JVNDB RSS Feed - 2019 Years Entry
https://jvndb.jvn.jp/en/
JVN iPedia Yearly Entry
2024-03-24T09:10:24+09:00 2024-03-24T09:10:24+09:00

WordPress plugin "spam-byebye" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000001.html
The WordPress plugin "spam-byebye" contains a reflected cross-site scripting vulnerability (CWE-79).
qw3rTyTy reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000001
https://jvn.jp/en/jp/JVN58010349/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16206
https://nvd.nist.gov/vuln/detail/CVE-2018-16206
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ohtanz:spam-byebye
2019-08-28T09:54+09:00 2019-01-10T15:45+09:00 2019-08-28T09:54+09:00

HOUSE GATE App for iOS vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000003.html
HOUSE GATE App for iOS provided by HOUSE GATE inc. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability (CWE-22, CVE-2018-16202).
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000003
https://jvn.jp/en/jp/JVN98505783/index.html
https://jvn.jp/en/jp/JVN69812763/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5910
https://nvd.nist.gov/vuln/detail/CVE-2019-5910
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:housegate:house_gate
2019-01-24T15:37+09:00 2019-01-24T15:37+09:00 2019-01-24T15:37+09:00

UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000004.html
UNLHA32.DLL, UNARJ32.DLL, LHMelting and LMLzh32.DLL provided by Micco contain vulnerabilities listed below.
* Self-Extracting Archives created by UNLHA32.DLL may insecurely load Dynamic Link Libraries (CWE-427) - CVE-2018-16189
* Insecurely load specific DLL file in the same directory (CWE-427) - CVE-2018-16190
Eili Masami reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000004
https://jvn.jp/en/jp/JVN52168232/index.html
https://jvn.jp/en/ta/JVNTA91240916/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16190
https://nvd.nist.gov/vuln/detail/CVE-2018-16189
https://nvd.nist.gov/vuln/detail/CVE-2018-16190
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:micco:lhmelting
cpe:/a:micco:micco_lmlzh32dll
cpe:/a:micco:unarj32.dll
cpe:/a:micco:unlha32.dll
2019-09-26T18:08+09:00 2019-01-31T15:46+09:00 2019-09-26T18:08+09:00

The installers of UNLHA32.DLL, UNARJ32.DLL and LHMelting may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000005.html
The installers of UNLHA32.DLL, UNARJ32.DLL and LHMelting provided by Micco use the old version of Self-Extracting Archives created by UNLHA32.DLL.
They contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427, CVE-2018-16189).
Eili Masami reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000005
https://jvn.jp/en/jp/JVN83826673/index.html
https://jvn.jp/en/jp/JVN52168232/index.html
https://jvn.jp/en/ta/JVNTA91240916/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5913
https://nvd.nist.gov/vuln/detail/CVE-2019-5911
https://nvd.nist.gov/vuln/detail/CVE-2019-5912
https://nvd.nist.gov/vuln/detail/CVE-2019-5913
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:micco:lhmelting
cpe:/a:micco:unarj32.dll
cpe:/a:micco:unlha32.dll
2019-08-28T12:08+09:00 2019-01-31T15:35+09:00 2019-08-28T12:08+09:00

POWER EGG vulnerability where EL expression may be executed
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000006.html
POWER EGG provided by D-CIRCLE inc. is an integrated collaboration tool. POWER EGG contains a vulnerability where an arbitrary EL expression may be executed (CWE-20).
Touma Hatano reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000006
https://jvn.jp/en/jp/JVN63860183/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5916
https://nvd.nist.gov/vuln/detail/CVE-2019-5916
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:d-circle:power_egg
2019-09-26T18:05+09:00 2019-02-05T14:09+09:00 2019-09-26T18:05+09:00

