execution. * OS command injection (CWE-78) - CVE-2023-23333 Improper validation of input values on the download page of the product's web server may result in arbitrary OS command execution.
Contec
SolarView Compact SV-CPT-MC310
cpe:/o:contec:sv-cpt-mc310_firmware
versions prior to Ver.6.50 (CVE-2022-29298, CVE-2022-29302)
versions prior to Ver.7.21 (CVE-2022-29303, CVE-2022-40881, CVE-2023-23333)
Contec
SolarView Compact SV-CPT-MC310F
cpe:/o:contec:sv-cpt-mc310F_firmware
versions prior to Ver.6.50 (CVE-2022-29298, CVE-2022-29302)
versions prior to Ver.7.21 (CVE-2022-29303, CVE-2022-40881, CVE-2023-23333)
Exploiting these vulnerabilities may result in the impacts listed below. * An attacker who can access the product settings may execute an arbitrary OS command - CVE-2022-29303, CVE-2022-40881, CVE-2023-23333 * A remote attacker may obtain an arbitrary file - CVE-2022-29298 * A remote attacker may view and/or alter an arbitrary file on the web server - CVE-2022-29302
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. These vulnerabilities have already been addressed in the following firmware versions. * SV-CPT-MC310 Ver.7.21 and later * SV-CPT-MC310F Ver.7.21 and later [Apply the workaround] Applying the following workarounds may mitigate the impacts of these vulnerabilities. * Disconnect the product from the network if it is used in a standalone environment * Set up a firewall and run the product behind it * Configure the product in a trusted and closed network * Choose "User authentications required in all menus" under "User authentication target settings" in "User account settings" * Change default credentials
Contec Co., Ltd.
SV-CPT-MC310 | firmware
https://www.contec.com/jp/download/donwload-list/?itemid=b28c8b7c-9f40-40b2-843c-b5b04c035b0e#firmware
Contec Co., Ltd.
Command injection vulnerability in SolarView Compact (PDF)
https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_solarview_230210.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29303
https://www.cve.org/CVERecord?id=CVE-2022-29303
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29298
https://www.cve.org/CVERecord?id=CVE-2022-29298
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29302
https://www.cve.org/CVERecord?id=CVE-2022-29302
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40881
https://www.cve.org/CVERecord?id=CVE-2022-40881
Common Vulnerabilities and Exposures (CVE)
CVE-2023-23333
https://www.cve.org/CVERecord?id=CVE-2023-23333
JVN
JVNVU#92327282
https://jvn.jp/en/vu/JVNVU92327282/index.html
National Vulnerability Database (NVD)
CVE-2022-29303
https://nvd.nist.gov/vuln/detail/CVE-2022-29303
National Vulnerability Database (NVD)
CVE-2022-29298
https://nvd.nist.gov/vuln/detail/CVE-2022-29298
National Vulnerability Database (NVD)
CVE-2022-29302
https://nvd.nist.gov/vuln/detail/CVE-2022-29302
National Vulnerability Database (NVD)
CVE-2022-40881
https://nvd.nist.gov/vuln/detail/CVE-2022-40881
JVNDB
CWE-200
Information Exposure
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-23
Relative Path Traversal
https://cwe.mitre.org/data/definitions/23.html
1
2022-05-27T14:08:02+09:00
[2022/05/27]\n Web page was published
2
2022-06-10T14:45:03+09:00
[2022/06/10]\n Title was modified\n Description was modified\n CVSS Severity was modified\n Impact was modified \n Solution was modified \n Affected Products were modified\n References : Contents were added\n CWE : Contents were added
3
2023-02-13T15:55:25+09:00
[2022/12/15]\n Description was modified\n CVSS Severity was modified\n Affected Products were modified \n Vendor Information was modified\n Impact was modified\n Solution was modified\n CVE : CVE-IDs were added\n References : Contents were added \n[2023/02/13]\n Description was modified\n CVSS Severity was modified\n Affected Products were modified \n Vendor Information was modified\n Impact was modified\n References : Content was added
2022-05-27T15:28:34+09:00
2023-02-13T15:57:41+09:00
2022-05-26T00:00:00+09:00
JVNDB-2022-001929
Multiple vulnerabilities in Fuji Electric V-SFT
Multiple vulnerabilities listed below exist in the simulator module contained in the graphic editor "V-SFT" provided by FUJI ELECTRIC CO., LTD. * Out-of-bounds Write (CWE-787) - CVE-2022-30538 * Out-of-bounds Read (CWE-125) - CVE-2022-30546 * Heap-based Buffer Overflow (CWE-122) - CVE-2022-26302 * Use After Free (CWE-416) - CVE-2022-29522 * Access of Uninitialized Pointer (CWE-824) - CVE-2022-29522 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
Fuji Electric Co., Ltd.
V-SFT
cpe:/a:fujielectric:v-sft
versions prior to v6.1.6.0
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploiting these vulnerabilities by opening a specially crafted image file may result in the following impacts. * Information disclosure * Arbitrary code execution
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer released v6.1.6.0 which contains fixes for these vulnerabilities. Refer to "Improvement information 2240H36" provided by the developer for more information.
Fuji Electric
Improvement information 2240H36
https://monitouch.fujielectric.com/site/download-e/09vsft6_inf/Search.php
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30538
https://www.cve.org/CVERecord?id=CVE-2022-30538
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30546
https://www.cve.org/CVERecord?id=CVE-2022-30546
Common Vulnerabilities and Exposures (CVE)
CVE-2022-26302
https://www.cve.org/CVERecord?id=CVE-2022-26302
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29522
https://www.cve.org/CVERecord?id=CVE-2022-29522
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29925
https://www.cve.org/CVERecord?id=CVE-2022-29925
JVN
JVNVU#99188133
http://jvn.jp/en/vu/JVNVU99188133/index.html
JVNDB
CWE-824
Access of Uninitialized Pointer
https://cwe.mitre.org/data/definitions/824.html
JVNDB
CWE-122
Heap-based Buffer Overflow
https://cwe.mitre.org/data/definitions/122.html
JVNDB
CWE-125
Out-of-bounds Read
https://cwe.mitre.org/data/definitions/125.html
JVNDB
CWE-787
Out-of-bounds Write
https://cwe.mitre.org/data/definitions/787.html
JVNDB
CWE-416
Use After Free
https://cwe.mitre.org/data/definitions/416.html
2
2022-05-27T15:26:49+09:00
[2022/05/27]\n Web page was published
2022-05-27T15:39:46+09:00
2022-05-27T15:39:46+09:00
2022-05-26T00:00:00+09:00
JVNDB-2022-001931
Multiple vulnerabilities in Fuji Electric V-SFT, V-Server and V-Server Lite
Multiple vulnerabilities listed below exist in the simulator module contained in the graphic editor "V-SFT" and the remote monitoring software "V-Server" and "V-Server Lite" provided by FUJI ELECTRIC CO., LTD. * Out-of-bounds Read in V-SFT (CWE-125) - CVE-2022-29506 * Out-of-bounds Read in V-Server and V-Server Lite (CWE-125) - CVE-2022-30549 * Out-of-bounds Write in V-Server and V-Server Lite (CWE-787) - CVE-2022-29524 Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
Fuji Electric Co., Ltd.
V-Server
cpe:/a:fujielectric:v-server
Lite v4.0.13.0 and earlier
v4.0.11.0 and earlier
Fuji Electric Co., Ltd.
V-SFT
cpe:/a:fujielectric:v-sft
v6.1.3.0 and earlier
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploiting these vulnerabilities by having a user open a specially crafted image file may result in the following impacts. * Information disclosure * Arbitrary code execution
[Update the software] Update the software to the latest version according to the information provided by the developer. The respective products/versions listed below contain the fixes for these vulnerabilities. * V-SFT v6.1.6.0 (Improvement information 2240H36) * V-Server V4.0.12.0 and V-Server Lite V4.0.13.0a (Improvement information 2250S01)
Fuji Electric
Improvement information 2240H36
https://monitouch.fujielectric.com/site/download-e/09vsft6_inf/Search.php
Fuji Electric
Improvement information 2250S01
https://monitouch.fujielectric.com/site/download-eu/03tellus_inf/index.php
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29506
https://www.cve.org/CVERecord?id=CVE-2022-29506
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30549
https://www.cve.org/CVERecord?id=CVE-2022-30549
Common Vulnerabilities and Exposures (CVE)
CVE-2022-29524
https://www.cve.org/CVERecord?id=CVE-2022-29524
JVN
JVNVU#93134398
http://jvn.jp/en/vu/JVNVU93134398/index.html
JVNDB
CWE-125
Out-of-bounds Read
https://cwe.mitre.org/data/definitions/125.html
JVNDB
CWE-787
Out-of-bounds Write
https://cwe.mitre.org/data/definitions/787.html
2
2022-05-27T15:10:43+09:00
[2022/05/27]\n Web page was published
2022-05-27T15:37:08+09:00
2022-05-27T15:37:08+09:00
2022-05-26T00:00:00+09:00
JVNDB-2022-001948
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
2019
SaaS
* Privilege escalation and arbitrary DLL loading due to an incorrect permission assignment vulnerability * Privilege escalation and arbitrary DLL loading due to an uncontrolled search path element vulnerability
[Update the software] Update the software to the latest version according to the information provided by the developer. The issue in Apex One as a Service is fixed in the March 2022 updates.
Trend Micro
SECURITY BULLETIN: May 2022 Security Bulletin for Trend Micro Apex One
https://success.trendmicro.com/dcx/s/solution/000291008?language=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30700
https://www.cve.org/CVERecord?id=CVE-2022-30700
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30701
https://www.cve.org/CVERecord?id=CVE-2022-30701
JVN
JVNVU#90675050
http://jvn.jp/en/vu/JVNVU90675050/index.html
1
2022-06-03T11:58:55+09:00
[2022/06/03]\n Web page was published
2022-06-03T12:17:13+09:00
2022-06-03T12:17:13+09:00
2022-06-02T00:00:00+09:00
JVNDB-2022-001953
Growi vulnerable to weak password requirements
GROWI provided by WESEEK, Inc. contains a weak password requirements vulnerability (CWE-521, CVE-2022-1236). 418sec first reported this vulnerability to JPCERT/CC, then JPCERT/CC contacted WESEEK, Inc. as a coordinator. After the coordination between 418sec and WESEEK, Inc. was completed, this case was published to notify the users of the solution through JVN.
WESEEK, Inc.
GROWI
cpe:/a:weseek:growi
versions prior to v5.00
Medium
6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N
Medium
6.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
If a user sets a weak password, an attacker may be able to access the user's account and its data via a brute-force attack.
[Update the software] Update the software to GROWI v5.00 (v5 series) or above according to the information provided by the developer. The fixed version requires a user to set a longer password at user registration. * GROWI v5.00 or later
WESEEK, Inc.
