JVNDB RSS Feed - 2018 Years Entry
https://jvndb.jvn.jp/en/
JVN iPedia Yearly Entry
2024-03-24T09:10:24+09:00 2024-03-24T09:10:24+09:00

Lhaplus vulnerable to improper verification when expanding ZIP64 archives
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000001.html
Lhaplus is file compression/decompression software. Lhaplus does not treat ZIP64 archives properly when expanding.
Koji Ando of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000001
http://jvn.jp/en/jp/JVN57842148/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2158
https://nvd.nist.gov/vuln/detail/CVE-2017-2158
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:lhaplus:lhaplus
2018-04-04T12:33+09:00 2018-01-11T14:18+09:00 2018-04-04T12:33+09:00

Nootka App for Android vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000002.html
Nootka App for Android provided by SeeLook contains an OS command injection vulnerability (CWE-78).
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000002
http://jvn.jp/en/jp/JVN10103841/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0506
https://nvd.nist.gov/vuln/detail/CVE-2018-0506
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:nootka_project:nootka
2018-04-11T11:46+09:00 2018-01-19T14:19+09:00 2018-04-11T11:46+09:00

GroupSession vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000003.html
GroupSession provided by Japan Total System Co.,Ltd. is an open source groupware. GroupSession contains an open redirect vulnerability (CWE-601).
Norihiko Hirukawa of FiveDrive Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000003
http://jvn.jp/en/jp/JVN26200083/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2166
https://nvd.nist.gov/vuln/detail/CVE-2017-2166
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:groupsession:groupsession
2018-04-11T11:37+09:00 2018-01-19T14:19+09:00 2018-04-11T11:37+09:00

The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000004.html
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000004
http://jvn.jp/en/jp/JVN26255241/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0507
https://nvd.nist.gov/vuln/detail/CVE-2018-0507
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ntt_east:flet%27s_virus_clear_easy_setup_%26_application_tool cpe:/a:ntt_east:flet%27s_virus_clear_v6_easy_setup_%26_application_tool
2018-04-11T11:44+09:00 2018-01-22T14:17+09:00 2018-04-11T11:44+09:00

WordPress plugin "WP Retina 2x" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000005.html
The WordPress plugin "WP Retina 2x" contains a reflected cross-site scripting vulnerability (CWE-79).
Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000005
http://jvn.jp/en/jp/JVN30636823/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0511
https://nvd.nist.gov/vuln/detail/CVE-2018-0511
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:jordy_meow:wp_retina_2x
2018-04-11T11:53+09:00 2018-01-30T12:30+09:00 2018-04-11T11:53+09:00

Multiple vulnerabilities in epg search result viewer(kkcald)
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000006.html
epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2018-0508
* Cross-site request forgery (CWE-352) - CVE-2018-0509
* Buffer overflow (CWE-121) - CVE-2018-0510
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000006
http://jvn.jp/en/jp/JVN91393903/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0509
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0510
https://nvd.nist.gov/vuln/detail/CVE-2018-0508
https://nvd.nist.gov/vuln/detail/CVE-2018-0509
https://nvd.nist.gov/vuln/detail/CVE-2018-0510
https://cwe.mitre.org/data/definitions/121.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:kkcald_project:kkcald
2018-04-11T11:49+09:00 2018-02-01T13:58+09:00 2018-04-11T11:49+09:00

Multiple I-O DATA network devices incorporating "MagicalFinder" vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000007.html
"MagicalFinder" provided by I-O DATA DEVICE, INC. is an IP address setting tool for I-O DATA network devices such as routers, network cameras, storage devices, etc. Multiple I-O DATA network devices that incorporate "MagicalFinder" contain an OS command injection vulnerability (CWE-78).
Taizo Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000007
https://jvn.jp/en/jp/JVN36048131/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0512
https://nvd.nist.gov/vuln/detail/CVE-2018-0512
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:i-o_data_device:bx-vp1 cpe:/h:i-o_data_device:gv-ntx1 cpe:/h:i-o_data_device:gv-ntx2 cpe:/h:i-o_data_device:hdl-a cpe:/h:i-o_data_device:hdl-ah cpe:/h:i-o_data_device:hdl-gt cpe:/h:i-o_data_device:hdl-gtr cpe:/h:i-o_data_device:hdl-t cpe:/h:i-o_data_device:hdl-xr cpe:/h:i-o_data_device:hdl-xr2u cpe:/h:i-o_data_device:hdl-xr2uw cpe:/h:i-o_data_device:hdl-xrw cpe:/h:i-o_data_device:hdl-xv cpe:/h:i-o_data_device:hdl-xvw cpe:/h:i-o_data_device:hdl2-a cpe:/h:i-o_data_device:hdl2-ah cpe:/h:i-o_data_device:hfas1 cpe:/h:i-o_data_device:hls-c cpe:/h:i-o_data_device:hvl-a cpe:/h:i-o_data_device:hvl-at cpe:/h:i-o_data_device:hvl-ata cpe:/h:i-o_data_device:hvl-s cpe:/h:i-o_data_device:whg-ac1750%2fal cpe:/h:i-o_data_device:whg-ac1750a cpe:/h:i-o_data_device:whg-napga cpe:/h:i-o_data_device:whg-napgal cpe:/h:i-o_data_device:wn-ac1167dgr cpe:/h:i-o_data_device:wn-ac1300ex cpe:/h:i-o_data_device:wn-ac1600dgr cpe:/h:i-o_data_device:wn-ac583rk cpe:/h:i-o_data_device:wn-ac583trk cpe:/h:i-o_data_device:wn-ag300dgr cpe:/h:i-o_data_device:wn-ag750dgr cpe:/h:i-o_data_device:wn-ax1167gr cpe:/h:i-o_data_device:wn-g300ex cpe:/h:i-o_data_device:wn-g300r cpe:/h:i-o_data_device:wn-g300r3 cpe:/h:i-o_data_device:wn-g300sr cpe:/h:i-o_data_device:wn-gx300gr cpe:/h:i-o_data_device:wnpr1167f cpe:/h:i-o_data_device:wnpr1167g cpe:/h:i-o_data_device:wnpr1750g cpe:/h:i-o_data_device:wnpr2600g
2018-04-11T11:51+09:00 2018-02-06T14:22+09:00 2018-04-11T11:51+09:00

Spring Security and Spring Framework vulnerable to authentication bypass
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000008.html
Spring Framework and Spring Security provided by Pivotal Software, Inc. contain an authentication bypass vulnerability.
Macchinetta Framework Development Team: NTT COMWARE, NTT DATA Corporation, and NTT reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000008
http://jvn.jp/en/jp/JVN15643848/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199
https://nvd.nist.gov/vuln/detail/CVE-2018-1199
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:greenplum:spring_framework cpe:/a:greenplum:spring_security
2018-06-14T13:48+09:00 2018-02-02T12:28+09:00 2018-06-14T13:48+09:00

The installer of Anshin net security for Windows may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000009.html
Anshin net security for Windows provided by KDDI CORPORATION is an Internet Security suite. The installer of Anshin net security for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000009
http://jvn.jp/en/jp/JVN70615027/index.html
https://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0517
https://nvd.nist.gov/vuln/detail/CVE-2018-0517
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:kddi:anshin_net_security
2018-04-11T12:13+09:00 2018-02-06T15:05+09:00 2018-04-11T12:13+09:00

WordPress plugin "MTS Simple Booking C" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000010.html
The WordPress plugin "MTS Simple Booking C" provided by MT Systems Co., Ltd. contains a stored cross-site scripting vulnerability (CWE-79).
Daichi Takaki of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000010
http://jvn.jp/en/jp/JVN99312352/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0513
https://nvd.nist.gov/vuln/detail/CVE-2018-0513
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:mtssb.mt-systems:simple_booking
2018-04-11T11:53+09:00 2018-02-02T13:39+09:00 2018-04-11T11:53+09:00

MP Form Mail CGI eCommerce Edition vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000011.html
MP Form Mail CGI eCommerce Edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce Edition contains an OS command injection vulnerability (CWE-78).
Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000011
https://jvn.jp/en/jp/JVN15462187/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0514
https://nvd.nist.gov/vuln/detail/CVE-2018-0514
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:futomis_cgi_cafe:mp_form_mail_cgi_ecommerce
2018-04-11T11:57+09:00 2018-02-08T12:21+09:00 2018-04-11T11:57+09:00

Installer of "FLET'S Azukeru Backup Tool" may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000012.html
"FLET'S Azukeru Backup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is software to automatically back up files in the user's computer to "FLET'S Azukeru" service. Installer of "FLET'S Azukeru Backup Tool" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000012
https://jvn.jp/en/jp/JVN04564808/index.html
https://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0515
https://nvd.nist.gov/vuln/detail/CVE-2018-0515
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ntt_east:flet%27s_azukeru_backup_tool
2018-04-11T12:25+09:00 2018-02-13T15:37+09:00 2018-04-11T12:25+09:00

Insecure DLL Loading issue in multiple Trend Micro products
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000013.html
Multiple products provided by Trend Micro Incorporated contain an insecure DLL loading issue (CWE-427).
When the installers of other applications are invoked while the concerned products are installed on the PC, a DLL placed in the same directory as those installers (of the other applications) may be insecurely loaded.
Hidenori Ohta of Mitsubishi Electric Information Systems Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000013
http://jvn.jp/en/jp/JVN28865183/index.html
https://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6218
https://nvd.nist.gov/vuln/detail/CVE-2018-6218
https://www.ipa.go.jp/security/ciadr/vul/20180215-jvn.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:trendmicro:business_security cpe:/a:trendmicro:business_security_services cpe:/a:trendmicro:deep_security cpe:/a:trendmicro:endpoint_sensor cpe:/a:trendmicro:security cpe:/a:trendmicro:virus_baster_corporate_edition
2018-04-11T12:23+09:00 2018-02-15T16:39+09:00 2018-04-11T12:23+09:00

Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000014.html
Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000014
https://jvn.jp/en/jp/JVN87403477/index.html
https://jvn.jp/en/ta/JVNTA91240916/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0516
https://nvd.nist.gov/vuln/detail/CVE-2018-0516
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ntt_west:flet%27s_address_sentaku_tool
2018-04-11T12:28+09:00 2018-02-13T15:43+09:00 2018-04-11T12:28+09:00

Multiple vulnerabilities in FS010W
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000015.html
FS010W provided by FUJI SOFT INCORPORATED is a WiFi router. FS010W contains multiple vulnerabilities listed below.
* Stored cross-site scripting (CWE-79) - CVE-2018-0519
* Cross-site request forgery (CWE-352) - CVE-2018-0520
Manabu Kobayashi reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000015
http://jvn.jp/en/jp/JVN83834277/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0519
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0520
https://nvd.nist.gov/vuln/detail/CVE-2018-0519
https://nvd.nist.gov/vuln/detail/CVE-2018-0520
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:fsi:fs010w
2018-04-11T12:31+09:00 2018-02-22T15:29+09:00 2018-04-11T12:31+09:00

LINE for iOS fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000016.html
LINE for iOS provided by LINE Corporation fails to verify SSL server certificates due to a vulnerability in the third-party SDK incorporated in the application.
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
JVNDB-2018-000016
http://jvn.jp/en/jp/JVN75453852/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0518
https://nvd.nist.gov/vuln/detail/CVE-2018-0518
cpe:/a:linecorp:line
2018-06-14T12:23+09:00 2018-02-22T15:29+09:00 2018-06-14T12:23+09:00

Multiple vulnerabilities in WXR-1900DHP2
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000017.html
WXR-1900DHP2 provided by BUFFALO INC. is a wireless LAN router. WXR-1900DHP2 contains multiple vulnerabilities listed below.
* Missing Authentication for Critical Function (CWE-306) - CVE-2018-0521
* Buffer Overflow (CWE-119) - CVE-2018-0522
* OS Command Injection (CWE-78) - CVE-2018-0523
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000017
http://jvn.jp/en/jp/JVN97144273/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0523
https://nvd.nist.gov/vuln/detail/CVE-2018-0521
https://nvd.nist.gov/vuln/detail/CVE-2018-0522
https://nvd.nist.gov/vuln/detail/CVE-2018-0523
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:buffalo_inc:wxr-1900dhp2
2018-06-14T13:49+09:00 2018-02-26T14:10+09:00 2018-06-14T13:49+09:00