OpenAM (Open Source Edition) vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000007.html
OpenAM (Open Source Edition) contains an open redirect vulnerability.
Norihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developers.
JVNDB-2019-000007
https://jvn.jp/en/jp/JVN43193964/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5915
https://nvd.nist.gov/vuln/detail/CVE-2019-5915
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:osstech:openam
2019-08-28T11:00+09:00 2019-02-06T15:45+09:00 2019-08-28T11:00+09:00

A vulnerability in V20 PRO L-01J that may cause a crash
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000008.html
V20 PRO L-01J provided by NTT DOCOMO, INC. is an Android smartphone. V20 PRO L-01J contains a flaw in processing connections using Wi-Fi CERTIFIED Passpoint, which may cause the device to crash when Passpoint is enabled.
Hiroyuki Harada of Sapporo Gakuin University, Masashi Honma of Sole Proprietorship, and Hideaki Goto of Tohoku University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000008
http://jvn.jp/en/jp/JVN40439414/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5914
https://nvd.nist.gov/vuln/detail/CVE-2019-5914
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:nttdocomo:v20_pro_l-01j_firmware
2019-02-12T17:23+09:00 2019-02-12T17:23+09:00 2019-02-12T17:23+09:00

Installer of Adobe Creative Cloud Desktop Application may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000009.html
Installer of Creative Cloud Desktop Application provided by Adobe contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Tomohisa Hasegawa of Canon Marketing Japan Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000009
https://jvn.jp/en/jp/JVN50810870/index.html
https://jvn.jp/en/ta/JVNTA91240916/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7093
https://nvd.nist.gov/vuln/detail/CVE-2019-7093
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:adobe:creative_cloud
2019-10-01T10:15+09:00 2019-02-18T15:16+09:00 2019-10-01T10:15+09:00

azure-umqtt-c vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000010.html
azure-umqtt-c contains a denial-of-service (DoS) vulnerability (CWE-400).
Masataka Sakaguchi, Bintatsu Noda and Hisashi Kojima of FUJITSU LABORATORIES LTD. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000010
http://jvn.jp/en/jp/JVN05875753/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5917
https://nvd.nist.gov/vuln/detail/CVE-2019-5917
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:misc:microsoft_japan_co_ltd_azure-umqtt-c
2019-02-20T16:59+09:00 2019-02-20T16:59+09:00 2019-02-20T16:59+09:00

WordPress plugin "FormCraft" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000011.html
The WordPress plugin "FormCraft" provided by nCrafts contains a cross-site request forgery vulnerability (CWE-352).
Masaki Saito of TDU Cryptography Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000011
https://jvn.jp/en/jp/JVN83501605/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5920
https://nvd.nist.gov/vuln/detail/CVE-2019-5920
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ncrafts:formcraft
2019-09-27T10:12+09:00 2019-02-26T14:46+09:00 2019-09-27T10:12+09:00

Multiple vulnerabilities in Nablarch
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000012.html
Nablarch provided by TIS Inc. contains multiple vulnerabilities listed below.
* The vulnerability in the function of generic formatter by XXE attacks (CWE-611) - CVE-2019-5918
* An incomplete cryptography of the data store function by using hidden tag (CWE-310) - CVE-2019-5919
TIS Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and TIS Inc. coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000012
https://jvn.jp/en/jp/JVN56542712/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5919
https://nvd.nist.gov/vuln/detail/CVE-2019-5918
https://nvd.nist.gov/vuln/detail/CVE-2019-5919
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:nablarch_project:nablarch
2019-09-27T10:15+09:00 2019-02-27T17:14+09:00 2019-09-27T10:15+09:00

Windows 7 may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000013.html
In standard DLL files provided by Windows 7, there are some DLL files read from the same directory where the program resides when executing the program (CWE-427).
Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting", thus there is no plan to release any security updates for Windows 7 to address this issue.
For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.
Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000013
https://jvn.jp/en/ta/JVNTA91240916/
https://jvn.jp/en/jp/JVN69181574/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5921
https://nvd.nist.gov/vuln/detail/CVE-2019-5921
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:microsoft:windows_7
2019-09-27T10:09+09:00 2019-02-28T15:52+09:00 2019-09-27T10:09+09:00