WESEEK, Inc. website
https://weseek.co.jp/ja/news/2022/06/14/growi-weak-password-requirements/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-1236
https://www.cve.org/CVERecord?id=CVE-2022-1236
JVN
JVNVU#96438711
http://jvn.jp/en/vu/JVNVU96438711/index.html
National Vulnerability Database (NVD)
CVE-2022-1236
https://nvd.nist.gov/vuln/detail/CVE-2022-1236
Related document
Weak Password Requirements in weseek/growi
https://huntr.dev/bounties/c7df088f-e355-45e6-9267-e41030dc6a32/?token=7f784544ffb530a9e6bef04557518633e763810d60f107095451c58b34645b81ad18529d3ea12f3b61ba547c99a0d87b2324e52da6efc4b01ec175416c479099bf5de3d16b8f07f0758556c278d058872597936f0e4fea7acb2bd2bc
JVNDB
CWE-521
Weak Password Requirements
https://cwe.mitre.org/data/definitions/521.html
1
2022-06-15T17:47:19+09:00
[2022/06/15]\n Web page was published
2022-06-15T17:47:19+09:00
2022-06-15T17:47:19+09:00
2022-06-14T00:00:00+09:00
JVNDB-2022-002017
U-Boot squashfs filesystem implementation vulnerable to heap-based buffer overflow
U-Boot is a boot loader for multiple platforms, and its squashfs filesystem feature has been provided since v2020.10-rc2 (commit c5100613). The squashfs filesystem implementation of U-Boot contains a heap-based buffer overflow vulnerability (CWE-122) due to a defect in the metadata reading process. Tatsuhiko Yasumatsu of Sony Corporation reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated between the reporter and the developer.
DENX Software Engineering
U-Boot
cpe:/a:denx:u-boot
from v2020.10-rc2 to v2022.07-rc5
Medium
6.6
CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.
[Update the Software] Update the software to the latest version according to the information provided by the developer. The developer has included the fix in U-Boot v2022.07-rc6.
DENX Software Engineering
U-Boot
https://www.denx.de/project/u-boot/
DENX Software Engineering
U-Boot mailing list: [v2] fs/squashfs: Use kcalloc when relevant
https://lists.denx.de/pipermail/u-boot/2022-June/487467.html
DENX Software Engineering
Commit 7f7fb993: fs/squashfs: Use kcalloc when relevant
https://source.denx.de/u-boot/u-boot/-/commit/7f7fb9937c6cb49dd35153bd6708872b390b0a44
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33967
https://www.cve.org/CVERecord?id=CVE-2022-33967
JVN
JVNVU#97846460
https://jvn.jp/en/vu/JVNVU97846460/index.html
JVNDB
CWE-122
Heap-based Buffer Overflow
https://cwe.mitre.org/data/definitions/122.html
1
2022-07-14T15:59:47+09:00
[2022/07/14]\n Web page was published
2
2022-07-25T18:30:35+09:00
[2022/07/25]\n Overview was modified\n Affected Products : Product version was modified\n Solution was modified
2022-07-14T15:59:47+09:00
2022-07-25T18:31:00+09:00
2022-07-12T00:00:00+09:00
JVNDB-2022-002112
CONTEC SolarView Compact vulnerable to insufficient verification in uploading files
SolarView Compact provided by CONTEC CO., LTD. is a PV measurement system. The image file management page of SolarView Compact contains an insufficient verification vulnerability when uploading files (CWE-20). webray reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
Contec
SolarView Compact SV-CPT-MC310
cpe:/o:contec:sv-cpt-mc310_firmware
Ver.7.23 and earlier
Contec
SolarView Compact SV-CPT-MC310F
cpe:/o:contec:sv-cpt-mc310F_firmware
Ver.7.23 and earlier
High
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Arbitrary PHP code may be executed if a remote authenticated attacker uploads a specially crafted PHP file.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. This vulnerability has already been addressed in the following firmware versions. * SolarView Compact * SV-CPT-MC310 Ver.7.24 * SV-CPT-MC310F Ver.7.24 [Apply the workaround] Applying the following workarounds may mitigate the impacts of this vulnerability. * Disconnect the product from the network if it is used in a standalone environment * Set up a firewall and run the product behind it * Configure the product in a trusted and closed network * Choose "User authentications required in all menus" under "User authentication target settings" in "User account settings" * Change default credentials
Contec Co., Ltd.
Regarding a vulnerability in SolarView Compact (SV-CPT-MC310)
https://www.contec.com/jp/api/downloadlogger?download=/jp/-/media/Contec/jp/support/security-info/contec_security_solarview_220727.pdf
Contec Co., Ltd.
SV-CPT-MC310 | firmware
https://www.contec.com/jp/download/donwload-list/?itemid=b28c8b7c-9f40-40b2-843c-b5b04c035b0e#firmware
Common Vulnerabilities and Exposures (CVE)
CVE-2022-35239
https://www.cve.org/CVERecord?id=CVE-2022-35239
JVN
JVNVU#93696585
https://jvn.jp/en/vu/JVNVU93696585/
JVNDB
CWE-20
Improper Input Validation
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-03T17:40:32+09:00
[2022/08/03]\n Web page was published
2
2023-03-31T09:14:19+09:00
[2023/03/31]\n Overview was modified
2022-08-03T17:40:32+09:00
2023-03-31T09:14:53+09:00
2022-07-27T00:00:00+09:00
JVNDB-2022-002143
Information Disclosure Vulnerability in Hitachi Automation Director and Hitachi Ops Center Automator
An information disclosure vulnerability has been found in Hitachi Automation Director and Hitachi Ops Center Automator.
Hitachi, Ltd
Hitachi Automation Director
cpe:/a:hitachi:automation_director
Hitachi, Ltd
Hitachi Ops Center Automator
cpe:/a:hitachi:hitachi_ops_center_automator
less than 10.8.3-00
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-123
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-123/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-01T16:54:59+09:00
[2022/08/01]\n Web page was published
2022-08-01T17:10:29+09:00
2022-08-01T17:10:29+09:00
2022-07-29T00:00:00+09:00
JVNDB-2022-002265
Trend Micro Endpoint security products for enterprises vulnerable to Link Following Local Privilege Escalation
Trend Micro Incorporated has released security updates for Endpoint security products for enterprises. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
as a Service
On Premise (2019)
Trend Micro, Inc.
Worry-Free Business Security
cpe:/a:trendmicro:business_security
10.0 SP1
Trend Micro, Inc.
Worry-Free Business Security Services
cpe:/a:trendmicro:business_security_services
A non-administrative user of the system where the affected product is installed may obtain the administrative privilege. For more information, refer to the information provided by the developer.
[Update Spyware pattern] Update the Spyware pattern to the latest version according to the information provided by the developer. Spyware Pattern 25.27 and later, which addresses this vulnerability, is available and is automatically applied through the product's ActiveUpdate feature.
Trend Micro
SECURITY BULLETIN: Trend Micro Apex One and Worry-Free Business Security Security Agent Link Following Local Privilege Escalation Vulnerability
https://success.trendmicro.com/dcx/s/solution/000291267?language=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36336
https://www.cve.org/CVERecord?id=CVE-2022-36336
JVN
JVNVU#96643038
http://jvn.jp/en/vu/JVNVU96643038/index.html
National Vulnerability Database (NVD)
CVE-2022-36336
https://nvd.nist.gov/vuln/detail/CVE-2022-36336
1
2022-08-18T15:02:17+09:00
[2022/08/18]\n Web page was published
2022-08-18T15:45:41+09:00
2022-08-18T15:45:41+09:00
2022-08-17T00:00:00+09:00
JVNDB-2022-002295
Multiple vulnerabilities in Trend Micro Security
Trend Micro Incorporated has released security updates for Trend Micro Security. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Trend Micro Security
cpe:/a:trendmicro:security
2021
2022
High
7.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Trend Micro Security 2022 * Information disclosure due to an Out-Of-Bounds Read vulnerability * Information disclosure and privilege escalation due to an exposed dangerous method vulnerability Trend Micro Security 2021 * Information disclosure and privilege escalation due to an exposed dangerous method vulnerability
[Update the software] Update the software to the latest version according to the information provided by the developer. The update that addresses these vulnerabilities is available and is automatically applied through the product's ActiveUpdate feature.
Trend Micro Incorporated
Security Bulletin: Trend Micro Security Out-Of-Bounds Read Information Disclosure Vulnerability
https://helpcenter.trendmicro.com/en-us/article/tmka-11022
Trend Micro Incorporated
Security Bulletin: Trend Micro Security Exposed Dangerous Method Information Disclosure Vulnerability
https://helpcenter.trendmicro.com/en-us/article/tmka-11021
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30702
https://www.cve.org/CVERecord?id=CVE-2022-30702
Common Vulnerabilities and Exposures (CVE)
CVE-2022-30703
https://www.cve.org/CVERecord?id=CVE-2022-30703
JVN
JVNVU#93109244
https://jvn.jp/en/vu/JVNVU93109244/index.html
National Vulnerability Database (NVD)
CVE-2022-30702
https://nvd.nist.gov/vuln/detail/CVE-2022-30702
National Vulnerability Database (NVD)
CVE-2022-30703
https://nvd.nist.gov/vuln/detail/CVE-2022-30703
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-125
Out-of-bounds Read
https://cwe.mitre.org/data/definitions/125.html
1
2022-08-19T11:42:36+09:00
[2022/08/19]\n Web page was published
2022-08-19T11:42:36+09:00
2022-08-19T11:42:36+09:00
2022-08-17T00:00:00+09:00
JVNDB-2022-002337
UNIMO Technology digital video recorders vulnerable to missing authentication for critical functions
Multiple digital video recorders provided by UNIMO Technology Co., Ltd do not perform authentication for some critical functions (CWE-306) in the device management web interface. The reporter states that attacks exploiting this vulnerability have been observed. Yoshiki Mori, Ushimaru Hayato and Masaki Kubo of National Institute of Information and Communications Technology Cybersecurity Research Institute reported this vulnerability to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC and JPCERT/CC coordinated with the developer for the publication.
UNIMO Technology Co., Ltd
UDR-JA1004 firmware
cpe:/o:misc:unimo_technology_udr-ja1004_firmware
v1.0.20.13 and earlier
UNIMO Technology Co., Ltd
UDR-JA1008 firmware
cpe:/o:misc:unimo_technology_udr-ja1008_firmware
v1.0.20.13 and earlier
UNIMO Technology Co., Ltd
UDR-JA1016 firmware
cpe:/o:misc:unimo_technology_udr-ja1016_firmware
v1.0.20.13 and earlier
v2.0.20.13 and earlier
Critical
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
When a remote attacker sends a crafted request to the web interface, an arbitrary OS command may be executed on the product without authentication.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. This vulnerability has been addressed in the firmware versions v1.0.21.0 and v2.0.21.0.