Multiple vulnerabilities in Jubatus
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000019.html
Jubatus provided by Jubatus Community contains multiple vulnerabilities listed below.
* Arbitrary code execution - CVE-2018-0524
* Directory traversal (CWE-22) - CVE-2018-0525
Symantec Japan, Inc. Advisory Services Team reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000019
http://jvn.jp/en/jp/JVN56132776/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0525
https://nvd.nist.gov/vuln/detail/CVE-2018-0524
https://nvd.nist.gov/vuln/detail/CVE-2018-0525
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:jubat:jubatus
2018-06-14T13:57+09:00 2018-03-02T13:45+09:00 2018-06-14T13:57+09:00

Installer of JTrim may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000020.html
Installer of JTrim contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000020
http://jvn.jp/en/jp/JVN71816327/index.html
https://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0543
https://nvd.nist.gov/vuln/detail/CVE-2018-0543
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:woodybells:jtrim
2018-06-14T13:46+09:00 2018-03-05T14:07+09:00 2018-06-14T13:46+09:00

Installer of WinShot may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000021.html
Installer of WinShot contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000021
http://jvn.jp/en/jp/JVN01837169/index.html
https://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0544
https://nvd.nist.gov/vuln/detail/CVE-2018-0544
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:woodybells:winshot
2018-06-14T13:43+09:00 2018-03-05T15:10+09:00 2018-06-14T13:43+09:00

WordPress plugin "WP All Import" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000022.html
The WordPress plugin "WP All Import" provided by Soflyy contains a cross-site scripting vulnerability (CWE-79) in the file upload function.
Note that this vulnerability is different from JVN#60032768.
Mardan Muhidin of Gehirn Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000022
http://jvn.jp/en/jp/JVN33527174/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0546
https://nvd.nist.gov/vuln/detail/CVE-2018-0546
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:soflyy:wp_all_import
2018-06-14T12:26+09:00 2018-03-08T14:10+09:00 2018-06-14T12:26+09:00

WordPress plugin "WP All Import" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000023.html
The WordPress plugin "WP All Import" provided by Soflyy contains a reflected cross-site scripting vulnerability (CWE-79).
Note that this vulnerability is different from JVN#33527174.
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000023
http://jvn.jp/en/jp/JVN60032768/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0547
https://nvd.nist.gov/vuln/detail/CVE-2018-0547
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:soflyy:wp_all_import
2018-06-14T12:27+09:00 2018-03-08T14:10+09:00 2018-06-14T12:27+09:00

Multiple vulnerabilities in CG-WGR1200
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000024.html
CG-WGR1200 provided by Corega Inc is a wireless LAN router. CG-WGR1200 contains multiple vulnerabilities listed below.
* Buffer Overflow (CWE-119) - CVE-2017-10852
* Buffer Overflow (CWE-78) - CVE-2017-10853
* Authentication bypass (CWE-306) - CVE-2017-10854
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000024
http://jvn.jp/en/jp/JVN15201064/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10854
https://nvd.nist.gov/vuln/detail/CVE-2017-10852
https://nvd.nist.gov/vuln/detail/CVE-2017-10853
https://nvd.nist.gov/vuln/detail/CVE-2017-10854
https://cwe.mitre.org/data/definitions/19.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:corega:cg-wgr_1200
2018-06-14T13:54+09:00 2018-03-09T13:56+09:00 2018-06-14T13:54+09:00

The installer of PhishWall Client Firefox and Chrome edition for Windows may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000025.html
PhishWall Client Firefox and Chrome edition for Windows provided by SecureBrain Corporation is anti-phishing and anti-MITB software. The installer of PhishWall Client Firefox and Chrome edition for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eiji James Yoshida of Security Professionals Network Inc. and Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000025
http://jvn.jp/en/jp/JVN39896275/index.html
http://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0552
https://nvd.nist.gov/vuln/detail/CVE-2018-0552
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:securebrain:phishwall_client
2018-06-14T13:43+09:00 2018-03-15T13:38+09:00 2018-06-14T13:43+09:00

iRemoconWiFi App for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000026.html
iRemoconWiFi App for Android provided by Glamo Inc. fails to verify SSL server certificates.
Seigo Yamamoto of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000026
https://jvn.jp/en/jp/JVN43382653/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0553
https://nvd.nist.gov/vuln/detail/CVE-2018-0553
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:glamo:iremocon_wifi
2018-06-14T14:29+09:00 2018-03-27T13:40+09:00 2018-06-14T14:29+09:00

Multiple vulnerabilities in WZR-1750DHP2
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000027.html
WZR-1750DHP2 provided by BUFFALO INC. is a wireless LAN router. WXR-1900DHP2 contains multiple vulnerabilities listed below.
* Missing Authentication for Critical Function (CWE-306) - CVE-2018-0554
* Buffer Overflow (CWE-119) - CVE-2018-0555
* OS Command Injection (CWE-78) - CVE-2018-0556
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000027
https://jvn.jp/en/jp/JVN93397125/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0556
https://nvd.nist.gov/vuln/detail/CVE-2018-0554
https://nvd.nist.gov/vuln/detail/CVE-2018-0555
https://nvd.nist.gov/vuln/detail/CVE-2018-0556
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:buffalo_inc:wzr-1750dhp2_firmware
2018-06-14T14:12+09:00 2018-03-29T13:52+09:00 2018-06-14T14:12+09:00

LXR vulnerable to OS command injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000028.html
LXR provided by LXR Project contains an OS command injection vulnerability (CWE-78).
Touma Hatano reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000028
https://jvn.jp/en/jp/JVN72589538/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0545
https://nvd.nist.gov/vuln/detail/CVE-2018-0545
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:lxr_project:lxr
2018-06-14T14:08+09:00 2018-03-29T14:00+09:00 2018-06-14T14:08+09:00

Safari vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000029.html
Safari provided by Apple Inc. contains a script injection vulnerability (CWE-81) in the processing of displaying an error page when it fails to verify server certificates.
In the error page that Safari displays when it fails to verify server certificates, the domain name of the accessed website is output as is. Therefore, by exploiting this vulnerability, an arbitrary script may be executed on the user's web browser via the error page that is displayed when a user is led to visit a website with a specially crafted domain name.
Yuji Tonai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000029
https://jvn.jp/en/jp/JVN01161596/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4133
https://nvd.nist.gov/vuln/detail/CVE-2018-4133
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:apple:safari
2018-06-14T14:02+09:00 2018-03-30T13:39+09:00 2018-06-14T14:02+09:00

Installer of SoundEngine Free may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000030.html
Installer of SoundEngine Free contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami of Tachibana Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000030
http://jvn.jp/en/jp/JVN85056623/index.html
https://jvn.jp/en/ta/JVNTA91240916/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0562
https://nvd.nist.gov/vuln/detail/CVE-2018-0562
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:coderium:soundengine
2018-06-14T14:16+09:00 2018-04-13T13:52+09:00 2018-06-14T14:16+09:00

Multiple vulnerabilities in Cybozu Garoon
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000031.html
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* SQL injection in the application "Address" (CWE-89) - CVE-2018-0530
* Operation restriction bypass in the "Folder settings" (CWE-264) - CVE-2018-0531
* Operation restriction bypass in the setting of Login authentication (CWE-264) - CVE-2018-0532
* Operation restriction bypass in the setting of Session authentication (CWE-264) - CVE-2018-0533
* Browse restriction bypass in the application "Space" (CWE-264) - CVE-2018-0548
* Stored cross-site scripting in "Rich text" of the application "Message" (CWE-79) - CVE-2018-0549
* Browse restriction bypass in the application "Cabinet" (CWE-264) - CVE-2018-0550
* Stored cross-site scripting in "Rich text" of the application "Space" (CWE-79) - CVE-2018-0551
Cybozu, Inc. reported CVE-2018-0530, CVE-2018-0531, CVE-2018-0532, CVE-2018-0533 and CVE-2018-0548 vulnerabilities to JPCERT/CC to notify users of respective solutions through JVN.
Jun Kokatsu reported CVE-2018-0549 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
ixama reported CVE-2018-0550 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Masato Kinugawa reported CVE-2018-0551 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
JVNDB-2018-000031
http://jvn.jp/en/jp/JVN65268217/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0551
https://nvd.nist.gov/vuln/detail/CVE-2018-0530
https://nvd.nist.gov/vuln/detail/CVE-2018-0531
https://nvd.nist.gov/vuln/detail/CVE-2018-0532
https://nvd.nist.gov/vuln/detail/CVE-2018-0533
https://nvd.nist.gov/vuln/detail/CVE-2018-0548
https://nvd.nist.gov/vuln/detail/CVE-2018-0549
https://nvd.nist.gov/vuln/detail/CVE-2018-0550
https://nvd.nist.gov/vuln/detail/CVE-2018-0551
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:cybozu:garoon
2018-06-14T14:33+09:00 2018-04-09T14:27+09:00 2018-06-14T14:33+09:00

Hatena Bookmark App for iOS contains an address bar spoofing vulnerability
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000032.html
Hatena Bookmark App for iOS provided by Hatena Co., Ltd. contains a vulnerability where the address bar displays a different URL than the URL that is being accessed.
Kenichiro Wakitani reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000032
http://jvn.jp/en/jp/JVN77753476/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0560
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:hatena:hatenaboolmark
2018-04-10T13:39+09:00 2018-04-10T13:39+09:00 2018-04-10T13:39+09:00