The installer of Microsoft Teams may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000014.html
The installer of Microsoft Teams contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Microsoft states that the root cause of this vulnerability is "Application Directory (App Dir) DLL planting", thus there is no plan to release any security updates to address this issue.
For details, refer to "Application Directory (App Dir) DLL planting" released by Microsoft.
Asuka Nakajima of NTT Secure Platform Laboratories reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000014
http://jvn.jp/en/jp/JVN79543573/index.html
https://jvn.jp/en/ta/JVNTA91240916/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5922
https://nvd.nist.gov/vuln/detail/CVE-2019-5922
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:microsoft:teams
2020-04-01T16:55+09:00 2019-04-02T14:18+09:00 2020-04-01T16:55+09:00

iChain Insurance Wallet App for iOS vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000015.html
iChain Insurance Wallet App for iOS provided by iChain, Inc. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability (CWE-22, CVE-2018-16202).
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000015
https://jvn.jp/en/jp/JVN11622218/index.html
https://jvn.jp/en/jp/JVN69812763/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5923
https://nvd.nist.gov/vuln/detail/CVE-2019-5923
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ichain:insurance_wallet
2019-09-27T10:04+09:00 2019-03-12T14:28+09:00 2019-09-27T10:04+09:00

WordPress plugin "Smart Forms" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000016.html
The WordPress plugin "Smart Forms" provided by RedNao contains a cross-site request forgery vulnerability (CWE-352).
Masaki Saito of TDU Cryptography Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000016
https://jvn.jp/en/jp/JVN97656108/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5924
https://nvd.nist.gov/vuln/detail/CVE-2019-5924
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:rednao:smart_forms
2019-09-27T09:59+09:00 2019-02-28T15:57+09:00 2019-09-27T09:59+09:00

Dradis Community Edition and Dradis Professional Edition vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000017.html
Dradis Community Edition and Dradis Professional Edition provided by Security Roots Ltd contain a cross-site scripting vulnerability (CWE-79).
Ohji Kashiwazaki of Ierae Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000017
https://jvn.jp/en/jp/JVN40288903/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5925
https://nvd.nist.gov/vuln/detail/CVE-2019-5925
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:dradisframework:dradis
2019-09-27T09:54+09:00 2019-03-05T14:18+09:00 2019-09-27T09:54+09:00

"an" App for iOS vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000018.html
"an" App for iOS provided by PERSOL CAREER CO., LTD. uses the old version of cordova-plugin-ionic-webview, and inherits a directory traversal vulnerability (CWE-22, CVE-2018-16202).
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000018
https://jvn.jp/en/jp/JVN60497148/index.html
https://jvn.jp/en/jp/JVN69812763/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5927
https://nvd.nist.gov/vuln/detail/CVE-2019-5927
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:weban:an
2019-09-26T17:56+09:00 2019-03-19T15:51+09:00 2019-09-26T17:56+09:00

KinagaCMS vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000019.html
KinagaCMS is an open source Content Management System (CMS). KinagaCMS uses the old version of Bootstrap and thus inherits multiple cross-site scripting vulnerabilities (CWE-79: CVE-2018-14040, CVE-2018-14041, CVE-2019-8331) that existed in Bootstrap.
Project Kinaga reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Project Kinaga coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000019
https://jvn.jp/en/jp/JVN06527859/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5926
https://nvd.nist.gov/vuln/detail/CVE-2019-5926
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:kinagacms_project:kinagacms
2019-09-26T17:10+09:00 2019-03-15T17:03+09:00 2019-09-26T17:10+09:00

PowerAct Pro Master Agent for Windows fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000020.html
PowerAct Pro Master Agent for Windows provided by OMRON SOCIAL SOLUTIONS Co.,Ltd. fails to restrict access permissions.
Hosono, Akane reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000020
https://jvn.jp/en/jp/JVN63981842/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16207
https://nvd.nist.gov/vuln/detail/CVE-2018-16207
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:omron_socilal_solutions:poweract_pro_master_agent
2019-09-27T10:38+09:00 2019-03-27T14:41+09:00 2019-09-27T10:38+09:00