UNIMO Technology Co., Ltd
Notification Updated firmwares for UDR-JA1004/JA1008/JA1016
http://www.unimo.co.jp/table_notice/index.php?act=1&resid=1643590226-637355
Common Vulnerabilities and Exposures (CVE)
CVE-2022-35733
https://www.cve.org/CVERecord?id=CVE-2022-35733
JVN
JVNVU#90821877
http://jvn.jp/en/vu/JVNVU90821877/index.html
JVNDB
CWE-306
Missing Authentication for Critical Function
https://cwe.mitre.org/data/definitions/306.html
1
2022-08-23T14:10:41+09:00
[2022/08/23]\n Web page was published
2022-08-23T14:31:56+09:00
2022-08-23T14:31:56+09:00
2022-08-22T00:00:00+09:00
JVNDB-2022-002338
PLANEX MZK-DP150N contains hidden administrative functionality
MZK-DP150N provided by PLANEX COMMUNICATIONS INC. contains a hidden administrative screen (CVE-2021-37289, CWE-912). In the initial settings of the product, the login account for the configuration screen is common to all products. Please change the account information from the initial settings before using it. Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
PLANEX COMMUNICATIONS INC.
MZK-DP150N
cpe:/o:planex:mzk-dp150n
v1.43 and earlier
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
A user who can log in to the configuration screen may execute arbitrary OS commands with the administrative privilege.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. The developer has released MZK-DP150N v1.44 which fixes this vulnerability.
PLANEX COMMUNICATIONS INC.
MZK-DP150N
https://www.planex.co.jp/products/mzk-dp150n/
PLANEX COMMUNICATIONS INC.
DOWNLOAD MZK-DP150N
https://www.planex.co.jp/support/download/mzk-dp150n/
Common Vulnerabilities and Exposures (CVE)
CVE-2021-37289
https://www.cve.org/CVERecord?id=CVE-2021-37289
JVN
JVNVU#98291763
http://jvn.jp/en/vu/JVNVU98291763/index.html
JVNDB
CWE-912
Hidden Functionality
https://cwe.mitre.org/data/definitions/912.html
1
2022-08-23T14:42:29+09:00
[2022/08/23]\n Web page was published
2022-08-23T15:02:39+09:00
2022-08-23T15:02:39+09:00
2022-08-22T00:00:00+09:00
JVNDB-2022-002339
Multiple vulnerabilities in PukiWiki
PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities listed below. * Path Traversal (CWE-22) - CVE-2022-34486 * Reflected Cross-site Scripting (CWE-79) - CVE-2022-27637 Harold Kim reported these vulnerabilities to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC and JPCERT/CC coordinated with the developer for the publication.
PukiWiki Developers Team.
PukiWiki
cpe:/a:pukiwiki:pukiwiki
versions 1.4.5 to 1.5.3 - CVE-2022-34486
versions 1.5.1 to 1.5.3 - CVE-2022-27637
High
7.7
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
* An administrator of the product may execute a malicious script - CVE-2022-34486 * An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2022-27637
[Update the Software] Update the Software to the latest version according to the information provided by the developer. According to the developer, these vulnerabilities have been fixed in version 1.5.4.
PukiWiki Errata
PukiWiki/Errata
https://pukiwiki.osdn.jp/?PukiWiki/Errata
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34486
https://www.cve.org/CVERecord?id=CVE-2022-34486
Common Vulnerabilities and Exposures (CVE)
CVE-2022-27637
https://www.cve.org/CVERecord?id=CVE-2022-27637
JVN
JVNVU#96002401
http://jvn.jp/en/vu/JVNVU96002401/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-22
Path Traversal
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-08-24T11:50:49+09:00
[2022/08/24]\n Web page was published
2022-08-24T14:17:24+09:00
2022-08-24T14:17:24+09:00
2022-08-23T00:00:00+09:00
JVNDB-2022-002346
Multiple vulnerabilities in Contec FLEXLAN FX3000 and FX2000 series
FLEXLAN FX3000 and FX2000 series provided by Contec Co., Ltd. contain multiple vulnerabilities listed below. * Hidden Functionality (CWE-912) - CVE-2022-36158 * Use of Hard-coded Credentials (CWE-798) - CVE-2022-36159 Thomas J. Knudsen and Samy Younsi of Necrum Security Labs reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
Contec
FLEXLAN FX2000 firmware
cpe:/o:contec:flexlan_fx2000_firmware
prior to ver.1.39.00
Contec
FLEXLAN FX3000 firmware
cpe:/o:contec:flexlan_fx3000_firmware
prior to ver.1.16.00
High
8
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* An attacker may execute an arbitrary OS command with an administrative privilege of the product - CVE-2022-36158 * An attacker may access the product with an administrative privilege - CVE-2022-36159
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. The developer has released the following versions that contain fixes for these vulnerabilities. * FLEXLAN FX3000 series: Firmware version ver.1.16.00 * FLEXLAN FX2000 series: Firmware version ver.1.39.00
Contec Co., Ltd.
Vulnerability of FLEXLAN FX3000/2000 series and its countermeasures (PDF)
https://www.contec.com/-/media/Contec/support/security-info/contec_security_flexlan_en_220901.pdf
Contec Co., Ltd.
Firmware Update (Vulnerability Countermeasure) : Wireless LAN FLEXLAN™ FX3000/2000 Series
https://www.contec.com/software-update/2022/22082900/
Contec Co., Ltd.
Security Information
https://www.contec.com/support/security-info/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36158
https://www.cve.org/CVERecord?id=CVE-2022-36158
Common Vulnerabilities and Exposures (CVE)
CVE-2022-36159
https://www.cve.org/CVERecord?id=CVE-2022-36159
JVN
JVNVU#98305100
http://jvn.jp/en/vu/JVNVU98305100/index.html
JVNDB
CWE-912
Hidden Functionality
https://cwe.mitre.org/data/definitions/912.html
JVNDB
CWE-798
Use of Hard-coded Credentials
https://cwe.mitre.org/data/definitions/798.html
1
2022-09-02T18:08:23+09:00
[2022/09/02]\n Web page was published
2022-09-02T18:08:23+09:00
2022-09-02T18:08:23+09:00
2022-09-01T00:00:00+09:00
JVNDB-2022-002364
DoS Vulnerability in uCosminexus TP1/Client/J and Cosminexus Service Coordinator
A DoS vulnerability has been found in uCosminexus TP1/Client/J and Cosminexus Service Coordinator.
Hitachi, Ltd
uCosminexus Service Architect
cpe:/a:hitachi:ucosminexus_service_architect
Hitachi, Ltd
uCosminexus Service Platform
cpe:/a:hitachi:ucosminexus_service_platform
Hitachi, Ltd
uCosminexus Service Platform(64)
cpe:/a:hitachi:ucosminexus_service_platform_64
Hitachi, Ltd
uCosminexus TP1/Client/J
cpe:/a:hitachi:ucosminexus_tp1_client_j
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-130
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-130/index.html
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-09-14T11:34:26+09:00
[2022/09/14]\n Web page was published
2022-09-14T11:34:26+09:00
2022-09-14T11:34:26+09:00
2022-09-13T00:00:00+09:00
JVNDB-2022-002367
OpenAM (OpenAM Consortium Edition) vulnerable to open redirect
OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601). OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.
OpenAM Consortium
OpenAM
cpe:/a:osstech:openam
(OpenAM Consortium Edition) 14.0.0
Medium
4.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
When accessing an affected server through a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
[Apply the Patch] Apply the patch according to the information provided by the developer.
GitHub
Open Redirect Vulnerability #259
https://github.com/openam-jp/openam/issues/259
OpenAM Consortium
OSSTech Corporation website
https://www.osstech.co.jp/support/am2022-1-1/
Common Vulnerabilities and Exposures (CVE)
CVE-2022-31735
https://www.cve.org/CVERecord?id=CVE-2022-31735
JVN
JVNVU#99326969
http://jvn.jp/en/vu/JVNVU99326969/index.html
JVNDB
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
https://cwe.mitre.org/data/definitions/601.html
1
2022-09-16T15:30:22+09:00
[2022/09/16]\n Web page was published
2022-09-16T15:30:22+09:00
2022-09-16T15:30:22+09:00
2022-09-15T00:00:00+09:00
JVNDB-2022-002443
Privilege Escalation Vulnerability in Hitachi Storage Plug-in for VMware vCenter
A privilege escalation vulnerability (CVE-2022-2637) exists in Hitachi Storage Plug-in for VMware vCenter.
Hitachi, Ltd
Hitachi Storage Plug-in
cpe:/a:hitachi:storage_plug-in
Medium
5.4
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-131
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-131/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-2637
https://www.cve.org/CVERecord?id=CVE-2022-2637
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-10-05T17:21:41+09:00
[2022/10/05]\n Web page was published
2022-10-05T17:28:59+09:00
2022-10-05T17:28:59+09:00
2022-10-04T00:00:00+09:00
JVNDB-2022-002444
Multiple vulnerabilities in Buffalo network devices
Multiple network devices provided by Buffalo Inc. contain multiple vulnerabilities listed below. * Hidden Functionality (CWE-912) - CVE-2022-39044 * Use of Hard-coded Credentials (CWE-798) - CVE-2022-34840 * Authentication Bypass (CWE-288) - CVE-2022-40966 Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
BUFFALO INC.
BHR-4GRV firmware
cpe:/o:buffalo_inc:bhr-4grv_firmware
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
DWR-HP-G300NH firmware
cpe:/o:buffalo_inc:dwr-hp-g300nh_firmware
Ver. 1.84 and earlier (CVE-2022-39044)
Ver. 1.84 and earlier (CVE-2022-40966)
BUFFALO INC.
DWR-PG firmware
cpe:/o:buffalo_inc:dwr-pg_firmware
Ver. 1.83 and earlier (CVE-2022-39044)
Ver. 1.83 and earlier (CVE-2022-40966)
BUFFALO INC.
FS-600DHP firmware
cpe:/o:buffalo_inc:fs-600dhp_firmware
Ver. 3.40 and earlier (CVE-2022-39044)
Ver. 3.40 and earlier (CVE-2022-40966)
BUFFALO INC.
FS-G300N firmware
cpe:/o:buffalo_inc:fs-g300n_firmware
Ver. 3.14 and earlier (CVE-2022-39044)
Ver. 3.14 and earlier (CVE-2022-40966)
BUFFALO INC.
FS-HP-G300N firmware
cpe:/o:buffalo_inc:fs-hp-g300n_firmware
Ver. 3.33 and earlier (CVE-2022-39044)
Ver. 3.33 and earlier (CVE-2022-40966)
BUFFALO INC.
FS-R600DHP firmware
cpe:/o:buffalo_inc:fs-r600dhp_firmware
Ver. 3.40 and earlier (CVE-2022-39044)
Ver. 3.40 and earlier (CVE-2022-40966)
BUFFALO INC.
HW-450HP-ZWE firmware
cpe:/o:buffalo_inc:hw-450hp-zwe_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WCR-300 firmware
cpe:/o:buffalo_inc:wcr-300_firmware
Ver. 1.87 and earlier (CVE-2022-39044)
Ver. 1.87 and earlier (CVE-2022-40966)
BUFFALO INC.
WEM-1266 firmware
cpe:/o:buffalo_inc:wem-1266_firmware
Ver. 2.85 and earlier (CVE-2022-40966)
BUFFALO INC.
WEM-1266WP firmware
cpe:/o:buffalo_inc:wem-1266_firmware
Ver. 2.85 and earlier (CVE-2022-40966)
BUFFALO INC.