The installer of PhishWall Client Internet Explorer edition may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000033.html
PhishWall Client Internet Explorer edition provided by SecureBrain Corporation is anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer edition contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
According to the developer, the affected installer was built using Install Shield with all Hotfixes applied as of November 2017.
The developer has confirmed that Install Shield with the most recent Hotfix applied addresses this issue.
For details on Install Shield Hotfixes, refer to "Best Practices to Avoid Windows Setup Launcher Executable Issues".
Note that this vulnerability is different from JVN#93699304.
Yuto Iso of NTT Security (Japan) KK and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000033http://jvn.jp/en/jp/JVN92220486/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0561https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:securebrain:phishwall_client2018-04-12T14:27+09:002018-04-12T14:27+09:002018-04-12T14:27+09:00Tenable Appliance vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000034.html
Tenable Appliance provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79).
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000034http://jvn.jp/en/jp/JVN71255137/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1142https://nvd.nist.gov/vuln/detail/CVE-2018-1142https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:tenable:appliance2018-06-14T14:20+09:002018-04-12T14:33+09:002018-06-14T14:20+09:00EC-CUBE vulnerable to session fixation
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000035.html
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability (CWE-384).
LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000035https://jvn.jp/en/jp/JVN52695336/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0564https://nvd.nist.gov/vuln/detail/CVE-2018-0564https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ec-cube:ec-cube2018-08-22T17:42+09:002018-04-17T13:39+09:002018-08-22T17:42+09:00Joruri Gw vulnerable to arbitrary file upload
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000036.html
Joruri Gw provided by SiteBridge Inc. is groupware which runs on Ruby on Rails. Joruri Gw contains a vulnerability that may allow an attacker to upload arbitrary files (CWE-434).
Shoji Baba of Kobe Digital Labo, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000036http://jvn.jp/en/jp/JVN95589314/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0568https://nvd.nist.gov/vuln/detail/CVE-2018-0568https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:joruri:SiteBridge_joruri_gw2018-08-30T14:02+09:002018-04-26T15:19+09:002018-08-30T14:02+09:00WordPress plugin "Events Manager" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000037.html
The WordPress plugin "Events Manager" provided by NetWebLogic contains a stored cross-site scripting vulnerability (CWE-79).
Daichi Takaki of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000037https://jvn.jp/en/jp/JVN85531148/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0576https://nvd.nist.gov/vuln/detail/CVE-2018-0576https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html2018-08-30T11:48+09:002018-04-27T14:00+09:002018-08-30T11:48+09:00WordPress plugin "WP Google Map Plugin" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000038.html
The WordPress plugin "WP Google Map Plugin" provided by Flipper Code contains a reflected cross-site scripting vulnerability (CWE-79).
Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000038https://jvn.jp/en/jp/JVN01040170/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0577https://nvd.nist.gov/vuln/detail/CVE-2018-0577https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:flippercode:google_map2018-08-30T12:00+09:002018-04-27T14:15+09:002018-08-30T12:00+09:00WordPress plugin "PixelYourSite" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000039.html
The WordPress plugin "PixelYourSite" provided by Minimal Work SRL contains a reflected cross-site scripting vulnerability (CWE-79).
Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000039https://jvn.jp/en/jp/JVN61081552/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0578https://nvd.nist.gov/vuln/detail/CVE-2018-0578https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:minimal_work_srl_pixelyoursite2018-08-30T11:55+09:002018-04-27T14:24+09:002018-08-30T11:55+09:00WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000040.html
The WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" provided by Webdados contains a reflected cross-site scripting vulnerability (CWE-79).
Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000040https://jvn.jp/en/jp/JVN08386386/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0579https://nvd.nist.gov/vuln/detail/CVE-2018-0579https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:webdados_Open_Graph_for_Facebook_Google_and_Twitter_Card_Tags2018-08-30T13:54+09:002018-04-27T15:01+09:002018-08-30T13:54+09:00The installers of multiple CELSYS,Inc. software may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000041.html
The installers of multiple software products provided by CELSYS,Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
JVNDB-2018-000041https://jvn.jp/en/jp/JVN68345747/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0580https://nvd.nist.gov/vuln/detail/CVE-2018-0580https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:celsys_clip_studio_actioncpe:/a:misc:celsys_clip_studio_modelercpe:/a:misc:celsys_clip_studio_paintcpe:/a:misc:celsys_clip_studio_paint2018-08-30T14:12+09:002018-04-27T15:19+09:002018-08-30T14:12+09:00RT-AC87U vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000042.html
RT-AC87U provided by ASUS Japan Inc. is a wireless LAN router. RT-AC87U contains a cross-site scripting vulnerability (CWE-79).
Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000042https://jvn.jp/en/jp/JVN33901663/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0581https://nvd.nist.gov/vuln/detail/CVE-2018-0581https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/h:misc:asus_japan_rt-ac87u2018-08-30T12:32+09:002018-05-09T15:37+09:002018-08-30T12:32+09:00RT-AC1200HP vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000043.html
RT-AC1200HP provided by ASUS Japan Inc. is a wireless LAN router. RT-AC1200HP contains a cross-site scripting vulnerability (CWE-79).
Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000043https://jvn.jp/en/jp/JVN34562916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0583https://nvd.nist.gov/vuln/detail/CVE-2018-0583https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/h:misc:asus_japan_rt-ac1200hp2018-08-30T12:15+09:002018-05-09T15:37+09:002018-08-30T12:15+09:00RT-AC68U vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000044.html
RT-AC68U provided by ASUS Japan Inc. is a wireless LAN router. RT-AC68U contains a cross-site scripting vulnerability (CWE-79).
Yuto MAEDA of University of Tsukuba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000044http://jvn.jp/en/jp/JVN73742314/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0582https://nvd.nist.gov/vuln/detail/CVE-2018-0582https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html2018-08-30T12:20+09:002018-05-09T15:38+09:002018-08-30T12:20+09:00Multiple vulnerabilities in WordPress plugin "Ultimate Member"
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000045.html
The WordPress plugin "Ultimate Member" provided by Ultimate Member contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2018-0585
* Directory Traversal in the shortcodes function (CWE-22) - CVE-2018-0586
* Arbitrary File Upload (CWE-434) - CVE-2018-0587
* Directory Traversal in the AJAX function (CWE-22) - CVE-2018-0588
* Access Restriction Bypass in the "Forms" page (CWE-284) - CVE-2018-0589
* Access Restriction Bypass due to an issue in processing "Role" (CWE-284) - CVE-2018-0590
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000045https://jvn.jp/en/jp/JVN28804532/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0585https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0586https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0587https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0588https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0589https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0590https://nvd.nist.gov/vuln/detail/CVE-2018-0585https://nvd.nist.gov/vuln/detail/CVE-2018-0586https://nvd.nist.gov/vuln/detail/CVE-2018-0587https://nvd.nist.gov/vuln/detail/CVE-2018-0588https://nvd.nist.gov/vuln/detail/CVE-2018-0589https://nvd.nist.gov/vuln/detail/CVE-2018-0590https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ultimatemember:ultimate_member2018-08-30T18:11+09:002018-05-10T13:44+09:002018-08-30T18:11+09:00The installer of PlayMemories Home for Windows may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000046.html
PlayMemories Home for Windows provided by Sony Corporation is image management software. The installer of PlayMemories Home for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000046http://jvn.jp/en/jp/JVN13940333/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0600https://nvd.nist.gov/vuln/detail/CVE-2018-0600https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sony:playmemories_home2019-07-02T14:31+09:002018-05-24T15:25+09:002019-07-02T14:31+09:00IIJ SmartKey App for Android vulnerable to authentication bypass
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000047.html
IIJ SmartKey App for Android contains an authentication bypass vulnerability.
IIJ SmartKey App for Android provided by Internet Initiative Japan Inc. is an application that enables two-step authentication (two-factor authentication) for a website from an Android device. IIJ SmartKey App for Android contains an authentication bypass vulnerability (CWE-287).
Ryo Tateguchi of AndroPlus reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000047http://jvn.jp/en/jp/JVN27137002/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0584https://nvd.nist.gov/vuln/detail/CVE-2018-0584https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:iij:iij_smartkey2019-12-27T18:11+09:002018-05-11T14:34+09:002019-12-27T18:11+09:00KINEPASS App fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000048.html
KINEPASS App provided by T-JOY CO.,LTD fails to verify SSL server certificates.
Seigo Yamamoto of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000048https://jvn.jp/en/jp/JVN83671755/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0591https://nvd.nist.gov/vuln/detail/CVE-2018-0591https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:t-joy_kinepass2018-08-30T15:01+09:002018-05-11T14:34+09:002018-08-30T15:01+09:00Multiple Microsoft Windows applications and installers may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000049.html
Multiple Windows applications and installers provided by Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory where applications and/or installers reside (CWE-427).
Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue.
For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.
The following researchers reported the respective vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0592, CVE-2018-0593, CVE-2018-0596
Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc.
CVE-2018-0594
BlackWingCat of Pink Flying Whale
CVE-2018-0595, CVE-2018-0597
Eili MasamiJVNDB-2018-000049http://jvn.jp/en/jp/JVN91151862/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0592https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0593https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0594https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0595https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0596https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0597https://nvd.nist.gov/vuln/detail/CVE-2018-0592https://nvd.nist.gov/vuln/detail/CVE-2018-0593https://nvd.nist.gov/vuln/detail/CVE-2018-0594https://nvd.nist.gov/vuln/detail/CVE-2018-0595https://nvd.nist.gov/vuln/detail/CVE-2018-0596https://nvd.nist.gov/vuln/detail/CVE-2018-0597https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:microsoft:onedrivecpe:/a:microsoft:skypecpe:/a:microsoft:visual_studio_codecpe:/a:microsoft:visual_studio_community2019-07-05T16:40+09:002018-05-17T15:18+09:002019-07-05T16:40+09:00Self-Extracting Archive files created by IExpress may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000050.html
Self-extracting archive files created by IExpress provided by Microsoft contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue.
For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.
Eili Masami reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000050https://jvn.jp/en/jp/JVN72748502/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0598https://nvd.nist.gov/vuln/detail/CVE-2018-0598https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:microsoft:iexpresscpe:/o:microsoft:windows2018-08-21T16:40+09:002018-05-17T14:57+09:002018-08-21T16:40+09:00The installer of Visual C++ Redistributable may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000051.html
The installer of Visual C++ Redistributable provided by Microsoft contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries in the same directory as the installer (CWE-427).
Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting" and attacks exploiting this vulnerability are limited, thus there is no plan to release any security updates to address this issue.
For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.JVNDB-2018-000051https://jvn.jp/en/jp/JVN81196185/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0599https://nvd.nist.gov/vuln/detail/CVE-2018-0599https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:microsoft:visual_c%2B%2B_redistributable_package2019-07-05T16:41+09:002018-05-17T14:57+09:002019-07-05T16:41+09:00Nessus vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000052.html
Nessus provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79).
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2018-000052https://jvn.jp/en/jp/JVN96954395/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1147https://nvd.nist.gov/vuln/detail/CVE-2018-1147https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:tenable:nessus2018-08-30T13:47+09:002018-05-21T13:39+09:002018-08-30T13:47+09:00Multiple vulnerabilities in Cybozu Office
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000053.html
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* Information disclosure in the application "Message" when viewing an external image (CWE-200) - CVE-2018-0526
* Stored cross-site scripting in "E-mail Details Screen" of the application "E-mail" (CWE-79) - CVE-2018-0527
* Browse restriction bypass in the application "Scheduler" (CWE-264) - CVE-2018-0528
* Denial-of-service (DoS) in the application "Message" due to a flaw in processing of an attached file (CWE-20) - CVE-2018-0529
* Reflected cross-site scripting in the application "MultiReport" (CWE-79) - CVE-2018-0565
* Browse restriction bypass in the application "Scheduler" (CWE-264) - CVE-2018-0566
* Operation restriction bypass in the application "Bulletin" (CWE-264) - CVE-2018-0567
Jun Kokatsu reported CVE-2018-0526 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Masato Kinugawa reported CVE-2018-0527 and CVE-2018-0565 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of their solutions through JVN.