API server used by JR East Japan train operation information push notification App for Android fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000021.html
JR East Japan train operation information push notification App for Android provided by East Japan Railway Company fails to restrict access permissions (CWE-284).
The application is no longer available/supported, and its service ended on March 23, 2019.
Tomoya Takahashi of TCU Communication engineering Club reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000021
https://jvn.jp/en/jp/JVN01119243/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5954
https://nvd.nist.gov/vuln/detail/CVE-2019-5954
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:jreast:jreast_trainserviceinfo
2019-04-01T15:42+09:00 2019-04-01T15:42+09:00 2019-04-01T15:42+09:00

GNU Wget vulnerable to buffer overflow
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000022.html
GNU Wget contains a buffer overflow vulnerability (CWE-119).
Kusano Kazuhiko reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000022
https://jvn.jp/en/jp/JVN25261088/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953
https://nvd.nist.gov/vuln/detail/CVE-2019-5953
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:gnu:wget
2019-09-30T18:08+09:00 2019-04-03T14:58+09:00 2019-09-30T18:08+09:00

Multiple vulnerabilities in Cybozu Garoon
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000023.html
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* Cross-site scripting in the additional processing of Customize Item function (CWE-79) - CVE-2019-5928
* Cross-site scripting in the application "Memo" (CWE-79) - CVE-2019-5929
* Browse restriction bypass in the application "Management of Basic System" (CWE-264) - CVE-2019-5930
* Improper verification of file path in installer (CWE-20) - CVE-2019-5931
* Stored cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5932
* Browse restriction bypass in the application "Bulletin" (CWE-284) - CVE-2019-5933
* SQL injection in the Log Search function of application "logging" (CWE-89) - CVE-2019-5934
* Operation restriction bypass in the Item function of User Information (CWE-264) - CVE-2019-5935
* Directory traversal in the application "Work Flow" (CWE-22) - CVE-2019-5936
* Cross-site scripting in the user information (CWE-79) - CVE-2019-5937
* Stored cross-site scripting in the application "Mail" (CWE-79) - CVE-2019-5938
* Cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5939
* Cross-site scripting in the application "Scheduler" (CWE-79) - CVE-2019-5940
* Operation restriction bypass in the application "Multi Report" (CWE-264) - CVE-2019-5941
* Browse restriction bypass in the Multiple Files Download function of application "Cabinet" (CWE-284) - CVE-2019-5942
* Browse restriction bypass in the application "Bulletin" and the application "Cabinet" (CWE-284) - CVE-2019-5943
* Operation restriction bypass in the application "Address" (CWE-264) - CVE-2019-5944
* Information disclosure in the authentication of Cybozu Garoon (CWE-287) - CVE-2019-5945
* Open redirect in the Login Screen (CWE-601) - CVE-2019-5946
* Cross-site scripting in the application "Cabinet" (CWE-79) - CVE-2019-5947
* Server-side request forgery in the V-CUBE Meeting function (CWE-918) - CVE-2020-5562
Cybozu, Inc. reported the following vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
* CVE-2019-5928, CVE-2019-5930, CVE-2019-5931, CVE-2019-5932, CVE-2019-5935, CVE-2019-5936, CVE-2019-5942 and CVE-2019-5947 by Cybozu, Inc.