WER-A54G54 firmware
cpe:/o:buffalo_inc:wer-a54g54_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WER-AG54 firmware
cpe:/o:buffalo_inc:wer-ag54_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WER-AM54G54 firmware
cpe:/o:buffalo_inc:wer-amg54_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WER-AMG54 firmware
cpe:/o:buffalo_inc:wer-am54g55_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-300 firmware
cpe:/o:buffalo_inc:whr-300_firmware
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-300HP firmware
cpe:/o:buffalo_inc:whr-300hp_firmware
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-AM54G54 firmware
cpe:/o:buffalo_inc:whr-am54g54_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-AMG54 firmware
cpe:/o:buffalo_inc:whr-amg54_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-AMPG firmware
cpe:/o:buffalo_inc:whr-ampg_firmware
Ver. 1.52 and earlier (CVE-2022-39044)
Ver. 1.52 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-G firmware
cpe:/o:buffalo_inc:whr-g_firmware
Ver. 1.49 and earlier (CVE-2022-39044)
Ver. 1.49 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-G301N firmware
cpe:/o:buffalo_inc:whr-g300n_firmware
Ver. 1.65 and earlier (CVE-2022-39044)
Ver. 1.65 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-G301N firmware
cpe:/o:buffalo_inc:whr-g301n_firmware
Ver. 1.87 and earlier (CVE-2022-39044)
Ver. 1.87 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-G54S firmware
cpe:/o:buffalo_inc:whr-g54s_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-G54S-NI firmware
cpe:/o:buffalo_inc:whr-g54s-ni_firmware
Ver. 1.24 and earlier (CVE-2022-39044)
Ver. 1.24 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-HP-AMPG firmware
cpe:/o:buffalo_inc:whr-hp-ampg_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-HP-G firmware
cpe:/o:buffalo_inc:whr-hp-g_firmware
Ver. 1.49 and earlier (CVE-2022-39044)
Ver. 1.49 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-HP-G300N firmware
cpe:/o:buffalo_inc:whr-hp-g300n_firmware
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-HP-G54 firmware
cpe:/o:buffalo_inc:whr-hp-g54_firmware
Ver. 1.43 and earlier (CVE-2022-39044)
Ver. 1.43 and earlier (CVE-2022-40966)
BUFFALO INC.
WHR-HP-GN firmware
cpe:/o:buffalo_inc:whr-hp-gn_firmware
Ver. 1.87 and earlier (CVE-2022-39044)
Ver. 1.87 and earlier (CVE-2022-40966)
BUFFALO INC.
WLAE-AG300N firmware
cpe:/o:buffalo_inc:wlae-ag300n_firmware
Ver. 1.86 and earlier (CVE-2022-39044)
Ver. 1.86 and earlier (CVE-2022-40966)
BUFFALO INC.
WLI-H4-D600 firmware
cpe:/o:buffalo_inc:wli-h4-d600_firmware
Ver. 1.88 and earlier (CVE-2022-39044)
Ver. 1.88 and earlier (CVE-2022-40966)
BUFFALO INC.
WLI-TX4-AG300N firmware
cpe:/o:buffalo_inc:wli-tx4-ag300n_firmware
Ver. 1.53 and earlier (CVE-2022-39044)
BUFFALO INC.
WPL-05G300 firmware
cpe:/o:buffalo_inc:wpl-05g300_firmware
Ver. 1.88 and earlier (CVE-2022-39044)
Ver. 1.88 and earlier (CVE-2022-40966)
BUFFALO INC.
WRM-D2133HP firmware
cpe:/o:buffalo_inc:wrm-d2133hp_firmware
Ver. 2.85 and earlier (CVE-2022-40966)
BUFFALO INC.
WRM-D2133HS firmware
cpe:/o:buffalo_inc:wrm-d2133hs_firmware
Ver. 2.96 and earlier (CVE-2022-40966)
BUFFALO INC.
WS024BF firmware
cpe:/o:buffalo_inc:ws024bf_firmware
Ver. 1.60 and earlier (CVE-2022-39044)
Ver. 1.60 and earlier (CVE-2022-40966)
BUFFALO INC.
WS024BF-NW firmware
cpe:/o:buffalo_inc:ws024bf-nw_firmware
Ver. 1.60 and earlier (CVE-2022-39044)
Ver. 1.60 and earlier (CVE-2022-40966)
BUFFALO INC.
WTR-M2133HP firmware
cpe:/o:buffalo_inc:wtr-m2133hp_firmware
Ver. 2.85 and earlier (CVE-2022-40966)
BUFFALO INC.
WTR-M2133HS firmware
cpe:/o:buffalo_inc:wtr-m2133hs_firmware
Ver. 2.96 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-1750DHP firmware
cpe:/o:buffalo_inc:wxr-1750dhp_firmware
Ver. 2.60 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-1750DHP2 firmware
cpe:/o:buffalo_inc:wxr-1750dhp2_firmware
Ver. 2.60 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-1900DHP firmware
cpe:/o:buffalo_inc:wxr-1900dhp_firmware
Ver. 2.50 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-1900DHP2 firmware
cpe:/o:buffalo_inc:wxr-1900dhp2_firmware
Ver. 2.59 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-1900DHP3 firmware
cpe:/o:buffalo_inc:wxr-1900dhp3_firmware
Ver. 2.63 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-5950AX12 firmware
cpe:/o:buffalo_inc:wxr-5950acx2_firmware
Ver. 3.40 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-6000AX12B firmware
cpe:/o:buffalo_inc:wxr-6000ax12b_firmware
Ver. 3.40 and earlier (CVE-2022-40966)
BUFFALO INC.
WXR-6000AX12S firmware
cpe:/o:buffalo_inc:wxr-6000ax12s_firmware
Ver. 3.40 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-1166DHP firmware
cpe:/o:buffalo_inc:wzr-1166dhp_firmware
Ver. 2.18 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-1166DHP2 firmware
cpe:/o:buffalo_inc:wzr-1166dhp2_firmware
Ver. 2.18 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-1750DHP firmware
cpe:/o:buffalo_inc:wzr-1750dhp_firmware
Ver. 2.30 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-1750DHP2 firmware
cpe:/o:buffalo_inc:wzr-1750dhp2_firmware
Ver. 2.31 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-300HP firmware
cpe:/o:buffalo_inc:wzr-300hp_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-450HP firmware
cpe:/o:buffalo_inc:wzr-450hp_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-450HP-CWT firmware
cpe:/o:buffalo_inc:wzr-450hp-cwt_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-450HP-UB firmware
cpe:/o:buffalo_inc:wzr-450hp-ub_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-600DHP firmware
cpe:/o:buffalo_inc:wzr-600dhp_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-600DHP2 firmware
cpe:/o:buffalo_inc:wzr-600dhp2_firmware
Ver. 1.15 and earlier (CVE-2022-34840)
Ver. 1.15 and earlier (CVE-2022-39044)
Ver. 1.15 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-600DHP3 firmware
cpe:/o:buffalo_inc:wzr-600dhp3_firmware
Ver. 2.19 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-900DHP firmware
cpe:/o:buffalo_inc:wzr-900dhp_firmware
Ver. 1.15 and earlier (CVE-2022-34840)
Ver. 1.15 and earlier (CVE-2022-39044)
Ver. 1.15 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-900DHP2 firmware
cpe:/o:buffalo_inc:wzr-900dhp2_firmware
Ver. 2.19 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-AGL300NH firmware
cpe:/o:buffalo_inc:wzr-agl300nh_firmware
Ver. 1.55 and earlier (CVE-2022-39044)
Ver. 1.55 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-AMPG144NH firmware
cpe:/o:buffalo_inc:wzr-ampg144nh_firmware
Ver. 1.49 and earlier (CVE-2022-39044)
Ver. 1.49 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-AMPG300NH firmware
cpe:/o:buffalo_inc:wzr-ampg300nh_firmware
Ver. 1.51 and earlier (CVE-2022-39044)
Ver. 1.51 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-D1100H firmware
cpe:/o:buffalo_inc:wzr-d1100h_firmware
Ver. 2.00 and earlier (CVE-2022-34840)
Ver. 2.00 and earlier (CVE-2022-39044)
Ver. 2.00 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-G144N firmware
cpe:/o:buffalo_inc:wzr-g144n_firmware
Ver. 1.48 and earlier (CVE-2022-39044)
Ver. 1.48 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-G144NH firmware
cpe:/o:buffalo_inc:wzr-g144nh_firmware
Ver. 1.48 and earlier (CVE-2022-39044)
Ver. 1.48 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-HP-AG300H firmware
cpe:/o:buffalo_inc:wzr-hp-ag300h_firmware
Ver. 1.76 and earlier (CVE-2022-39044)
Ver. 1.76 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-HP-G300NH firmware
cpe:/o:buffalo_inc:wzr-hp-g300nh_firmware
Ver. 1.84 and earlier (CVE-2022-39044)
Ver. 1.84 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-HP-G301NH firmware
cpe:/o:buffalo_inc:wzr-hp-g301nh_firmware
Ver. 1.84 and earlier (CVE-2022-39044)
Ver. 1.84 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-HP-G302H firmware
cpe:/o:buffalo_inc:wzr-hp-g302h_firmware
Ver. 1.86 and earlier (CVE-2022-39044)
Ver. 1.86 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-HP-G450H firmware
cpe:/o:buffalo_inc:wzr-hp-g450h_firmware
Ver. 1.90 and earlier (CVE-2022-39044)
Ver. 1.90 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-S1750DHP firmware
cpe:/o:buffalo_inc:wzr-s1750dhp_firmware
Ver. 2.32 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-S600DHP firmware
cpe:/o:buffalo_inc:wzr-s600dhp_firmware
Ver. 2.19 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR-S900DHP firmware
cpe:/o:buffalo_inc:wzr-s900dhp_firmware
Ver. 2.19 and earlier (CVE-2022-40966)
BUFFALO INC.
WZR2-G108 firmware
cpe:/o:buffalo_inc:wzr2-g108_firmware
Ver. 1.33 and earlier (CVE-2022-39044)
BUFFALO INC.
WZR2-G300N firmware
cpe:/o:buffalo_inc:wzr2-g300n_firmware
Ver. 1.55 and earlier (CVE-2022-39044)
Ver. 1.55 and earlier (CVE-2022-40966)
High
8.8
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* A user logging into the affected product may execute arbitrary OS commands - CVE-2022-39044 * A network-adjacent attacker may modify configuration settings of the device - CVE-2022-34840 * A network-adjacent attacker may bypass authentication for the device - CVE-2022-40966
[Update the firmware] Update firmware to the latest version according to the information provided by the developer. [Stop using the products] Some vulnerable products are no longer supported. For more information, refer to the security advisory from the developer and stop using the products.