Cybozu, Inc. reported CVE-2018-0528, CVE-2018-0529 and CVE-2018-0566 vulnerabilities to JPCERT/CC to notify users of respective solutions through JVN.
Yuji Tounai reported CVE-2018-0567 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.JVNDB-2018-000053https://jvn.jp/jp/JVN51737843/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0526https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0527https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0528https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0529https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0565https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0566https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0567https://nvd.nist.gov/vuln/detail/CVE-2018-0565https://nvd.nist.gov/vuln/detail/CVE-2018-0566https://nvd.nist.gov/vuln/detail/CVE-2018-0567https://nvd.nist.gov/vuln/detail/CVE-2018-0526https://nvd.nist.gov/vuln/detail/CVE-2018-0527https://nvd.nist.gov/vuln/detail/CVE-2018-0528https://nvd.nist.gov/vuln/detail/CVE-2018-0529https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:office2018-08-30T16:03+09:002018-05-22T14:30+09:002018-08-30T16:03+09:00Multiple cross-site scripting vulnerabilities in Cybozu Mailwise
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000054.html
Cybozu Mailwise contains multiple cross-site scripting vulnerabilities listed below.
* Stored cross-site scripting vulnerability in "E-mail Details Screen" (CWE-79) - CVE-2018-0557
* Reflected cross-site scripting vulnerability in "System settings" (CWE-79) - CVE-2018-0558
* Reflected cross-site scripting vulnerability in "Address" (CWE-79) - CVE-2018-0559
Masato Kinugawa reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000054https://jvn.jp/en/jp/JVN52319657/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0557https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0558https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0559https://nvd.nist.gov/vuln/detail/CVE-2018-0557https://nvd.nist.gov/vuln/detail/CVE-2018-0558https://nvd.nist.gov/vuln/detail/CVE-2018-0559https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:mailwise2018-08-30T17:47+09:002018-05-22T15:26+09:002018-08-30T17:47+09:00Multiple vulnerabilities in baserCMS
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000055.html
baserCMS provided by baserCMS Users Community is an open source content management system. baserCMS contains multiple vulnerabilities listed below.
* Command injection (CWE-94) - CVE-2018-0569
* Cross-site scripting (CWE-79) - CVE-2018-0570
* Unrestricted Upload of File with Dangerous Type in upload file management function (CWE-434) - CVE-2018-0571
* Restrict access permissions failure in contents management function (CWE-264) - CVE-2018-0572
* Restrict access permissions failure for content whose public period has expired (CWE-264) - CVE-2018-0573
* Cross-site scripting in theme management function (CWE-79) - CVE-2018-0574
* Restrict access permissions failure in the function to attach files in mail form (CWE-264) - CVE-2018-0575
The following researchers reported the respective vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
* CVE-2018-0569, CVE-2018-0570, CVE-2018-0571, CVE-2018-0572, and CVE-2018-0573: Toshitsugu Yoneyama and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
* CVE-2018-0574 and CVE-2018-0575: Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
JVNDB-2018-000055http://jvn.jp/en/jp/JVN67881316/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0569https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0570https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0571https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0572https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0573https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0574https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0575https://nvd.nist.gov/vuln/detail/CVE-2018-0569https://nvd.nist.gov/vuln/detail/CVE-2018-0570https://nvd.nist.gov/vuln/detail/CVE-2018-0571https://nvd.nist.gov/vuln/detail/CVE-2018-0572https://nvd.nist.gov/vuln/detail/CVE-2018-0573https://nvd.nist.gov/vuln/detail/CVE-2018-0574https://nvd.nist.gov/vuln/detail/CVE-2018-0575https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:basercms:basercms2019-12-27T18:10+09:002018-05-22T14:53+09:002019-12-27T18:10+09:00Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000056.html
Susie plug-in "axpdfium" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).JVNDB-2018-000056http://jvn.jp/en/jp/JVN79301396/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0601https://nvd.nist.gov/vuln/detail/CVE-2018-0601https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:axpdfium_project:axpdfium2019-07-02T14:53+09:002018-05-24T15:15+09:002019-07-02T14:53+09:00The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely invoke an executable file
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000057.html
The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely invoking an executable file (CWE-427).
DigiGnome reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000057http://jvn.jp/en/jp/JVN20040004/index.htmlhttp://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0563https://nvd.nist.gov/vuln/detail/CVE-2018-0563https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ntt_east:flet%27s_virus_clear_easy_setup_%26_application_toolcpe:/a:ntt_east:flet%27s_virus_clear_v6_easy_setup_%26_application_tool2019-12-27T18:09+09:002018-05-29T13:47+09:002019-12-27T18:09+09:00WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000058.html
The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability (CWE-79).
Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000058http://jvn.jp/en/jp/JVN16471686/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0602https://nvd.nist.gov/vuln/detail/CVE-2018-0602https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:icegram:email_subscribers_%26_newsletters2019-07-02T14:50+09:002018-05-28T14:11+09:002019-07-02T14:50+09:00WordPress plugin "Site Reviews" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000059.html
The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability (CWE-79).
Keita Uchida of TDU Cryptography Lab reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000059http://jvn.jp/en/jp/JVN60978548/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0603https://nvd.nist.gov/vuln/detail/CVE-2018-0603https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:gemini_labs:site_reviews2019-07-02T14:25+09:002018-05-28T14:11+09:002019-07-02T14:25+09:00Multiple vulnerabilities in Pixelpost
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000060.html
Pixelpost provided by Pixelpost.org contains multiple vulnerabilities listed below.
* Arbitrary code execution - CVE-2018-0604
* Cross-site scripting (CWE-79) - CVE-2018-0605
* SQL injection (CWE-89) - CVE-2018-0606
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000060http://jvn.jp/en/jp/JVN27978559/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0604https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0605https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0606https://nvd.nist.gov/vuln/detail/CVE-2018-0604https://nvd.nist.gov/vuln/detail/CVE-2018-0605https://nvd.nist.gov/vuln/detail/CVE-2018-0606https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:pixelpost:pixelpost2018-05-31T14:07+09:002018-05-31T14:07+09:002018-05-31T14:07+09:00H2O vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000061.html
H2O is open source web server software. H2O contains a buffer overflow vulnerability (CWE-119) due to a processing flaw in the output of Access Log.
Marlies Ruck of ForAllSecure reported this vulnerability to Kazuho Oku, and Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000061https://jvn.jp/en/jp/JVN93226941/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0608https://nvd.nist.gov/vuln/detail/CVE-2018-0608https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:h2o_project:h2o2018-06-04T14:10+09:002018-06-04T14:10+09:002018-06-04T14:10+09:00Local File Inclusion vulnerability in Zenphoto
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000062.html
Zenphoto is a content management system (CMS). Zenphoto contains a Local File Inclusion vulnerability.
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000062http://jvn.jp/en/jp/JVN33124193/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0610https://nvd.nist.gov/vuln/detail/CVE-2018-0610https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:zenphoto:zenphoto2018-06-13T15:11+09:002018-06-13T15:11+09:002018-06-13T15:11+09:00LINE for Windows may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000063.html
LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software.
If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries (CWE-427).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.JVNDB-2018-000063http://jvn.jp/en/jp/JVN92265618/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0609https://nvd.nist.gov/vuln/detail/CVE-2018-0609https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:linecorp:line2018-06-12T14:44+09:002018-06-12T14:44+09:002018-06-12T14:44+09:00Chrome Extension "5000 trillion yen converter" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000064.html
Chrome Extension "5000 trillion yen converter" provided by Owen contains a cross-site scripting vulnerability (CWE-79).JVNDB-2018-000064http://jvn.jp/en/jp/JVN98975951/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0612https://nvd.nist.gov/vuln/detail/CVE-2018-0612https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:Owen:5000_trillion_yen_converter2018-06-15T14:36+09:002018-06-15T14:36+09:002018-06-15T14:36+09:00ANA App for iOS fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000065.html
ANA App for iOS provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates (CWE-295).
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000065http://jvn.jp/en/jp/JVN71535108/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0611https://nvd.nist.gov/vuln/detail/CVE-2018-0611https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ana:all_nippon_airways2019-12-27T18:08+09:002018-06-15T14:40+09:002019-12-27T18:08+09:00MemoCGI vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000066.html
MemoCGI provided by ChamaNet contains a directory traversal vulnerability (CWE-22).
Ikuo Shoji reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000066http://jvn.jp/en/jp/JVN58362455/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0617https://nvd.nist.gov/vuln/detail/CVE-2018-0617https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:chama:memocgi2019-07-05T17:58+09:002018-06-27T14:44+09:002019-07-05T17:58+09:00Mailman vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000067.html
Mailman provided by GNU Mailman contains a stored cross-site scripting vulnerability (CWE-79).
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000067http://jvn.jp/en/jp/JVN00846677/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0618https://nvd.nist.gov/vuln/detail/CVE-2018-0618https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:gnu:mailman2019-07-24T15:21+09:002018-06-28T12:30+09:002019-07-24T15:21+09:00Multiple vulnerabilities in Calsos CSDX and CSDJ series products
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000068.html
Calsos CSDX and CSDJ series products provided by NEC Platforms, Ltd. contain multiple vulnerabilities listed below.
* Access Restriction Bypass (CWE-284) - CVE-2018-0613
* Cross-site scripting (CWE-79) - CVE-2018-0614
NEC Platforms, Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and NEC Platforms, Ltd. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000068http://jvn.jp/en/jp/JVN63895206/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0613https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0614https://nvd.nist.gov/vuln/detail/CVE-2018-0613https://nvd.nist.gov/vuln/detail/CVE-2018-0614https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:necplatforms:nec_platforms_csdjcpe:/a:necplatforms:nec_platforms_csdjcpe:/a:necplatforms:nec_platforms_csdjcpe:/a:necplatforms:nec_platforms_csdjcpe:/o:necplatforms:calsos_csdx_firmwarecpe:/o:necplatforms:calsos_csdx_firmwarecpe:/o:necplatforms:calsos_csdx_firmwarecpe:/o:necplatforms:calsos_csdx_firmware2019-07-24T14:31+09:002018-07-02T15:22+09:002019-07-24T14:31+09:00Cybozu Garoon vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000069.html
Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability (CWE-89) in application "Notifications".
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000069http://jvn.jp/en/jp/JVN13415512/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0607https://nvd.nist.gov/vuln/detail/CVE-2018-0607https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:garoon2019-07-05T17:55+09:002018-07-02T15:22+09:002019-07-05T17:55+09:00Installer of Glary Utilities may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000070.html
Installer of Glary Utilities provided by Glarysoft Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eili Masami reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000070http://jvn.jp/en/jp/JVN84967039/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0619https://nvd.nist.gov/vuln/detail/CVE-2018-0619https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:glarysoft:glary_utilities2019-07-05T17:52+09:002018-07-03T13:42+09:002019-07-05T17:52+09:00DHC Online Shop App for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000071.html
DHC Online Shop App for Android provided by DHC Corporation fails to verify SSL server certificates.
Sho Ueshima and Tsuyoshi Ogawa of SIE Co.,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000071http://jvn.jp/en/jp/JVN77409513/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0622https://nvd.nist.gov/vuln/detail/CVE-2018-0622https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dhc:dhc_online_shop2019-07-05T17:35+09:002018-07-06T14:36+09:002019-07-05T17:35+09:00The installers of multiple Logicool software programs may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000072.html
The installers of multiple software programs provided by Logicool Co. Ltd contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000072http://jvn.jp/en/jp/JVN52574492/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0620https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0621https://nvd.nist.gov/vuln/detail/CVE-2018-0620https://nvd.nist.gov/vuln/detail/CVE-2018-0621https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:logitech:connection_utility_softwarecpe:/a:logitech:game_software2019-07-05T17:38+09:002018-07-06T14:36+09:002019-07-05T17:38+09:00Installer of ChatWork Desktop App for Windows may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000073.html
Installer of ChatWork Desktop App for Windows provided by ChatWork Co., LTD. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Hamasaki Hiroki of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000073https://jvn.jp/en/ta/JVNTA91240916/index.htmlhttps://jvn.jp/en/jp/JVN39171169/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0648https://nvd.nist.gov/vuln/detail/CVE-2018-0648https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:chatwork:chatwork2019-07-25T16:50+09:002018-07-23T14:28+09:002019-07-25T16:50+09:00DLL planting vulnerability in multiple Yayoi 17 Series products
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000074.html