BUFFALO
Multiple Vulnerabilities in network devices
https://www.buffalo.jp/news/detail/20221003-01.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-39044
https://www.cve.org/CVERecord?id=CVE-2022-39044
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34840
https://www.cve.org/CVERecord?id=CVE-2022-34840
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40966
https://www.cve.org/CVERecord?id=CVE-2022-40966
JVN
JVNVU#92805279
https://jvn.jp/en/vu/JVNVU92805279/index.html
JVNDB
CWE-288
Authentication Bypass Using an Alternate Path or Channel
https://cwe.mitre.org/data/definitions/288.html
JVNDB
CWE-912
Hidden Functionality
https://cwe.mitre.org/data/definitions/912.html
JVNDB
CWE-798
Use of Hard-coded Credentials
https://cwe.mitre.org/data/definitions/798.html
1
2022-10-05T17:03:21+09:00
[2022/10/05]\n Web page was published\n
2
2022-10-13T09:01:29+09:00
[2022/10/13]\n Affected Products : Products were added\n Solution was modified
2022-10-05T17:44:41+09:00
2022-10-13T16:28:34+09:00
2022-10-04T00:00:00+09:00
JVNDB-2022-002448
Multiple vulnerabilities in Trend Micro Deep Security and Cloud One - Workload Security agents for Windows
Trend Micro Incorporated has released a security update for Trend Micro Deep Security and Cloud One - Workload Security agents for Windows. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Cloud One Workload Security
cpe:/a:trendmicro:cloud_one_workload_security
Version 20
Trend Micro, Inc.
Deep Security Agent
cpe:/a:trendmicro:deep_security_agent
Version 20
* Information disclosure due to Out-of-Bounds Read vulnerabilities * Privilege escalation due to a link following vulnerability
[Apply the patch] Apply the appropriate patch according to the information provided by the developer.
Trend Micro Incorporated
SECURITY BULLETIN: September 2022 Security Bulletin for Trend Micro Deep Security 20 and Cloud One - Workload Security Agents
https://success.trendmicro.com/dcx/s/solution/000291590?language=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40707
https://www.cve.org/CVERecord?id=CVE-2022-40707
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40708
https://www.cve.org/CVERecord?id=CVE-2022-40708
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40709
https://www.cve.org/CVERecord?id=CVE-2022-40709
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40710
https://www.cve.org/CVERecord?id=CVE-2022-40710
JVN
JVNVU#99960963
https://jvn.jp/en/vu/JVNVU99960963/index.html
National Vulnerability Database (NVD)
CVE-2022-40710
https://nvd.nist.gov/vuln/detail/CVE-2022-40710
National Vulnerability Database (NVD)
CVE-2022-40707
https://nvd.nist.gov/vuln/detail/CVE-2022-40707
National Vulnerability Database (NVD)
CVE-2022-40708
https://nvd.nist.gov/vuln/detail/CVE-2022-40708
National Vulnerability Database (NVD)
CVE-2022-40709
https://nvd.nist.gov/vuln/detail/CVE-2022-40709
1
2022-10-11T17:02:41+09:00
[2022/10/11]\n Web page was published
2022-10-11T17:02:41+09:00
2022-10-11T17:02:41+09:00
2022-10-07T00:00:00+09:00
JVNDB-2022-002451
Multiple vulnerabilities in SVMPC1 and SVMPC2
SVMPC1 and SVMPC2 provided by Daikin Holdings Singapore Pte Ltd. contain multiple vulnerabilities listed below. * Use of hard-coded password (CWE-259) - CVE-2022-41653 * Improper access control (CWE-284) - CVE-2022-38355
Daikin Holdings Singapore Pte Ltd.
SVMPC1
cpe:/a:misc:daikin_holdings_singapore_svmpc1
Ver2.1.22 and earlier
Daikin Holdings Singapore Pte Ltd.
SVMPC2
cpe:/a:misc:daikin_holdings_singapore_svmpc2
Ver1.2.3 and earlier
Exploiting these vulnerabilities may allow an attacker on the same LAN segment to access the affected product without authorization and conduct arbitrary operations. For more information, refer to the information provided by the developer.
[Update the software] Update the software to the latest version according to the information provided by the developer. The automatic update will be applied when the internet connection settings are enabled. For more information, refer to the information provided by the developer.
Daikin Holdings Singapore Pte Ltd.
Vulnerability in SVM Series
https://www.daikin-solutions.com/resources/ck/files/SVM%20vulnerability.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41653
https://www.cve.org/CVERecord?id=CVE-2022-41653
Common Vulnerabilities and Exposures (CVE)
CVE-2022-38355
https://www.cve.org/CVERecord?id=CVE-2022-38355
ICS-CERT ADVISORY
ICSA-22-284-02
https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-02
JVN
JVNVU#93424017
https://jvn.jp/en/vu/JVNVU93424017/index.html
JVNDB
CWE-284
Improper Access Control
https://cwe.mitre.org/data/definitions/284.html
JVNDB
CWE-259
Use of Hard-coded Password
https://cwe.mitre.org/data/definitions/259.html
1
2022-10-13T17:14:15+09:00
[2022/10/13]\n Web page was published\n
2022-10-13T17:27:01+09:00
2022-10-13T17:27:01+09:00
2022-10-12T00:00:00+09:00
JVNDB-2022-002537
Stack-based buffer overflow vulnerability in Yokogawa Test & Measurement WTViewerE
WTViewerE provided by Yokogawa Test & Measurement Corporation contains a stack-based buffer overflow vulnerability (CWE-121). Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
Yokogawa Test & Measurement Corporation
WTViewerE 761941
cpe:/a:misc:yokogawa_test_wtviewere_761941
from 1.31 to 1.61
Yokogawa Test & Measurement Corporation
WTViewerEfree
cpe:/a:misc:yokogawa_test_wtviewerefree
from 1.01 to 1.52
Medium
5.3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Processing a long file name may cause the product to crash. This analysis assumes that the user is led to input a long filename to the affected product.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer has released the versions below that contain a fix for this vulnerability. * WTViewerE 761941 1.62 * WTViewerEfree 1.53
Yokogawa Test & Measurement Corporation
KSR-PSIRT-Q005: Vulnerability in YOKOGAWA application software WTViewerE
https://cdn.aff.yokogawa.com/8/756/details/Vulnerability_in_YOKOGAWA_application_software_WTViewerE_r0_e.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2022-40984
https://www.cve.org/CVERecord?id=CVE-2022-40984
JVN
JVNVU#99955870
http://jvn.jp/en/vu/JVNVU99955870/index.html
JVNDB
CWE-121
Stack-based Buffer Overflow
https://cwe.mitre.org/data/definitions/121.html
1
2022-10-19T16:26:01+09:00
[2022/10/19]\n Web page was published
2022-10-19T16:23:41+09:00
2022-10-19T16:23:41+09:00
2022-10-18T00:00:00+09:00
JVNDB-2022-002544
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
as a Service
On Premise (2019)
* Privilege escalation due to a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability * Privilege escalation due to an Out-of-Bounds access vulnerability * Privilege escalation due to a forced browsing vulnerability * Privilege escalation due to an improper certification validation vulnerability * Bypass of the product's anti-tampering mechanisms due to an improper registry permissions vulnerability in the Trend Micro Apex One Data Loss Prevention (DLP) module * Privilege escalation due to an origin validation error vulnerability
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released the following patch to fix these vulnerabilities. * Trend Micro Apex One On Premise (2019) Service Pack 1 Critical Patch b11110/11102. The issues in Trend Micro Apex One as a Service are already fixed in the September 2022 updates. [Apply the Workaround] Applying the following workaround may mitigate the impact of these vulnerabilities. * Permit access to the product only from the trusted network
Trend Micro
CRITICAL SECURITY BULLETIN: October 2022 Security Bulletin for Trend Micro Apex One
https://success.trendmicro.com/dcx/s/solution/000291645?language=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41744
https://www.cve.org/CVERecord?id=CVE-2022-41744
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41745
https://www.cve.org/CVERecord?id=CVE-2022-41745
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41746
https://www.cve.org/CVERecord?id=CVE-2022-41746
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41747
https://www.cve.org/CVERecord?id=CVE-2022-41747
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41748
https://www.cve.org/CVERecord?id=CVE-2022-41748
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41749
https://www.cve.org/CVERecord?id=CVE-2022-41749
JVN
JVNVU#97131578
http://jvn.jp/en/vu/JVNVU97131578/index.html
National Vulnerability Database (NVD)
CVE-2022-41745
https://nvd.nist.gov/vuln/detail/CVE-2022-41745
National Vulnerability Database (NVD)
CVE-2022-41746
https://nvd.nist.gov/vuln/detail/CVE-2022-41746
National Vulnerability Database (NVD)
CVE-2022-41747
https://nvd.nist.gov/vuln/detail/CVE-2022-41747
National Vulnerability Database (NVD)
CVE-2022-41748
https://nvd.nist.gov/vuln/detail/CVE-2022-41748
National Vulnerability Database (NVD)
CVE-2022-41749
https://nvd.nist.gov/vuln/detail/CVE-2022-41749
National Vulnerability Database (NVD)
CVE-2022-41744
https://nvd.nist.gov/vuln/detail/CVE-2022-41744
2
2022-10-20T13:57:39+09:00
[2022/10/20]\n Web page was published
2022-10-20T16:18:59+09:00
2022-10-20T16:18:59+09:00
2022-10-19T00:00:00+09:00
JVNDB-2022-002691
Multiple vulnerabilities in OMRON products
Machine automation controller NJ/NX series, Automation software "Sysmac Studio", and programmable terminal (PT) NA series provided by OMRON Corporation contain multiple vulnerabilities in the communication function. The vulnerabilities are as follows. * Use of Hard-coded Credentials (CWE-798) - CVE-2022-34151 * Authentication Bypass by Capture-replay (CWE-294) - CVE-2022-33208 * Active Debug Code (CWE-489) - CVE-2022-33971 OMRON Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
OMRON Corporation
Automation software "Sysmac Studio"
cpe:/a:omron:automation_software_sysmac_studio
OMRON Corporation
Machine automation controller NJ series
cpe:/a:omron:machine_automation_controller_nj_series
OMRON Corporation
Machine automation controller NX series
cpe:/a:omron:machine_automation_controller_nx_series
OMRON Corporation
Programmable terminal (PT) NA series
cpe:/a:omron:programmable_terminal_na_series
Critical
9.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Impacts of each vulnerability are as follows. * A remote attacker who successfully obtained the user credentials by analyzing the affected product may access the controller - CVE-2022-34151 * A remote attacker who can analyze the communication between the affected controller and automation software "Sysmac Studio" and/or a programmable terminal (PT) may access the controller - CVE-2022-33208 * An adjacent attacker who can analyze the communication between the controller and the specific software used by OMRON internally may cause a denial-of-service (DoS) condition or execute a malicious program - CVE-2022-33971
[Update the Software] OMRON states that the updates for the respective products will be released gradually, therefore users are suggested to contact OMRON sales representatives or distributors for the latest information regarding the updates. * Inquiry from the users in Japan (in Japanese): https://www.fa.omron.co.jp/sales/local/ * Inquiry from the users outside Japan: https://www.ia.omron.com/global_network/index.html * "Sysmac Studio" users are suggested to update the software to the latest versions using the installed Omron Automation Software AutoUpdate tool. Furthermore, it is recommended for the users to apply workarounds to mitigate the impacts of these vulnerabilities. For the details of the workarounds, refer to OMRON's advisories.