Multiple Yayoi 17 Series products provided by Yayoi Co., Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000074https://jvn.jp/en/jp/JVN06813756/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0623https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0624https://nvd.nist.gov/vuln/detail/CVE-2018-0623https://nvd.nist.gov/vuln/detail/CVE-2018-0624https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:yayoi-hanbaicpe:/a:misc:yayoi-kaikeicpe:/a:misc:yayoi_kyuyocpe:/a:misc:yayoi_no_aoiroshinkokucpe:/a:misc:yayoi_no_kokyakukanricpe:/a:misc:yayoi_no_kyuyokeisan2019-07-25T15:04+09:002018-07-20T15:41+09:002019-07-25T15:04+09:00Multiple OS command injection vulnerabilities in Aterm WG1200HP
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000075.html
Aterm WG1200HP provided by NEC Corporation contains multiple OS command injection vulnerabilities (CWE-78).
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000075http://jvn.jp/en/jp/JVN00401783/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0625 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0626https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0627https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0628https://nvd.nist.gov/vuln/detail/CVE-2018-0625https://nvd.nist.gov/vuln/detail/CVE-2018-0626https://nvd.nist.gov/vuln/detail/CVE-2018-0627https://nvd.nist.gov/vuln/detail/CVE-2018-0628https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:nec:aterm_wg1200hp_firmware2019-08-27T13:44+09:002018-07-12T15:04+09:002019-08-27T13:44+09:00Multiple vulnerabilities in Aterm W300P
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000076.html
Aterm W300P provided by NEC Corporation contains multiple vulnerabilities listed below.
* OS Command Injection (CWE-78) - CVE-2018-0629, CVE-2018-0630, CVE-2018-0631
* Buffer Overflow (CWE-119) - CVE-2018-0632, CVE-2018-0633
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000076http://jvn.jp/en/jp/JVN26629618/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0629https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0630https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0631https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0632https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0633https://nvd.nist.gov/vuln/detail/CVE-2018-0629https://nvd.nist.gov/vuln/detail/CVE-2018-0630https://nvd.nist.gov/vuln/detail/CVE-2018-0631https://nvd.nist.gov/vuln/detail/CVE-2018-0632https://nvd.nist.gov/vuln/detail/CVE-2018-0633https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:nec:aterm_w300p_firmware2019-08-27T16:56+09:002018-07-12T15:04+09:002019-08-27T16:56+09:00Multiple vulnerabilities in Aterm HC100RC
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000077.html
Aterm HC100RC provided by NEC Corporation contains multiple vulnerabilities listed below.
* OS Command Injection (CWE-78) - CVE-2018-0634, CVE-2018-0635, CVE-2018-0636, CVE-2018-0637, CVE-2018-0638, CVE-2018-0639
* Buffer Overflow (CWE-119) - CVE-2018-0640, CVE-2018-0641
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000077https://jvn.jp/en/jp/JVN84825660/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0634https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0635https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0636https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0637https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0638https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0639https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0640https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0641https://nvd.nist.gov/vuln/detail/CVE-2018-0634https://nvd.nist.gov/vuln/detail/CVE-2018-0635https://nvd.nist.gov/vuln/detail/CVE-2018-0636https://nvd.nist.gov/vuln/detail/CVE-2018-0637https://nvd.nist.gov/vuln/detail/CVE-2018-0638https://nvd.nist.gov/vuln/detail/CVE-2018-0639https://nvd.nist.gov/vuln/detail/CVE-2018-0640https://nvd.nist.gov/vuln/detail/CVE-2018-0641https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:nec:aterm_hc100rc_firmware2019-08-27T13:52+09:002018-07-12T15:04+09:002019-08-27T13:52+09:00WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000078.html
The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability (CWE-79).
Chris Liu reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000078http://jvn.jp/en/jp/JVN70246549/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0642https://nvd.nist.gov/vuln/detail/CVE-2018-0642https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:foliovision:fv_flowplayer_video_player2019-07-25T17:12+09:002018-07-17T12:27+09:002019-07-25T17:12+09:00Explzh vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000079.html
Explzh is file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability (CWE-22).
Explzh is vulnerable to absolute path traversal, not relative path traversal. Therefore, an attacker may create new files or overwrite existing files in directories accessible with the privileges used to extract files with Explzh.
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000079http://jvn.jp/en/jp/JVN55813866/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0646https://nvd.nist.gov/vuln/detail/CVE-2018-0646https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ponsoftware:explzh2019-07-25T16:26+09:002018-07-13T14:47+09:002019-07-25T16:26+09:00Movable Type plugin MTAppjQuery vulnerable to PHP code execution
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000080.html
MTAppjQuery provided by bit part LLC is a plugin for Movable Type. MTAppjQuery v1.8.1 and earlier versions incorporate an older version of the PHP library Uploadify, and the older versions of Uploadify contain an unrestricted upload of arbitrary files vulnerability (CWE-434), which may lead to arbitrary PHP code execution if MTAppjQuery is used.
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000080http://jvn.jp/en/jp/JVN62423700/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0645https://nvd.nist.gov/vuln/detail/CVE-2018-0645https://blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:bit-part:mtappjquery2019-07-26T15:23+09:002018-07-18T15:35+09:002019-07-26T15:23+09:00Multiple vulnerabilities in ORCA(Online Receipt Computer Advantage)
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000081.html
ORCA(Online Receipt Computer Advantage) provided by ORCA Management Organization Co., Ltd contains vulnerabilities listed below.
* OS command injection (CWE-78) - CVE-2018-0643
* Buffer overflow (CWE-119) - CVE-2018-0644
All participants of IoT x Security Hackathon 2016 reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000081http://jvn.jp/en/jp/JVN37376131/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0643https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0644https://nvd.nist.gov/vuln/detail/CVE-2018-0643https://nvd.nist.gov/vuln/detail/CVE-2018-0644https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:orcamo:ubuntu_14.04_online_receipt_computer_advantagecpe:/a:orcamo:ubuntu_16.04_online_receipt_computer_advantage2019-07-25T16:59+09:002018-07-18T15:35+09:002019-07-25T16:59+09:00WL-330NUL vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000082.html
WL-330NUL provided by ASUS Japan Inc. is a portable wireless LAN router. WL-330NUL contains a cross-site request forgery vulnerability (CWE-352).
Masashi Sakai reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000082http://jvn.jp/en/jp/JVN71329812/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0647https://nvd.nist.gov/vuln/detail/CVE-2018-0647https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:asus_japan_wl-330nul2019-07-25T14:38+09:002018-07-20T15:41+09:002019-07-25T14:38+09:00The installers of multiple Canon IT Solutions Inc. software programs may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000083.html
The installers of multiple software programs provided by Canon IT Solutions Inc. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000083http://jvn.jp/en/jp/JVN41452671/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0649https://nvd.nist.gov/vuln/detail/CVE-2018-0649https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:eset:compuseccpe:/a:eset:deslock%2b_procpe:/a:eset:internet_securitycpe:/a:eset:nod32_antiviruscpe:/a:eset:smart_securitycpe:/a:eset:smart_security_premium2019-07-26T12:05+09:002018-07-24T14:43+09:002019-07-26T12:05+09:00LINE MUSIC for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000084.html
LINE MUSIC for Android provided by LINE MUSIC CORPORATION fails to verify SSL server certificates (CWE-295).
LINE MUSIC CORPORATION reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.JVNDB-2018-000084https://jvn.jp/en/jp/JVN16933564/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0650https://nvd.nist.gov/vuln/detail/CVE-2018-0650https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:line_music_corporation:line_music2019-07-25T17:28+09:002018-07-26T14:58+09:002019-07-25T17:28+09:00Multiple cross-site scripting vulnerabilities in GROWI
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000085.html
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the UserGroup Management section of admin page (CWE-79) - CVE-2018-0652
* Stored cross-site scripting vulnerability in Wiki page view (CWE-79) - CVE-2018-0653
* Reflected cross-site scripting vulnerability in the modal for creating Wiki page (CWE-79) - CVE-2018-0654
* Stored cross-site scripting in the app settings section of admin page (CWE-79) - CVE-2018-0655
The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0652, CVE-2018-0653
Yoshinori Hayashi of Information Science College
CVE-2018-0654, CVE-2018-0655
Kanta Nishitani of Information Science College
JVNDB-2018-000085http://jvn.jp/en/jp/JVN18716340/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0652https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0653https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0654https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0655https://nvd.nist.gov/vuln/detail/CVE-2018-0652https://nvd.nist.gov/vuln/detail/CVE-2018-0653https://nvd.nist.gov/vuln/detail/CVE-2018-0654https://nvd.nist.gov/vuln/detail/CVE-2018-0655https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:weseek:growi2019-07-05T17:13+09:002018-08-03T15:04+09:002019-07-05T17:13+09:00Multiple vulnerabilities in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service) for EC-CUBE
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000086.html
EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service), which are additional modules for EC-CUBE, provided by GMO Payment Gateway, Inc. contain multiple vulnerabilities listed below.
* Cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2018-0657
* Input validation bypass vulnerability in the management screen (CWE-20) - CVE-2018-0658
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000086https://jvn.jp/en/jp/JVN06372244/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0657https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0658https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:gmo_payment_gateway:ec-cubepayment_settlement_modulecpe:/a:gmo_payment_gateway:gmo-pg_settlement_module2018-08-09T16:43+09:002018-08-09T16:43+09:002018-08-09T16:43+09:00The installer of Digital Paper App may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000087.html
Digital Paper App provided by Sony Corporation is document management software exclusively for Sony Digital Paper. The installer of Digital Paper App contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000087https://jvn.jp/en/ta/JVNTA91240916/http://jvn.jp/en/jp/JVN75700242/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0656https://nvd.nist.gov/vuln/detail/CVE-2018-0656https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sony:digital_paper_app2019-07-25T16:17+09:002018-08-21T15:59+09:002019-07-25T16:17+09:00Multiple vulnerabilities in multiple I-O DATA network camera products
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000089.html
Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities listed below.
* Permissions, Privileges, and Access Controls (CWE-264) - CVE-2018-0661
* Insufficient Verification of Data Authenticity (CWE-345) - CVE-2018-0662
* Use of Hard-coded Credentials (CWE-798) - CVE-2018-0663
The following researchers reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0661
Yutaka Kokubu, Toshitsugu Yoneyama, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
CVE-2018-0662
Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
CVE-2018-0663
Yutaka Kokubu and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.JVNDB-2018-000089https://jvn.jp/en/jp/JVN83701666/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0661https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0662https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0663https://nvd.nist.gov/vuln/detail/CVE-2018-0661https://nvd.nist.gov/vuln/detail/CVE-2018-0662https://nvd.nist.gov/vuln/detail/CVE-2018-0663https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:i-o_data_device:ts-wrlp%2Fecpe:/h:i-o_data_device:ts-wrlacpe:/h:i-o_data_device:ts-wrlp2019-07-25T16:00+09:002018-08-07T14:33+09:002019-07-25T16:00+09:00Multiple directory traversal vulnerabilities in AttacheCase
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000090.html
AttacheCase is open source file encryption software provided by HiBARA Software. AttacheCase contains a directory traversal vulnerability (CWE-22) due to a flaw in processing filenames in ATC files.
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported the CVE-2018-0660 vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000090https://jvn.jp/en/jp/JVN62121133/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0659https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0660https://nvd.nist.gov/vuln/detail/CVE-2018-0659https://nvd.nist.gov/vuln/detail/CVE-2018-0660https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hibara:attachecasecpe:/a:hibara:attachecase2019-07-25T14:32+09:002018-08-06T14:10+09:002019-07-25T14:32+09:00NoMachine App for Android vulnerable to environment variables alteration
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000091.html
NoMachine App for Android contains an information alteration vulnerability.
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000091https://jvn.jp/en/jp/JVN14451678/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0664https://nvd.nist.gov/vuln/detail/CVE-2018-0664https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:nomachine:nomachine2019-07-25T17:17+09:002018-08-17T13:49+09:002019-07-25T17:17+09:00Multiple vulnerabilities in INplc
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000092.html
INplc provided by MICRONET CORPORATION contains multiple vulnerabilities listed below.
* DLL preloading vulnerability (CWE-427) - CVE-2018-0667
* Buffer overflow (CWE-119) - CVE-2018-0668
* Authentication bypass (CWE-287) - CVE-2018-0669
* Authentication bypass (CWE-287) - CVE-2018-0670
* Privilege escalation - CVE-2018-0671
Kotatsu Shiraki of University of Tokyo/NEC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000092http://jvn.jp/en/jp/JVN59624986/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0667https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0668https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0669https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0670https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0671https://nvd.nist.gov/vuln/detail/CVE-2018-0667https://nvd.nist.gov/vuln/detail/CVE-2018-0668https://nvd.nist.gov/vuln/detail/CVE-2018-0669https://nvd.nist.gov/vuln/detail/CVE-2018-0670https://nvd.nist.gov/vuln/detail/CVE-2018-0671https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:mnc:inplc-rtcpe:/a:mnc:inplc-rt_sdk_expresscpe:/a:mnc:inplc_sdk_pro%2b2019-08-28T09:51+09:002018-09-07T16:49+09:002019-08-28T09:51+09:00Multiple script injection vulnerabilities in multiple Yamaha network devices