OMRON
Authentication bypass vulnerabilities in communications functions of NJ/NX-series Machine Automation Controllers
https://www.ia.omron.com/product/vulnerability/OMSR-2022-001_en.pdf
OMRON
Malicious program execution vulnerability in NJ/NX-series Machine Automation Controllers
https://www.ia.omron.com/product/vulnerability/OMSR-2022-002_en.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34151
https://www.cve.org/CVERecord?id=CVE-2022-34151
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33208
https://www.cve.org/CVERecord?id=CVE-2022-33208
Common Vulnerabilities and Exposures (CVE)
CVE-2022-33971
https://www.cve.org/CVERecord?id=CVE-2022-33971
JVN
JVNVU#97050784
https://jvn.jp/en/vu/JVNVU97050784/index.html
National Vulnerability Database (NVD)
CVE-2022-34151
https://nvd.nist.gov/vuln/detail/CVE-2022-34151
National Vulnerability Database (NVD)
CVE-2022-33208
https://nvd.nist.gov/vuln/detail/CVE-2022-33208
National Vulnerability Database (NVD)
CVE-2022-33971
https://nvd.nist.gov/vuln/detail/CVE-2022-33971
US-CERT National Cyber Awareness System Alerts
AA22-103A
https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
JVNDB
CWE-489
Active Debug Code
https://cwe.mitre.org/data/definitions/489.html
JVNDB
CWE-294
Authentication Bypass by Capture-replay
https://cwe.mitre.org/data/definitions/294.html
JVNDB
CWE-798
Use of Hard-coded Credentials
https://cwe.mitre.org/data/definitions/798.html
1
2022-11-10T09:46:39+09:00
[2022/11/10] Web page was published
2022-11-10T09:46:39+09:00
2022-11-10T09:46:39+09:00
2022-07-01T00:00:00+09:00
JVNDB-2022-002761
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
2019
as a Service
* Information disclosure due to Out-of-Bounds read vulnerabilities
* Privilege escalation due to an Out-of-Bounds access vulnerability in the Unauthorized Change Prevention Service
* Privilege escalation due to a memory corruption vulnerability in the Unauthorized Change Prevention Service
* Privilege escalation due to a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the Security Agent
* Privilege escalation due to an improper handling of exceptional conditions vulnerability
* Privilege escalation due to a directory traversal vulnerability in the Security Agent
* Memory corruption due to missing SAFESEH memory protection mechanism in some modules
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released the following patch to fix these vulnerabilities.
* Trend Micro Apex One On Premise (2019) Service Pack 1 Critical Patch b11128
The issues in Trend Micro Apex One as a Service were already fixed in the October 2022 updates.
[Apply the Workaround] Applying the following workaround may mitigate the impact of these vulnerabilities.
* Permit access to the product only from the trusted network
Trend Micro
SECURITY BULLETIN: November 2022 Security Bulletin for Trend Micro Apex One
https://success.trendmicro.com/dcx/s/solution/000291770?language=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44654
https://www.cve.org/CVERecord?id=CVE-2022-44654
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44647
https://www.cve.org/CVERecord?id=CVE-2022-44647
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44648
https://www.cve.org/CVERecord?id=CVE-2022-44648
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44649
https://www.cve.org/CVERecord?id=CVE-2022-44649
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44650
https://www.cve.org/CVERecord?id=CVE-2022-44650
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44651
https://www.cve.org/CVERecord?id=CVE-2022-44651
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44652
https://www.cve.org/CVERecord?id=CVE-2022-44652
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44653
https://www.cve.org/CVERecord?id=CVE-2022-44653
JVN
JVNVU#90082799
https://jvn.jp/en/vu/JVNVU90082799
JVN
JVNVU#91848962
http://jvn.jp/en/vu/JVNVU91848962/index.html
National Vulnerability Database (NVD)
CVE-2022-44652
https://nvd.nist.gov/vuln/detail/CVE-2022-44652
National Vulnerability Database (NVD)
CVE-2022-44653
https://nvd.nist.gov/vuln/detail/CVE-2022-44653
National Vulnerability Database (NVD)
CVE-2022-44654
https://nvd.nist.gov/vuln/detail/CVE-2022-44654
National Vulnerability Database (NVD)
CVE-2022-44647
https://nvd.nist.gov/vuln/detail/CVE-2022-44647
National Vulnerability Database (NVD)
CVE-2022-44648
https://nvd.nist.gov/vuln/detail/CVE-2022-44648
National Vulnerability Database (NVD)
CVE-2022-44649
https://nvd.nist.gov/vuln/detail/CVE-2022-44649
National Vulnerability Database (NVD)
CVE-2022-44650
https://nvd.nist.gov/vuln/detail/CVE-2022-44650
National Vulnerability Database (NVD)
CVE-2022-44651
https://nvd.nist.gov/vuln/detail/CVE-2022-44651
1
2022-11-21T18:25:00+09:00
[2022/11/21] Web page was published
2
2023-02-22T11:25:43+09:00
[2023/02/22] References : Contents were added
2022-11-21T18:25:00+09:00
2023-02-22T11:47:46+09:00
2022-11-18T00:00:00+09:00
JVNDB-2022-002765
Multiple vulnerabilities in OMRON CX-Programmer
CX-Programmer provided by Omron Corporation contains multiple vulnerabilities listed below.
* Use-after-free (CWE-416) - CVE-2022-43508, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
* Out-of-bounds Write (CWE-787) - CVE-2022-43509
* Stack-based Buffer Overflow (CWE-121) - CVE-2022-43667
Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
OMRON Corporation
CX-Programmer
cpe:/a:omron:cx-programmer
Ver.9.77 and earlier - CVE-2022-43508
Ver.9.78 and earlier - CVE-2022-43509, CVE-2022-43667
Ver.9.79 and earlier - CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If a user is made to open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
[Update the Software] The update for the CX-One suite is applied by its Auto Update function, so users do not need to take any action. The developer recommends that users contact the developer and/or the sales representatives if there are any issues with Auto Update. For more information, refer to the information provided by the developer.
JVN
Information from OMRON Corporation
https://jvn.jp/en/vu/JVNVU92877622/995504/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22277
https://www.cve.org/CVERecord?id=CVE-2023-22277
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22314
https://www.cve.org/CVERecord?id=CVE-2023-22314
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43508
https://www.cve.org/CVERecord?id=CVE-2022-43508
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43509
https://www.cve.org/CVERecord?id=CVE-2022-43509
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22317
https://www.cve.org/CVERecord?id=CVE-2023-22317
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43667
https://www.cve.org/CVERecord?id=CVE-2022-43667
IPA SECURITY ALERTS
ICSA-22-356-04
https://www.cisa.gov/uscert/ics/advisories/icsa-22-356-04
JVN
JVNVU#92877622
https://jvn.jp/en/vu/JVNVU92877622/index.html
National Vulnerability Database (NVD)
CVE-2022-43508
https://nvd.nist.gov/vuln/detail/CVE-2022-43508
National Vulnerability Database (NVD)
CVE-2022-43509
https://nvd.nist.gov/vuln/detail/CVE-2022-43509
National Vulnerability Database (NVD)
CVE-2022-43667
https://nvd.nist.gov/vuln/detail/CVE-2022-43667
JVNDB
CWE-787
Out-of-bounds Write
https://cwe.mitre.org/data/definitions/787.html
JVNDB
CWE-121
Stack-based Buffer Overflow
https://cwe.mitre.org/data/definitions/121.html
JVNDB
CWE-416
Use After Free
https://cwe.mitre.org/data/definitions/416.html
1
2022-11-28T15:14:41+09:00
[2022/11/28] Web page was published
2
2023-01-12T16:47:35+09:00
[2023/01/12]
* Overview was modified
* CVSS Severity was modified
* Affected Products : Product versions were added
* Solution was modified
* CVE : CVE-2023-22277, CVE-2023-22314, CVE-2023-22317 were added
* References : Contents were added
2022-11-28T15:40:37+09:00
2023-01-12T16:48:58+09:00
2022-11-25T00:00:00+09:00
JVNDB-2022-002768
Multiple vulnerabilities in UNIMO Technology digital video recorders
Multiple digital video recorders provided by UNIMO Technology Co., Ltd contain multiple vulnerabilities listed below.
* Improper Authentication (CWE-287) - CVE-2022-44620
* OS Command Injection (CWE-78) - CVE-2022-44606
* Hidden Functionality (CWE-912) - CVE-2022-43464
The reporter states that attacks exploiting these vulnerabilities have been observed. Yoshiki Mori, Ushimaru Hayato, Hiromu Kubiura and Masaki Kubo of National Institute of Information and Communications Technology Cybersecurity Research Institute reported these vulnerabilities to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC, and JPCERT/CC coordinated with the developer for the publication.
UNIMO Technology Co., Ltd
UDR-JA1604 firmware
cpe:/o:misc:unimo_technology_udr-ja1604_firmware
versions 71x10.1.107112.43A and earlier
UNIMO Technology Co., Ltd
UDR-JA1608 firmware
cpe:/o:misc:unimo_technology_udr-ja1608_firmware
versions 71x10.1.107112.43A and earlier
UNIMO Technology Co., Ltd
UDR-JA1616 firmware
cpe:/o:misc:unimo_technology_udr-ja1616_firmware
versions 71x10.1.107112.43A and earlier
High
8.8
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An arbitrary OS command may be executed on the product, or the device settings may be altered. This analysis assumes a scenario in which OS commands are executed on the device using the authentication information obtained via CVE-2022-44620.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. This vulnerability has been addressed in the firmware version 71x10.1.107114.43A.
UNIMO Technology Co., Ltd
Notification Updated firmware for UDR-JA1604/UDR-JA1608/UDR-JA1616
http://www.unimo.co.jp/table_notice/index.php?act=1&resid=1666831567-004418
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44620
https://www.cve.org/CVERecord?id=CVE-2022-44620
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44606
https://www.cve.org/CVERecord?id=CVE-2022-44606
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43464
https://www.cve.org/CVERecord?id=CVE-2022-43464
JVN
JVNVU#94514762
https://jvn.jp/en/vu/JVNVU94514762/index.html
JVNDB
CWE-912
Hidden Functionality
https://cwe.mitre.org/data/definitions/912.html
JVNDB
CWE-287
Improper Authentication
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-02T14:46:35+09:00
[2022/12/02] Web page was published
2022-12-02T14:57:52+09:00
2022-12-02T14:57:52+09:00
2022-12-01T00:00:00+09:00
JVNDB-2022-002770
Contec SolarView Compact vulnerable to cross-site scripting
SolarView Compact provided by Contec Co., Ltd. is a PV measurement system. SolarView Compact contains a cross-site scripting vulnerability (CWE-79, CVE-2022-44355) in the Check Network Communication page of the product's web server. As of December 5, 2022, Proof-of-Concept (PoC) code exploiting this vulnerability has already been made public.
Contec
SolarView Compact SV-CPT-MC310
cpe:/o:contec:sv-cpt-mc310_firmware
prior to Ver.8.02
Contec
SolarView Compact SV-CPT-MC310F
cpe:/o:contec:sv-cpt-mc310F_firmware
prior to Ver.8.02
Medium
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
An arbitrary script may be executed on a logged-in user's web browser. The developer states that users accessing the product without logging in may also be affected by this vulnerability if the product's firmware is SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24.