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000093.html
The management screen of multiple network devices provided by Yamaha Corporation contains multiple script injection vulnerabilities (CWE-74).
The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-0665
Hayato Doi of Kanazawa Institute of Technology
CVE-2018-0666
Tomonori Yamamoto of Mitsui Bussan Secure Directions, Inc.JVNDB-2018-000093https://jvn.jp/en/jp/JVN69967692/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0665https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0666https://nvd.nist.gov/vuln/detail/CVE-2018-0665https://nvd.nist.gov/vuln/detail/CVE-2018-0666https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:yamaha:fwx120_firmwarecpe:/o:yamaha:nvr500_firmwarecpe:/o:yamaha:rt57i_firmwarecpe:/o:yamaha:rt58i_firmwarecpe:/o:yamaha:rtx810_firmware2019-08-27T17:53+09:002018-08-29T18:01+09:002019-08-27T17:53+09:00Movable Type vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000094.html
Movable Type provided by Six Apart, Ltd. is a content management system. Movable Type contains a cross-site scripting vulnerability (CWE-79).
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000094http://jvn.jp/en/jp/JVN89550319/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0672https://nvd.nist.gov/vuln/detail/CVE-2018-0672https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sixapart:movabletype2019-07-25T14:25+09:002018-08-30T17:34+09:002019-07-25T14:25+09:00AttacheCase vulnerable to arbitrary script execution
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000095.html
AttacheCase is open source file encryption software provided by HiBARA Software.
If a specially crafted settings file _AtcCase.ini resides in the same folder as an ATC file, it may be leveraged to execute an arbitrary script when the ATC file is decrypted.
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000095http://jvn.jp/en/jp/JVN02037158/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0674https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0675https://nvd.nist.gov/vuln/detail/CVE-2018-0674https://nvd.nist.gov/vuln/detail/CVE-2018-0675https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html2019-07-26T12:19+09:002018-08-31T15:59+09:002019-07-26T12:19+09:00QNAP Photo Station vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000096.html
Photo Station provided by QNAP Systems, Inc. contains a reflected cross-site scripting vulnerability (CWE-79).
Mitsuaki (Mitch) Shiraishi of Secureworks Japan reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000096http://jvn.jp/en/jp/JVN63556416/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0715https://nvd.nist.gov/vuln/detail/CVE-2018-0715https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:qnap:photo_station2019-07-25T16:09+09:002018-08-31T15:48+09:002019-07-25T16:09+09:00Multiple FXC network devices vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000097.html
Multiple network devices provided by FXC Inc. contain a stored cross-site scripting vulnerability (CWE-79).
SUNAGAWA, Masanori of Japan Advanced Institute of Science and Technology Graduate School of Advanced Science and Technology Security and Networks reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000097http://jvn.jp/en/jp/JVN68528150/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0679https://nvd.nist.gov/vuln/detail/CVE-2018-0679https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:fxc:ae1021pe_firmwarecpe:/o:fxc:ae1021_firmwarecpe:/o:fxc:fxc5210pe_firmwarecpe:/o:fxc:fxc5210_firmwarecpe:/o:fxc:fxc5218pe_firmwarecpe:/o:fxc:fxc5218_firmwarecpe:/o:fxc:fxc5224pe_firmwarecpe:/o:fxc:fxc5224_firmwarecpe:/o:fxc:fxc5426f_firmwarecpe:/o:fxc:fxc5428_firmware2019-08-27T11:30+09:002018-09-13T13:57+09:002019-08-27T11:30+09:00Cybozu Garoon vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000099.html
Cybozu Garoon provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing of the session information.
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000099http://jvn.jp/en/jp/JVN12583112/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0673https://nvd.nist.gov/vuln/detail/CVE-2018-0673https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:garoon2019-07-26T15:28+09:002018-09-10T14:01+09:002019-07-26T15:28+09:00+Message App fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000100.html
+Message App fails to verify SSL server certificates.
ma.la of LINE Corporation reported this vulnerability to the developer, and also to IPA in order to notify users of its solution through JVN.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000100https://jvn.jp/en/jp/JVN37288228/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0691https://nvd.nist.gov/vuln/detail/CVE-2018-0691https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:kddi:%2b_messagecpe:/a:nttdocomo:%2b_messagecpe:/a:softbank:%2b_message2019-08-27T17:22+09:002018-09-27T16:52+09:002019-08-27T17:22+09:00The installer of Baidu Browser may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000101.html
Baidu Browser provided by Baidu, Inc. is a Web browser. The installer of Baidu Browser contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Asuka Nakajima of NTT Secure Platform Laboratories reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000101https://jvn.jp/en/jp/JVN77885134/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0692https://nvd.nist.gov/vuln/detail/CVE-2018-0692https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:baidu:baidu_browser2019-08-27T10:39+09:002018-10-03T15:02+09:002019-08-27T10:39+09:00Multiple vulnerabilities in Denbun
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000102.html
Denbun provided by NEOJAPAN Inc. is a WebMail System. Denbun contains multiple vulnerabilities listed below.
* Hard-coded credentials for user account (CWE-798) - CVE-2018-0680
* Hard-coded credentials for the configuration management page (CWE-798) - CVE-2018-0681
* Improper session management (CWE-639) - CVE-2018-0682
* Stack-based buffer overflow due to a flaw in processing Cookie data (CWE-121) - CVE-2018-0683
* Stack-based buffer overflow due to a flaw in processing multipart/form-data format data (CWE-121) - CVE-2018-0684
* SQL injection due to a flaw in processing HTTP requests for mail search (CWE-89) - CVE-2018-0685
* Arbitrary executable files can be uploaded (CWE-434) - CVE-2018-0686
* Cross-site scripting in HTML mail view (CWE-79) - CVE-2018-0687JVNDB-2018-000102http://jvn.jp/en/jp/JVN00344155/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0680https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0681https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0682https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0683https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0684https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0685https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0686https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0687https://nvd.nist.gov/vuln/detail/CVE-2018-0680https://nvd.nist.gov/vuln/detail/CVE-2018-0681https://nvd.nist.gov/vuln/detail/CVE-2018-0682https://nvd.nist.gov/vuln/detail/CVE-2018-0683https://nvd.nist.gov/vuln/detail/CVE-2018-0684https://nvd.nist.gov/vuln/detail/CVE-2018-0685https://nvd.nist.gov/vuln/detail/CVE-2018-0686https://nvd.nist.gov/vuln/detail/CVE-2018-0687https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:neo_japan:denbun_imapcpe:/a:neo_japan:denbun_pop2019-07-11T16:02+09:002018-10-04T16:11+09:002019-07-11T16:02+09:00Music Center for PC improperly verifies software update files
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000103.html
Music Center for PC provided by Sony Video & Sound Products Inc. contains an issue in software update process (CWE-669). As a result, under a man-in-the-middle attack, a specially crafted executable file may be downloaded and executed.
DigiGnome reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000103http://jvn.jp/en/jp/JVN36623716/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0690https://nvd.nist.gov/vuln/detail/CVE-2018-0690https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sony:music_center2019-07-26T15:57+09:002018-10-09T16:22+09:002019-07-26T15:57+09:00Multiple vulnerabilities in FileZen
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000104.html
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface.
FileZen contains multiple vulnerabilities listed below.
* Directory traversal (CWE-22) - CVE-2018-0693
* OS command injection (CWE-78) - CVE-2018-0694
Soliton Systems K.K. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000104http://jvn.jp/en/jp/JVN95355683/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0693https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0694https://nvd.nist.gov/vuln/detail/CVE-2018-0693https://nvd.nist.gov/vuln/detail/CVE-2018-0694https://www.ipa.go.jp/security/ciadr/vul/20181015-jvn.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:soliton:filezen2019-07-26T17:00+09:002018-10-15T15:26+09:002019-07-26T17:00+09:00Metabase vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000105.html
Metabase provided by Metabase, Inc. contains a reflected cross-site scripting vulnerability (CWE-79).
Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000105http://jvn.jp/en/jp/JVN14323043/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0697https://nvd.nist.gov/vuln/detail/CVE-2018-0697https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:metabase:metabase2019-07-26T17:49+09:002018-10-11T15:54+09:002019-07-26T17:49+09:00User-friendly SVN vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000106.html
User-friendly SVN provided by USVN Team contains a reflected cross-site scripting vulnerability (CWE-79).
Jun Okutsu of NTT TechnoCross Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000106http://jvn.jp/en/jp/JVN73794686/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0695https://nvd.nist.gov/vuln/detail/CVE-2018-0695https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:usvn:usvn2019-07-11T18:00+09:002018-10-09T16:27+09:002019-07-11T18:00+09:00OpenAM (Open Source Edition) vulnerable to session management
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000107.html
OpenAM (Open Source Edition) contains a vulnerability in session management.
Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000107http://jvn.jp/en/jp/JVN49995005/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0696https://nvd.nist.gov/vuln/detail/CVE-2018-0696https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:osstech:openam2019-09-26T18:10+09:002018-10-12T14:44+09:002019-09-26T18:10+09:00Multiple vulnerabilities in YukiWiki
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000109.html
YukiWiki is a Wiki engine. YukiWiki contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2018-0699
* Processing a particular request consumes large amounts of CPU and memory resources (CWE-400) - CVE-2018-0700
Tanaka Akira of National Institute of Advanced Industrial Science and Technology (AIST) reported CVE-2018-0700 vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000109https://jvn.jp/en/jp/JVN36343375/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0699https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0700https://nvd.nist.gov/vuln/detail/CVE-2018-0699https://nvd.nist.gov/vuln/detail/CVE-2018-0700https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://cwe.mitre.org/data/definitions/400.htmlcpe:/a:hyuki:yukiwiki2019-08-27T10:32+09:002018-10-19T14:31+09:002019-08-27T10:32+09:00Web Isolation vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000110.html
Web Isolation provided by Symantec Corporation contains a reflected cross-site scripting vulnerability (CWE-79).JVNDB-2018-000110https://jvn.jp/en/jp/JVN58005743/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12246https://nvd.nist.gov/vuln/detail/CVE-2018-12246https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:symantec:web_isolation2019-07-26T14:06+09:002018-10-19T14:45+09:002019-07-26T14:06+09:00BlueStacks App Player fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000111.html
BlueStacks App Player fails to restrict access permissions (CWE-284).
Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000111http://jvn.jp/en/jp/JVN60702986/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0701https://nvd.nist.gov/vuln/detail/CVE-2018-0701https://cwe.mitre.org/data/definitions/284.htmlcpe:/a:bluestacks:bluestacks2019-08-27T10:35+09:002018-10-24T16:13+09:002019-08-27T10:35+09:00SecureCore Standard Edition vulnerable to authentication bypass
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000112.html
SecureCore Standard Edition provided by Feitian Japan Co., Ltd. contains an authentication bypass vulnerability (CWE-287).
Daisuke Ota of BizReach, inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000112http://jvn.jp/en/jp/JVN21528670/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16160https://nvd.nist.gov/vuln/detail/CVE-2018-16160https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:feitian_japan_securecore_standard_edition2019-08-06T17:34+09:002018-10-24T16:07+09:002019-08-06T17:34+09:00Multiple vulnerabilities in OpenDolphin
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000113.html
OpenDolphin provided by Life Sciences Computing Corporation contains multiple vulnerabilities listed below.
* Privilege escalation - CVE-2018-16161
* Information disclosure (CWE-200) - CVE-2018-16162
* Restrict access permissions failure (CWE-284) - CVE-2018-16163
Symantec Japan, Inc. Advisory Services Team reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000113http://jvn.jp/en/jp/JVN59394343/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16161https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16162https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16163https://nvd.nist.gov/vuln/detail/CVE-2018-16161https://nvd.nist.gov/vuln/detail/CVE-2018-16162https://nvd.nist.gov/vuln/detail/CVE-2018-16163https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:opendolphin:opendolphin2019-07-26T14:35+09:002018-10-26T16:16+09:002019-07-26T14:35+09:00Confluence Server vulnerable to script injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000114.html
User Macros of Confluence Server provided by Atlassian Pty Ltd. contains a script injection vulnerability (CWE-74).
Kanta Nishitani of Information Science College reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000114https://jvn.jp/en/jp/JVN37943805/index.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:atlassian:confluence2018-10-29T13:36+09:002018-10-29T13:36+09:002018-10-29T13:36+09:00WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000115.html
The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability (CWE-79).
Yuta Kitaoka of TokyoDenkiUniversity Cryptography Lab reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000115https://jvn.jp/en/jp/JVN75738023/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16164https://nvd.nist.gov/vuln/detail/CVE-2018-16164https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:web-dorado:event_calendar_wd2019-08-27T15:15+09:002018-11-02T14:56+09:002019-08-27T15:15+09:00Mail app for iOS vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000116.html