[Update the firmware] Update the firmware to the latest version according to the information provided by the developer. This vulnerability has already been addressed in the following firmware versions.
* SolarView Compact
  * SV-CPT-MC310 Ver.8.02
  * SV-CPT-MC310F Ver.8.02
[Apply the workaround] Applying the following workarounds may mitigate the impacts of this vulnerability.
* Disconnect from the network if the product is used in a standalone environment
* Set up a firewall and run the product behind it
* Configure the product in a trusted and closed network
* When the product's firmware is SV-CPT-MC310 prior to Ver.7.24 or SV-CPT-MC310F prior to Ver.7.24, choose "User authentications required in all menus" under "User authentication target settings" in "User account settings"
* Change default credentials
Contec Co., Ltd.
SV-CPT-MC310
https://www.contec.com/jp/download/donwload-list/?itemid=b28c8b7c-9f40-40b2-843c-b5b04c035b0e#firmware
Contec Co., Ltd.
Regarding a vulnerability in SolarView Compact (SV-CPT-MC310) (PDF)
https://www.contec.com/jp/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_solarview_221205.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44355
https://www.cve.org/CVERecord?id=CVE-2022-44355
JVN
JVNVU#93526386
http://jvn.jp/en/vu/JVNVU93526386/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-06T15:08:45+09:00
[2022/12/06] Web page was published
2022-12-06T15:08:45+09:00
2022-12-06T15:08:45+09:00
2022-12-05T00:00:00+09:00
JVNDB-2022-002771
Information Exposure Vulnerability in JP1/Automatic Operation
An information exposure vulnerability (CVE-2022-34881) exists in JP1/Automatic Operation.
Hitachi, Ltd
JP1/Automatic Operation
cpe:/a:hitachi:jp1_automatic_operation
Low
3.3
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Regarding the impact of the vulnerability, please refer to the vendor advisory.
Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.
Hitachi Software Vulnerability Information
hitachi-sec-2022-140
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-140/index.html
Hitachi Software Vulnerability Information
hitachi-sec-2022-140
https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2022-140/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-34881
https://www.cve.org/CVERecord?id=CVE-2022-34881
JVNDB
CWE-noinfo
No Mapping
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-07T17:30:08+09:00
[2022/12/07] Web page was published
2022-12-07T17:30:08+09:00
2022-12-07T17:30:08+09:00
2022-12-06T00:00:00+09:00
JVNDB-2022-002775
Multiple vulnerabilities in Buffalo network devices
Multiple network devices provided by BUFFALO INC. contain multiple vulnerabilities listed below.
* OS Command Injection (CWE-78) - CVE-2022-43466
* OS Command Injection (CWE-78) - CVE-2022-43443
* Hidden Functionality (CWE-912) - CVE-2022-43486
Chuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
BUFFALO INC.
WCR-1166DS firmware
cpe:/o:buffalo_inc:wcr-1166ds_firmware
Ver. 1.34 and earlier - CVE-2022-43443
Ver. 1.34 and earlier - CVE-2022-43486
BUFFALO INC.
WEX-1800AX4 firmware
cpe:/o:buffalo_inc:wex-1800ax4_firmware
Ver. 1.13 and earlier - CVE-2022-43466
Ver. 1.13 and earlier - CVE-2022-43486
BUFFALO INC.
WEX-1800AX4EA firmware
cpe:/o:buffalo_inc:wex-1800ax4ea_firmware
Ver. 1.13 and earlier - CVE-2022-43466
Ver. 1.13 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-1166DHP firmware
cpe:/o:buffalo_inc:wsr-1166dhp_firmware
Ver. 1.16 and earlier - CVE-2022-43443
BUFFALO INC.
WSR-1166DHP2 firmware
cpe:/o:buffalo_inc:wsr-1166dhp2_firmware
Ver. 1.17 and earlier - CVE-2022-43443
BUFFALO INC.
WSR-2533DHP firmware
cpe:/o:buffalo_inc:wsr-2533dhp_firmware
Ver. 1.08 and earlier - CVE-2022-43443
Ver. 1.08 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-2533DHP2 firmware
cpe:/o:buffalo_inc:wsr-2533dhp2_firmware
Ver. 1.22 and earlier - CVE-2022-43466
Ver. 1.22 and earlier - CVE-2022-43443
Ver. 1.22 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-2533DHP3-BK firmware
cpe:/o:buffalo_inc:wsr-2533dhp3-bk_firmware
Ver. 1.26 and earlier - CVE-2022-43466
Ver. 1.26 and earlier - CVE-2022-43443
Ver. 1.26 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-2533DHPL firmware
cpe:/o:buffalo_inc:wsr-2533dhpl_firmware
Ver. 1.08 and earlier - CVE-2022-43443
Ver. 1.08 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-2533DHPL2-BK firmware
cpe:/o:buffalo_inc:wsr-2533dhpl2-bk_firmware
Ver. 1.03 and earlier - CVE-2022-43466
Ver. 1.03 and earlier - CVE-2022-43443
Ver. 1.03 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-2533DHPLB firmware
cpe:/o:buffalo_inc:wsr-2533dhplb_firmware
Ver. 1.05 - CVE-2022-43443
Ver. 1.05 - CVE-2022-43466
Ver. 1.05 - CVE-2022-43486
BUFFALO INC.
WSR-2533DHPLS firmware
cpe:/o:buffalo_inc:wsr-2533dhpls_firmware
Ver. 1.07 and earlier - CVE-2022-43466
Ver. 1.07 and earlier - CVE-2022-43443
Ver. 1.07 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-3200AX4B firmware
cpe:/o:buffalo_inc:wsr-3200ax4b_firmware
Ver. 1.25 - CVE-2022-43466
Ver. 1.25 - CVE-2022-43443
Ver. 1.25 - CVE-2022-43486
BUFFALO INC.
WSR-3200AX4S firmware
cpe:/o:buffalo_inc:wsr-3200ax4s_firmware
Ver. 1.26 and earlier - CVE-2022-43443
Ver. 1.26 and earlier - CVE-2022-43466
Ver. 1.26 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-A2533DHP2 firmware
cpe:/o:buffalo_inc:wsr-a2533dhp2_firmware
Ver. 1.22 and earlier - CVE-2022-43466
Ver. 1.22 and earlier - CVE-2022-43443
Ver. 1.22 and earlier - CVE-2022-43486
BUFFALO INC.
WSR-A2533DHP3 firmware
cpe:/o:buffalo_inc:wsr-a2533dhp3_firmware
Ver. 1.26 and earlier - CVE-2022-43466
Ver. 1.26 and earlier - CVE-2022-43443
Ver. 1.26 and earlier - CVE-2022-43486
BUFFALO INC.
WXR-11000XE12 firmware
cpe:/o:buffalo_inc:wxr-11000xe12_firmware
Ver. 1.10 and earlier - CVE-2022-43443
BUFFALO INC.
WXR-5700AX7B firmware
cpe:/o:buffalo_inc:wxr-5700ax7b_firmware
Ver. 1.27 and earlier - CVE-2022-43443
Ver. 1.27 and earlier - CVE-2022-43466
Ver. 1.27 and earlier - CVE-2022-43486
BUFFALO INC.
WXR-5700AX7S firmware
cpe:/o:buffalo_inc:wxr-5700ax7s_firmware
Ver. 1.27 and earlier - CVE-2022-43443
Ver. 1.27 and earlier - CVE-2022-43466
Ver. 1.27 and earlier - CVE-2022-43486
Medium
6.8
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* An authenticated user may execute arbitrary OS commands by sending a specially crafted request and accessing a certain URL on the management console of the affected device - CVE-2022-43466
* An unauthenticated attacker may execute arbitrary OS commands by sending a specially crafted request to the affected device - CVE-2022-43443
* An authenticated user may enable the hidden feature and execute arbitrary commands on the affected device - CVE-2022-43486
[Update the firmware] Update firmware to the latest version according to the information provided by the developer.
BUFFALO
BUFFALO INC. website
https://www.buffalo.jp/news/detail/20221205-01.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43466
https://www.cve.org/CVERecord?id=CVE-2022-43466
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43443
https://www.cve.org/CVERecord?id=CVE-2022-43443
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43486
https://www.cve.org/CVERecord?id=CVE-2022-43486
JVN
JVNVU#97099584
http://jvn.jp/en/vu/JVNVU97099584/index.html
JVNDB
CWE-912
Hidden Functionality
https://cwe.mitre.org/data/definitions/912.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
1
2022-12-12T15:04:05+09:00
[2022/12/12] Web page was published
2
2024-02-14T15:33:10+09:00
[2024/02/14] Affected Products : Products were added
2022-12-12T15:28:31+09:00
2024-02-14T15:45:04+09:00
2022-12-09T00:00:00+09:00
JVNDB-2022-002779
Multiple vulnerabilities in Contec CONPROSYS HMI System (CHS)
CONPROSYS HMI System (CHS) provided by Contec Co., Ltd. contains multiple vulnerabilities listed below.
* OS Command Injection (CWE-78) - CVE-2022-44456
* Use of Default Credentials (CWE-1392) - CVE-2023-22331
* Use of Password Hash Instead of Password for Authentication (CWE-836) - CVE-2023-22334
* Cross-site Scripting (CWE-79) - CVE-2023-22373
* Improper Access Control (CWE-284) - CVE-2023-22339
Floris Hendriks and Jeroen Wijenbergh of Radboud University reported these vulnerabilities to Contec Co., Ltd. and coordinated. Contec Co., Ltd. and JPCERT/CC published respective advisories in order to notify users of the solution.
Contec
CONPROSYS HMI System (CHS)
cpe:/a:contec:conprosys_hmi_system
Ver.3.4.4 and earlier - CVE-2022-44456
Ver.3.4.5 and earlier - CVE-2023-22331, CVE-2023-22334, CVE-2023-22373, CVE-2023-22339
Critical
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2022-44456: An arbitrary OS command may be executed on the server where the product is running when an unauthenticated remote attacker sends a specially crafted request.
CVE-2023-22331: User credentials information may be altered by a remote unauthenticated attacker.
CVE-2023-22334: User credentials information may be obtained via a man-in-the-middle attack.
CVE-2023-22373: An arbitrary script may be executed on the web browser of the administrative user who is logging into the product, and sensitive information may be obtained.
CVE-2023-22339: A remote unauthenticated attacker may obtain the server certificate, including the private key, of the product.
[Update the software] Update the software to the latest version according to the information provided by the developer.
Contec Co., Ltd.
Download License Agreement | Installer / Trial Software
https://www.contec.com/download/contract/contract4/?itemid=ea8039aa-3434-4999-9ab6-897aa690210c&downloaditemid=866d7d3c-aae9-438d-87f3-17aa040df90b
Contec Co., Ltd.