Mail app for iOS provided by Apple contains a denial-of-service (DoS) vulnerability due to an issue in the handling of a maliciously crafted S/MIME signed message.
Yukinobu Nagayasu of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000116http://jvn.jp/en/jp/JVN96551318/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4400https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:apple:iphone_os2018-11-02T14:42+09:002018-11-02T14:42+09:002018-11-02T14:42+09:00Multiple vulnerabilities in WordPress plugin "LearnPress"
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000117.html
WordPress LMS plugin "LearnPress" contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2018-16173
* Open Redirect (CWE-601) - CVE-2018-16174
* SQL Injection (CWE-89) - CVE-2018-16175
Daiki Sueyoshi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.JVNDB-2018-000117http://jvn.jp/en/jp/JVN85760090/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16173https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16174https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16175https://nvd.nist.gov/vuln/detail/CVE-2018-16173https://nvd.nist.gov/vuln/detail/CVE-2018-16174https://nvd.nist.gov/vuln/detail/CVE-2018-16175https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:thimpress:learnpress2019-08-27T11:35+09:002018-11-09T16:13+09:002019-08-27T11:35+09:00The installer of Windows10 Fall Creators Update Modify module for Security Measures tool may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000118.html
The installer of Windows10 Fall Creators Update Modify module for Security Measures tool provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Tomohisa Hasegawa of Canon IT Solutions Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000118https://jvn.jp/en/jp/JVN15709478/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16177https://nvd.nist.gov/vuln/detail/CVE-2018-16177https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ntt_west:fall_creators_update2019-08-27T18:03+09:002018-11-09T16:13+09:002019-08-27T18:03+09:00Cybozu Mailwise vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000119.html
Cybozu Mailwise provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing parameter of the HTTP request.
Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000119http://jvn.jp/en/jp/JVN83739174/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0702https://nvd.nist.gov/vuln/detail/CVE-2018-0702https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:mailwise2019-08-27T13:37+09:002018-11-14T15:34+09:002019-08-27T13:37+09:00Multiple directory traversal vulnerabilities in Cybozu Office
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000120.html
Cybozu Office provided by Cybozu, Inc. contains multiple directory traversal vulnerabilities below.
* Directory traversal vulnerability due to a flaw in processing parameter of the HTTP request (CWE-22) - CVE-2018-0703
* Directory traversal vulnerability due to a flaw in processing parameter when logging out Keitai Screen (CWE-22) - CVE-2018-0704
Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000120http://jvn.jp/en/jp/JVN15232217/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0703https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0704https://nvd.nist.gov/vuln/detail/CVE-2018-0703https://nvd.nist.gov/vuln/detail/CVE-2018-0704https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:office2019-08-27T12:28+09:002018-11-14T15:38+09:002019-08-27T12:28+09:00Cybozu Dezie vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000121.html
Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing parameter of the HTTP request.
Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000121http://jvn.jp/en/jp/JVN16697622/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0705https://nvd.nist.gov/vuln/detail/CVE-2018-0705https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:dezie2019-08-27T12:25+09:002018-11-14T15:42+09:002019-08-27T12:25+09:00Multiple vulnerabilities in Panasonic BN-SDWBP3
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000122.html
BN-SDWBP3 provided by Panasonic Corporation is a Wi-Fi Reader/Writer for SD Memory Cards. BN-SDWBP3 contains multiple vulnerabilities listed below.
* Improper Authentication (CWE-287) - CVE-2018-0676
* OS Command Injection (CWE-78) - CVE-2018-0677
* Buffer Overflow (CWE-119) - CVE-2018-0678
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000122http://jvn.jp/en/jp/JVN65082538/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0676https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0677https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0678https://nvd.nist.gov/vuln/detail/CVE-2018-0676https://nvd.nist.gov/vuln/detail/CVE-2018-0677https://nvd.nist.gov/vuln/detail/CVE-2018-0678https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:panasonic:bn-sdwbp3_firmware2019-08-27T17:46+09:002019-06-28T18:28+09:002019-08-27T17:46+09:00Panasonic applications register unquoted service paths
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000123.html
Some pre-installed applications on Panasonic PCs register Windows services with unquoted file paths (CWE-428).
Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000123https://jvn.jp/en/jp/JVN36895151/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16183https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:panasonic:multiple_computers2019-09-27T10:31+09:002018-11-29T14:45+09:002019-09-27T10:31+09:00Multiple vulnerabilities in RICOH Interactive Whiteboard
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000124.html
RICOH Interactive Whiteboard provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below.
* Command injection (CWE-94) - CVE-2018-16184
* Missing file signature - CVE-2018-16185
* Hard-coded credentials for the administrator settings screen - CVE-2018-16186
* The server certificate is self-signed - CVE-2018-16187
* SQL injection (CWE-89) - CVE-2018-16188
RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000124https://jvn.jp/en/jp/JVN55263945/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16184https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16185https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16186https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16187https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16188https://nvd.nist.gov/vuln/detail/CVE-2018-16184https://nvd.nist.gov/vuln/detail/CVE-2018-16185https://nvd.nist.gov/vuln/detail/CVE-2018-16186https://nvd.nist.gov/vuln/detail/CVE-2018-16187https://nvd.nist.gov/vuln/detail/CVE-2018-16188https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:ricoh:d2200_firmwarecpe:/o:ricoh:d5500_firmwarecpe:/o:ricoh:d5510_firmwarecpe:/o:ricoh:d5520_firmwarecpe:/o:ricoh:d6500_firmwarecpe:/o:ricoh:d6510_firmwarecpe:/o:ricoh:d7500_firmwarecpe:/o:ricoh:d8400_firmware2019-08-27T17:01+09:002018-11-27T15:26+09:002019-08-27T17:01+09:00The installer of MARKET SPEED may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000125.html
The installer of MARKET SPEED provided by Rakuten Securities, Inc. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Takashi Sugawara reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000125https://jvn.jp/en/jp/JVN78422300/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16182https://nvd.nist.gov/vuln/detail/CVE-2018-16182https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:rakuten-sec:market_speed2019-08-28T10:01+09:002018-11-28T17:27+09:002019-08-28T10:01+09:00Multiple vulnerabilities in Cybozu Remote Service
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000126.html
Cybozu Remote Service provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* Upload of arbitrary files in logo setting screen (CWE-434) - CVE-2018-16169
* Directory traversal in used device management screen (CWE-22) - CVE-2018-16170
* Directory traversal in client certificates registration function (CWE-22) - CVE-2018-16171
* Improper countermeasure against clickjacking attack in client certificates management screen (CWE-451) - CVE-2018-16172
Cybozu, Inc. reported CVE-2018-16169 vulnerability to JPCERT/CC to notify users of the solution through JVN.
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported CVE-2018-16170 and CVE-2018-16171 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.
Kanta Nishitani reported CVE-2018-16172 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.JVNDB-2018-000126http://jvn.jp/en/jp/JVN23161885/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16169https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16170https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16171https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16172https://nvd.nist.gov/vuln/detail/CVE-2018-16169https://nvd.nist.gov/vuln/detail/CVE-2018-16170https://nvd.nist.gov/vuln/detail/CVE-2018-16171https://nvd.nist.gov/vuln/detail/CVE-2018-16172https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:remote_service2019-08-27T11:48+09:002018-12-10T14:26+09:002019-08-27T11:48+09:00EC-CUBE vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000127.html
EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains an open redirect vulnerability (CWE-601).
LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000127https://jvn.jp/en/jp/JVN25359688/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16191https://nvd.nist.gov/vuln/detail/CVE-2018-16191https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ec-cube:ec-cube2019-08-28T09:42+09:002018-11-28T17:24+09:002019-08-28T09:42+09:00Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000128.html
Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below.
* Open Redirect (CWE-601) - CVE-2018-0688
* HTTP header injection (CWE-113) - CVE-2018-0689
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000128https://jvn.jp/en/jp/JVN89767228/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0688https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0689https://nvd.nist.gov/vuln/detail/CVE-2018-0688https://nvd.nist.gov/vuln/detail/CVE-2018-0689https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:epson:ds-570wcpe:/a:epson:ds-780ncpe:/a:epson:ep-10vacpe:/a:epson:ep-30vacpe:/a:epson:ep-707acpe:/a:epson:ep-708acpe:/a:epson:ep-709acpe:/a:epson:ep-777acpe:/a:epson:ep-807ab_aw_arcpe:/a:epson:ep-808ab_aw_arcpe:/a:epson:ep-879ab_aw_arcpe:/a:epson:ep-907fcpe:/a:epson:ep-977a3cpe:/a:epson:ep-978a3cpe:/a:epson:ep-979a3cpe:/a:epson:ep-m570tcpe:/a:epson:ew-m5071ftcpe:/a:epson:ew-m660ftcpe:/a:epson:ew-m770tcpe:/a:epson:pf-70cpe:/a:epson:pf-71cpe:/a:epson:pf-81cpe:/a:epson:px-048acpe:/a:epson:px-049acpe:/a:epson:px-437acpe:/a:epson:px-m350fcpe:/a:epson:px-m5040fcpe:/a:epson:px-m5041fcpe:/a:epson:px-m650acpe:/a:epson:px-m650fcpe:/a:epson:px-m680fcpe:/a:epson:px-m7050fcpe:/a:epson:px-m7050fpcpe:/a:epson:px-m7050fxcpe:/a:epson:px-m7070fxcpe:/a:epson:px-m740fcpe:/a:epson:px-m741fcpe:/a:epson:px-m780fcpe:/a:epson:px-m781fcpe:/a:epson:px-m840fcpe:/a:epson:px-m840fxcpe:/a:epson:px-m860fcpe:/a:epson:px-s05b_wcpe:/a:epson:px-s350cpe:/a:epson:px-s5040cpe:/a:epson:px-s7050cpe:/a:epson:px-s7050pscpe:/a:epson:px-s7050xcpe:/a:epson:px-s7070xcpe:/a:epson:px-s740cpe:/a:epson:px-s840cpe:/a:epson:px-s840xcpe:/a:epson:px-s8602019-09-27T09:55+09:002018-12-06T16:19+09:002019-09-27T09:55+09:00Multiple vulnerabilities in i-FILTER
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000129.html
i-FILTER provided by Digital Arts Inc. contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2018-16180
* HTTP header injection (CWE-113) - CVE-2018-16181
Keigo Yamazaki of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000129https://jvn.jp/en/jp/JVN32155106/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16180https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16181https://nvd.nist.gov/vuln/detail/CVE-2018-16180https://nvd.nist.gov/vuln/detail/CVE-2018-16181https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:daj:i-filter2019-08-27T11:45+09:002018-12-07T14:30+09:002019-08-27T11:45+09:00Cybozu Garoon access restriction bypass vulnerability
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000130.html
Single sign-on function of Cybozu Garoon provided by Cybozu, Inc. contains a restriction bypass vulnerability (CWE-284).
Kanta Nishitani reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000130http://jvn.jp/en/jp/JVN25385698/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16178https://nvd.nist.gov/vuln/detail/CVE-2018-16178https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:garoon2019-08-27T16:54+09:002018-12-10T14:14+09:002019-08-27T16:54+09:00Multiple vulnerabilities in Aterm WF1200CR and Aterm WG1200CR
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000131.html
Aterm WF1200CR and Aterm WG1200CR provided by NEC Corporation contain multiple vulnerabilities listed below.
* Information disclosure (CWE-200) - CVE-2018-16192
* Stored cross-site scripting (CWE-79) - CVE-2018-16193
* OS command injection (CWE-78) - CVE-2018-16194
* OS command injection in SOAP interface of UPnP (CWE-78) - CVE-2018-16195
Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000131http://jvn.jp/en/jp/JVN87535892/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16192https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16193https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16194https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16195https://nvd.nist.gov/vuln/detail/CVE-2018-16192https://nvd.nist.gov/vuln/detail/CVE-2018-16193https://nvd.nist.gov/vuln/detail/CVE-2018-16194https://nvd.nist.gov/vuln/detail/CVE-2018-16195https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:nec:aterm_wf1200cr_firmwarecpe:/o:nec:aterm_wg1200cr_firmware2019-08-27T11:33+09:002018-12-14T14:53+09:002019-08-27T11:33+09:00Multiple vulnerabilities in Toshiba Lighting & Technology Corporation Home gateway
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000132.html
Home gateway provided by Toshiba Lighting & Technology Corporation contains multiple vulnerabilities listed below.
* Improper access control (CWE-284) - CVE-2018-16197
* Hidden functionality (CWE-912) - CVE-2018-16198
* Cross-site scripting (CWE-79) - CVE-2018-16199
* OS command injection (CWE-78) - CVE-2018-16200
* Hard-coded credentials (CWE-798) - CVE-2018-16201
The following researchers reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2018-16197
Toshitsugu Yoneyama, Yutaka Kokubu, and Daiki Ichinose of Mitsui Bussan Secure Directions, Inc.
CVE-2018-16198, CVE-2018-16199
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
CVE-2018-16200, CVE-2018-16201
Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.JVNDB-2018-000132http://jvn.jp/en/jp/JVN99810718/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16197https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16198https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16199https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16200https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16201https://nvd.nist.gov/vuln/detail/CVE-2018-16197https://nvd.nist.gov/vuln/detail/CVE-2018-16198https://nvd.nist.gov/vuln/detail/CVE-2018-16199https://nvd.nist.gov/vuln/detail/CVE-2018-16200https://nvd.nist.gov/vuln/detail/CVE-2018-16201https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:toshiba:hem-gw16a_firmwarecpe:/o:toshiba:hem-gw26a_firmware2019-08-28T10:45+09:002018-12-19T15:20+09:002019-08-28T10:45+09:00cordova-plugin-ionic-webview vulnerable to path traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000133.html
cordova-plugin-ionic-webview provided by npm, Inc. contains a path traversal vulnerability (CWE-22).
This vulnerability was first reported to npm, Inc. by the below reporters then also reported to IPA. Based on the coordination request made by the reporters, JPCERT/CC coordinated with npm, Inc. and published this advisory on JVN.
Reporters: Tatsuya Sakamto and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.JVNDB-2018-000133http://jvn.jp/en/jp/JVN69812763/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16202https://nvd.nist.gov/vuln/detail/CVE-2018-16202https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ionic:cordova-plugin-ionic-webview2019-08-28T10:04+09:002018-12-21T14:17+09:002019-08-28T10:04+09:00PgpoolAdmin fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000134.html
PgpoolAdmin provided by PgPool Global Development Group fails to restrict access permissions (CWE-264).
Fotios Rogkotis of DarkMatter reported this vulnerability to PgPool Global Development Group, and PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.JVNDB-2018-000134http://jvn.jp/en/jp/JVN13199224/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16203https://nvd.nist.gov/vuln/detail/CVE-2018-16203https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:pgpool:pgpooladmin2019-08-27T17:41+09:002018-12-21T14:10+09:002019-08-27T17:41+09:00WordPress plugin "Google XML Sitemaps" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000135.html
The WordPress plugin "Google XML Sitemaps" provided by Arne Brachhold contains a stored cross-site scripting vulnerability (CWE-79).
takagisan reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000135https://jvn.jp/en/jp/JVN27052429/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16204https://nvd.nist.gov/vuln/detail/CVE-2018-16204https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:arnebrachhold:google_xml_sitemaps2019-08-27T15:12+09:002018-12-25T16:19+09:002019-08-27T15:12+09:00Installer of Mapping Tool may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000136.html
Installer of Mapping Tool provided by Japan Atomic Energy Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Takashi Sugawara reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000136https://jvn.jp/en/jp/JVN33677949/index.htmlhttps://jvn.jp/en/ta/JVNTA91240916/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16176https://nvd.nist.gov/vuln/detail/CVE-2018-16176https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:jaea:mapping_tool2019-08-27T16:36+09:002018-12-25T16:18+09:002019-08-27T16:36+09:00GROWI vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000137.html
GROWI provided by WESEEK, Inc. contains a cross-site scripting vulnerability (CWE-79).
The settings option for enabling and disabling the measures against cross-site scripting ("Enable XSS prevention" option) was introduced in v3.1.12. However, there was an issue with the implementation where the option looks enabled although the measures are disabled. This vulnerability was addressed in v3.2.4 according to the developer.
Takashi Yoneuchi of The University of Tokyo College of Arts and Sciences reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2018-000137https://jvn.jp/en/jp/JVN96493183/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0698https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16205https://nvd.nist.gov/vuln/detail/CVE-2018-0698https://nvd.nist.gov/vuln/detail/CVE-2018-16205https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:weseek:growi2019-08-27T15:07+09:002018-12-26T16:36+09:002019-08-27T15:07+09:00ArsenoL vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000900.html
ArsenoL provided by FlaFla... is software that can be downloaded from the Internet. ArsenoL is dictionary software that is placed on a website and used to post words and their meanings. ArsenoL contains a cross-site scripting vulnerability (CWE-79) where an arbitrary script may be executed when the victim accesses a malicious page created by an attacker.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000900https://jvn.jp/en/jp/JVN30864198/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0534https://nvd.nist.gov/vuln/detail/CVE-2018-0534https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:arsenol_project:arsenol2018-06-14T13:58+09:002018-03-13T16:46+09:002018-06-14T13:58+09:00QQQ SYSTEMS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000901.html
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability (CWE-79).
When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed on the user's browser.
Note that this vulnerability is different from both JVN#96655441 and JVN#46471407.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000901https://jvn.jp/en/jp/JVN64990648/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0536https://nvd.nist.gov/vuln/detail/CVE-2018-0536https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:qqq_systems_project:qqq_systems2018-06-14T12:31+09:002018-03-13T16:43+09:002018-06-14T12:31+09:00QQQ SYSTEMS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000902.html
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz_op.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability (CWE-79).
When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed on the user's browser.
Note that this vulnerability is different from both JVN#64990648 and JVN#46471407.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000902http://jvn.jp/en/jp/JVN96655441/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0537https://nvd.nist.gov/vuln/detail/CVE-2018-0537https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:qqq_systems_project:qqq_systems2018-06-14T13:39+09:002018-03-13T16:43+09:002018-06-14T13:39+09:00QQQ SYSTEMS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000903.html
QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. QQQ SYSTEMS contains a stored cross-site scripting vulnerability (CWE-79).
When an administrative user of the software accesses a malicious page created by an attacker, an arbitrary script may be executed.
Note that this vulnerability is different from both JVN#64990648 and JVN#96655441.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000903http://jvn.jp/en/jp/JVN46471407/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0538https://nvd.nist.gov/vuln/detail/CVE-2018-0538https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:qqq_systems_project:qqq_systems2018-06-14T14:03+09:002018-03-13T16:43+09:002018-06-14T14:03+09:00PHP 2chBBS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000904.html
PHP 2chBBS provided by Kagaminokuni is software that can be downloaded from the Internet. PHP 2chBBS is bulletin board software that can be used by placing it on a website. PHP 2chBBS contains a cross-site scripting vulnerability (CWE-79).
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000904https://jvn.jp/en/jp/JVN48774168/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0535https://nvd.nist.gov/vuln/detail/CVE-2018-0535https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:php_2chbbs_project:php_2chbbs2018-06-14T13:55+09:002018-03-13T16:47+09:002018-06-14T13:55+09:00ViX may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000905.html
ViX provided by K_OKADA is a Graphics Viewer Software for Windows. ViX contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries contained in the same directory as an image file (CWE-427).
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000905http://jvn.jp/en/jp/JVN56764650/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0540https://nvd.nist.gov/vuln/detail/CVE-2018-0540https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:vix_project:vix2018-06-14T13:52+09:002018-03-13T16:48+09:002018-06-14T13:52+09:00TinyFTP Daemon vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000906.html
TinyFTP Daemon provided by Hisayuki Nomura is an FTP (File Transfer Protocol) server. TinyFTP Daemon contains a buffer overflow vulnerability (CWE-121).
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate
JVNDB-2018-000906http://jvn.jp/en/jp/JVN92259864/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0541https://nvd.nist.gov/vuln/detail/CVE-2018-0541https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:tinyftp_project:tinyftp2018-06-14T14:12+09:002018-03-13T16:48+09:002018-06-14T14:12+09:00QQQ SYSTEMS vulnerable to arbitrary command injection
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000907.html
QQQ SYSTEMS provided by Gundam Cult QQQ is a Perl CGI script to create quiz pages. QQQ SYSTEMS contains an OS command injection vulnerability (CWE-78).
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000907http://jvn.jp/en/jp/JVN22536871/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0539https://nvd.nist.gov/vuln/detail/CVE-2018-0539https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:qqq_systems_project:qqq_systems2018-06-14T13:53+09:002018-03-13T16:43+09:002018-06-14T13:53+09:00WebProxy vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000908.html
WebProxy provided by LunarNight Laboratory is software for creating a proxy server. WebProxy contains a directory traversal vulnerability (CWE-22) due to a flaw in processing certain requests.
During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriateJVNDB-2018-000908http://jvn.jp/en/jp/JVN87226910/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0542https://nvd.nist.gov/vuln/detail/CVE-2018-0542https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ln-lab:webproxy2018-06-14T13:51+09:002018-03-13T16:48+09:002018-06-14T13:51+09:00Multiple Vulnerabilities in Hitachi Command Suite
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-001388.html
Multiple vulnerabilities have been found in Hitachi Command Suite.
* Cross-site Scripting
* Open RedirectJVNDB-2018-001388https://cwe.mitre.org/data/definitions/601.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:device_managercpe:/a:hitachi:replication_manager2018-03-01T15:20+09:002018-02-14T14:58+09:002018-03-01T15:20+09:00XXE Vulnerability in Hitachi Device Manager
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-001389.html
An XXE (XML External Entity) Vulnerability was found in Hitachi Device Manager.
This vulnerability only affects the Linux cluster environment.JVNDB-2018-001389https://cwe.mitre.org/data/definitions/611.htmlcpe:/a:hitachi:device_manager2018-03-01T15:20+09:002018-02-14T14:59+09:002018-03-01T15:20+09:00DoS Vulnerability in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-002257.html
A DoS Vulnerability was found in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager (Deployment Manager Plug-in). JVNDB-2018-002257https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:jp1_serverconductor_deployment_managercpe:/a:hitachi:serverconductor_deployment_manager2018-04-10T10:55+09:002018-04-05T10:22+09:002018-04-10T10:55+09:00Access Control Vulnerability in Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-003030.html
An Access Control Vulnerability was found in Hitachi Infrastructure Analytics Advisor.JVNDB-2018-003030https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:infrastructure_analytics_advisor2018-07-31T12:12+09:002018-05-10T15:30+09:002018-07-31T12:12+09:00Information Disclosure Vulnerability in Hitachi Automation Director
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-003553.html
An Information Disclosure Vulnerability was found in Hitachi Automation Director.JVNDB-2018-003553https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_director2018-07-31T12:16+09:002018-05-28T12:13+09:002018-07-31T12:16+09:00Information Disclosure Vulnerability in Hitachi Command Suite
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-006236.html
An Information Disclosure Vulnerability was found in Hitachi Command Suite.JVNDB-2018-006236https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14735https://nvd.nist.gov/vuln/detail/CVE-2018-14735https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:device_managercpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-07-24T17:02+09:002018-08-14T10:04+09:002019-07-24T17:02+09:00Path Traversal Vulnerability in JP1/Automatic Operation
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-006459.html
A Path Traversal Vulnerability was found in JP1/Automatic Operation.
JVNDB-2018-006459https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:jp1_automatic_operation2018-08-22T17:11+09:002018-08-22T17:11+09:002018-08-22T17:11+09:00Path Traversal Vulnerability in Hitachi Automation Director
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-006460.html
A Path Traversal Vulnerability was found in Hitachi Automation Director.
JVNDB-2018-006460https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_director2018-08-22T17:11+09:002018-08-22T17:11+09:002018-08-22T17:11+09:00Clickjacking Vulnerability in Hitachi Device Manager
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-008547.html
A Clickjacking Vulnerability was found in Hitachi Device Manager.
JVNDB-2018-008547https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:device_manager2018-11-20T18:14+09:002018-10-23T13:53+09:002018-11-20T18:14+09:00Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-008573.html
Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor.
JVNDB-2018-008573https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613https://nvd.nist.gov/vuln/detail/CVE-2018-1000613https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:infrastructure_analytics_advisor2018-11-20T18:15+09:002018-10-23T15:15+09:002018-11-20T18:15+09:00Multiple Vulnerabilities in JP1/VERITAS
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-009328.html
Multiple vulnerabilities have been found in JP1/VERITAS.
JVNDB-2018-009328https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:jp1_veritas_netbackupcpe:/a:veritas:netbackup2018-11-20T18:16+09:002018-11-15T17:16+09:002018-11-20T18:16+09:00Mizuho Bank Mizuho Direct App for Android fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-009387.html
Mizuho Bank Mizuho Direct App for Android fails to verify SSL server certificates.
Mizuho Bank Mizuho Direct App for Android provided by Mizuho Bank, Ltd. fails to verify SSL server certificates (CWE-295).
Reo Yoshida reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
JVNDB-2018-009387http://jvn.jp/en/vu/JVNVU91640357/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16179https://nvd.nist.gov/vuln/detail/CVE-2018-16179https://cwe.mitre.org/data/definitions/295.htmlcpe:/a:mizuhobank:mizuho_direct_application2019-08-27T16:48+09:002018-11-19T15:44+09:002019-08-27T16:48+09:00Problem with directory permissions in JP1/Operations Analytics
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-010027.html
A problem with directory permissions was found in JP1/Operations Analytics.
JVNDB-2018-010027https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:jp1_operation_analytics2019-01-24T18:36+09:002018-12-04T16:53+09:002019-01-24T18:36+09:00Multiple Vulnerabilities in Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-010028.html
Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor.
JVNDB-2018-010028https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:infrastructure_analytics_advisor2019-01-24T18:35+09:002018-12-04T16:53+09:002019-01-24T18:35+09:00Clickjacking Vulnerability in Hitachi Automation Director
https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-010851.html
A Clickjacking Vulnerability was found in Hitachi Automation Director.
JVNDB-2018-010851https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_director2019-01-24T18:37+09:002018-12-26T12:09+09:002019-01-24T18:37+09:00