Vulnerability correction in Web HMI / SCADA software CONPROSYS HMI System (CHS) (PDF)
https://www.contec.com/api/downloadlogger?download=/-/media/Contec/jp/support/security-info/contec_security_chs_230110_en.pdf
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22339
https://www.cve.org/CVERecord?id=CVE-2023-22339
Common Vulnerabilities and Exposures (CVE)
CVE-2022-44456
https://www.cve.org/CVERecord?id=CVE-2022-44456
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22331
https://www.cve.org/CVERecord?id=CVE-2023-22331
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22334
https://www.cve.org/CVERecord?id=CVE-2023-22334
Common Vulnerabilities and Exposures (CVE)
CVE-2023-22373
https://www.cve.org/CVERecord?id=CVE-2023-22373
ICS-CERT ADVISORY
ICSA-22-347-03
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
JVN
JVNVU#96873821
https://jvn.jp/en/vu/JVNVU96873821/index.html
JVNDB
CWE-79
Cross-site Scripting
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-284
Improper Access Control
https://cwe.mitre.org/data/definitions/284.html
JVNDB
CWE-78
OS Command Injection
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
JVNDB
CWE-1392
Use of Default Credentials
https://cwe.mitre.org/data/definitions/1392.html
JVNDB
CWE-836
Use of Password Hash Instead of Password for Authentication
https://cwe.mitre.org/data/definitions/836.html
2
2022-12-16T10:22:32+09:00
[2022/12/16] Web page was published
3
2023-01-11T15:50:00+09:00
[2023/01/11]
* Title was modified
* Overview was modified
* CVSS Severity was modified
* Affected Products : Product version was modified
* Impact was modified
* Vendor Information : Content was modified
* CVE : CVE-2023-22331, CVE-2023-22334, CVE-2023-22373, CVE-2023-22339 were added
* CWE : CWE-1392, CWE-836, CWE-79, CWE-284 were added
2022-12-16T13:29:43+09:00
2023-01-11T16:55:59+09:00
2022-12-14T00:00:00+09:00
JVNDB-2022-002780
Command injection vulnerability in SHARP Multifunctional Products (MFP)
SHARP Multifunctional Products (MFP) contain a command injection vulnerability (CWE-77, CVE-2022-45796). The OS layer is affected beyond the web application component; because the web application component is treated as separate from the OS layer, 'Scope' is analyzed as 'S:C'. Sharp reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Sharp Corporation
(Multiple Products)
cpe:/a:sharp:multiple_product
Critical
9.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
If this vulnerability is exploited, an arbitrary command may be executed on the affected MFP firmware. The developer states that the following are the prerequisites to exploit this vulnerability.
* A remote attacker has access to the affected MFPs via network
* A remote attacker is authenticated with the administrative privileges of the affected MFPs
For more information, refer to the information provided by the developer: https://global.sharp/products/copier/info/info_security_2022-11.html
[Update the firmware] Apply the appropriate firmware update according to the information provided by the developer. For details such as how to update the firmware and/or where to obtain the firmware update, refer to the Sharp Corporation - Sharp Global Support page: https://global.sharp/support/warranty.html
[Apply workaround] Applying the following workarounds may mitigate the impact of this vulnerability.
* Connect MFPs to the internet only from within a securely protected network, such as behind a firewall or similar network appliance
* Change the factory-shipped default administrative password, and manage it appropriately
For the details of the workarounds, refer to the Sharp Corporation - Sharp Global Support page: https://global.sharp/support/warranty.html
Sharp Corporation
About Command Injection Security Vulnerability in SHARP Multifunctional Products (MFP)
https://global.sharp/products/copier/info/info_security_2022-11.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-45796
https://www.cve.org/CVERecord?id=CVE-2022-45796
JVN
JVNVU#96195138
http://jvn.jp/en/vu/JVNVU96195138/index.html
Related document
SHARP Multifunction Printer - Command Injection
https://zuso.ai/Advisory/ZA-2022-01.html
JVNDB
CWE-77
Command Injection
https://cwe.mitre.org/data/definitions/77.html
1
2022-12-20T10:59:06+09:00
[2022/12/20] Web page was published
2022-12-20T12:12:08+09:00
2022-12-20T12:12:08+09:00
2022-12-15T00:00:00+09:00
JVNDB-2022-002783
Use-after-free vulnerability in Omron CX-Drive
CX-Drive provided by Omron Corporation contains a use-after-free vulnerability (CWE-416). Michael Heinzl reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.
OMRON Corporation
CX-Drive
cpe:/a:omron:cx-drive
V3.00 and earlier
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If a user is made to open a specially crafted file, arbitrary code may be executed.
[Apply Workarounds] Applying the following workarounds may mitigate the impact of this vulnerability. For more information, refer to the information provided by the developer under [Vendor Status] section's [Status (Vulnerable)] page.
JVN
Information from OMRON Corporation
https://jvn.jp/en/vu/JVNVU92689335/995504/index.html
Common Vulnerabilities and Exposures (CVE)
CVE-2022-46282
https://www.cve.org/CVERecord?id=CVE-2022-46282
JVN
JVNVU#92689335
https://jvn.jp/en/vu/JVNVU92689335/
JVNDB
CWE-416
Use After Free
https://cwe.mitre.org/data/definitions/416.html
1
2022-12-20T14:49:04+09:00
[2022/12/20] Web page was published
2022-12-20T15:32:51+09:00
2022-12-20T15:32:51+09:00
2022-12-19T00:00:00+09:00
JVNDB-2022-002836
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Trend Micro, Inc.
Apex One
cpe:/a:trendmicro:apex_one
as a Service
On Premise (2019)
* Privilege escalation and file deletion in Damage Cleanup Engine component
* Privilege escalation due to a link following vulnerability in Damage Cleanup Engine component
[Apply the Patch] Apply the patch according to the information provided by the developer. The developer has released the following patch to fix these vulnerabilities.
* Trend Micro Apex One On Premise (2019) Service Pack 1 Critical Patch b11136
The issues in Trend Micro Apex One as a Service were already fixed in the November 2022 updates (Agent 14.0.11840).
[Apply the Workaround] Applying the following workaround may mitigate the impact of these vulnerabilities.
* Permit access to the product only from the trusted network
Trend Micro
SECURITY BULLETIN: December 1, 2022, Security Bulletin for Trend Micro Apex One
https://success.trendmicro.com/dcx/s/solution/000291830?language=en_US
Common Vulnerabilities and Exposures (CVE)
CVE-2022-45797
https://www.cve.org/CVERecord?id=CVE-2022-45797
Common Vulnerabilities and Exposures (CVE)
CVE-2022-45798
https://www.cve.org/CVERecord?id=CVE-2022-45798
JVN
JVNVU#96679793
https://jvn.jp/en/vu/JVNVU96679793/index.html
JVN
JVNVU#91848962
http://jvn.jp/en/vu/JVNVU91848962/index.html
National Vulnerability Database (NVD)
CVE-2022-45797
https://nvd.nist.gov/vuln/detail/CVE-2022-45797
National Vulnerability Database (NVD)
CVE-2022-45798
https://nvd.nist.gov/vuln/detail/CVE-2022-45798
1
2022-12-26T16:21:27+09:00
[2022/12/26] Web page was published
2
2023-02-22T11:32:41+09:00
[2023/02/22] References : Contents were added
2022-12-26T16:21:27+09:00
2023-02-22T11:47:43+09:00
2022-12-23T00:00:00+09:00
JVNDB-2022-002837
Multiple vulnerabilities in Fuji Electric V-SFT and TELLUS
V-SFT and TELLUS provided by FUJI ELECTRIC CO., LTD. contain multiple vulnerabilities listed below.
* Out-of-bounds Read (CWE-125) - CVE-2022-46360
* Out-of-bounds Write (CWE-787) - CVE-2022-43448
Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
Fuji Electric Co., Ltd.
TELLUS
cpe:/a:fujielectric:tellus
v4.0.12.0 and earlier
Fuji Electric Co., Ltd.
V-SFT
cpe:/a:fujielectric:v-sft
v6.1.7.0 and earlier
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If a user is made to open a specially crafted image file, information disclosure and/or arbitrary code execution may result.
[Update the software] Update the software to the latest version according to the information provided by the developer. The respective products/versions listed below contain the fixes for these vulnerabilities.
* V-SFT v6.1.8.0 (Improvement information 22C0H19)
* TELLUS v4.0.15.0 (Improvement information 22C0H19)
Fuji Electric
Improvement information 22C0H19
https://monitouch.fujielectric.com/site/download-e/09vsft6_inf/index.php
Common Vulnerabilities and Exposures (CVE)
CVE-2022-46360
https://www.cve.org/CVERecord?id=CVE-2022-46360
Common Vulnerabilities and Exposures (CVE)
CVE-2022-43448
https://www.cve.org/CVERecord?id=CVE-2022-43448
JVN
JVNVU#90679513
http://jvn.jp/en/vu/JVNVU90679513/index.html
JVNDB
CWE-125
Out-of-bounds Read
https://cwe.mitre.org/data/definitions/125.html
JVNDB
CWE-787
Out-of-bounds Write
https://cwe.mitre.org/data/definitions/787.html
1
2023-01-04T14:13:54+09:00
[2023/01/04] Web page was published
2023-01-04T14:16:51+09:00
2023-01-04T14:16:51+09:00
2022-12-28T00:00:00+09:00
JVNDB-2022-002838
Multiple vulnerabilities in Fuji Electric V-Server
V-Server provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below.
* Stack-based Buffer Overflow (CWE-121) - CVE-2022-47908
* Out-of-bounds Read (CWE-125) - CVE-2022-41645
* Out-of-bounds Write (CWE-787) - CVE-2022-47317
Michael Heinzl reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
Fuji Electric Co., Ltd.
V-Server
cpe:/a:fujielectric:v-server
v4.0.12.0 and earlier
High
7.8
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
If a user is made to open a specially crafted project file, information disclosure and/or arbitrary code execution may result.
[Update the software] Update the software to the latest version according to the information provided by the developer. The developer released V-Server v4.0.15.0 that contains the fixes for these vulnerabilities (Improvement information 22C0S04).
Fuji Electric
Improvement information 22C0S04
https://monitouch.fujielectric.com/site/download-e/03tellus_inf/index.php
Common Vulnerabilities and Exposures (CVE)
CVE-2022-47908
https://www.cve.org/CVERecord?id=CVE-2022-47908
Common Vulnerabilities and Exposures (CVE)
CVE-2022-41645
https://www.cve.org/CVERecord?id=CVE-2022-41645
Common Vulnerabilities and Exposures (CVE)
CVE-2022-47317
https://www.cve.org/CVERecord?id=CVE-2022-47317
JVN
JVNVU#92811888
http://jvn.jp/en/vu/JVNVU92811888/index.html
JVNDB
CWE-125
Out-of-bounds Read
https://cwe.mitre.org/data/definitions/125.html
JVNDB
CWE-787
Out-of-bounds Write
https://cwe.mitre.org/data/definitions/787.html
JVNDB
CWE-121
Stack-based Buffer Overflow
https://cwe.mitre.org/data/definitions/121.html
1
2023-01-04T14:15:36+09:00
[2023/01/04] Web page was published
2023-01-04T14:21:16+09:00
2023-01-04T14:21:16+09:00
2022-12-28T00:00:00+09:00