* CVE-2019-5929, CVE-2019-5937, CVE-2019-5938, CVE-2019-5939 and CVE-2019-5940 by Masato Kinugawa
* CVE-2019-5933, CVE-2019-5941 and CVE-2019-5946 by Yuji Tounai
* CVE-2019-5934 and CVE-2019-5945 by Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
* CVE-2019-5943 by ixama
* CVE-2019-5944 by Tanghaifeng
* CVE-2020-5562 by Kanta Nishitani
JVNDB-2019-000023
https://jvn.jp/en/jp/JVN58849431/index.html
https://www.cve.org/CVERecord?id=CVE-2020-5562
https://www.cve.org/CVERecord?id=CVE-2019-5928
https://www.cve.org/CVERecord?id=CVE-2019-5929
https://www.cve.org/CVERecord?id=CVE-2019-5930
https://www.cve.org/CVERecord?id=CVE-2019-5931
https://www.cve.org/CVERecord?id=CVE-2019-5932
https://www.cve.org/CVERecord?id=CVE-2019-5933
https://www.cve.org/CVERecord?id=CVE-2019-5934
https://www.cve.org/CVERecord?id=CVE-2019-5935
https://www.cve.org/CVERecord?id=CVE-2019-5936
https://www.cve.org/CVERecord?id=CVE-2019-5937
https://www.cve.org/CVERecord?id=CVE-2019-5938
https://www.cve.org/CVERecord?id=CVE-2019-5939
https://www.cve.org/CVERecord?id=CVE-2019-5940
https://www.cve.org/CVERecord?id=CVE-2019-5941
https://www.cve.org/CVERecord?id=CVE-2019-5942
https://www.cve.org/CVERecord?id=CVE-2019-5943
https://www.cve.org/CVERecord?id=CVE-2019-5944
https://www.cve.org/CVERecord?id=CVE-2019-5945
https://www.cve.org/CVERecord?id=CVE-2019-5946
https://www.cve.org/CVERecord?id=CVE-2019-5947
https://nvd.nist.gov/vuln/detail/CVE-2019-5928
https://nvd.nist.gov/vuln/detail/CVE-2019-5929
https://nvd.nist.gov/vuln/detail/CVE-2019-5930
https://nvd.nist.gov/vuln/detail/CVE-2019-5931
https://nvd.nist.gov/vuln/detail/CVE-2019-5932
https://nvd.nist.gov/vuln/detail/CVE-2019-5933
https://nvd.nist.gov/vuln/detail/CVE-2019-5934
https://nvd.nist.gov/vuln/detail/CVE-2019-5935
https://nvd.nist.gov/vuln/detail/CVE-2019-5936
https://nvd.nist.gov/vuln/detail/CVE-2019-5937
https://nvd.nist.gov/vuln/detail/CVE-2019-5938
https://nvd.nist.gov/vuln/detail/CVE-2019-5939
https://nvd.nist.gov/vuln/detail/CVE-2019-5940
https://nvd.nist.gov/vuln/detail/CVE-2019-5941
https://nvd.nist.gov/vuln/detail/CVE-2019-5942
https://nvd.nist.gov/vuln/detail/CVE-2019-5943
https://nvd.nist.gov/vuln/detail/CVE-2019-5944
https://nvd.nist.gov/vuln/detail/CVE-2019-5945
https://nvd.nist.gov/vuln/detail/CVE-2019-5946
https://nvd.nist.gov/vuln/detail/CVE-2019-5947
https://nvd.nist.gov/vuln/detail/CVE-2020-5562
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:cybozu:garoon
2023-11-08T16:39+09:00 2019-04-25T17:13+09:00 2023-11-08T16:39+09:00

CREATE SD official App for Android fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000024.html
CREATE SD official App for Android provided by CREATE SD CO., LTD. implements the function to access a requested URL using an Intent. This function contains an improper access control vulnerability (CWE-284) that may allow the vulnerable App to receive an Intent from an arbitrary App and to access an arbitrary URL requested by an Intent.
Norio Abe reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000024
https://jvn.jp/en/jp/JVN87655507/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5955
https://nvd.nist.gov/vuln/detail/CVE-2019-5955
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:create-sd:create_sd
2019-12-27T18:07+09:00 2019-05-10T13:55+09:00 2019-12-27T18:07+09:00

Installer of Electronic reception and examination of application for radio licenses Online may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000025.html
Installer of Electronic reception and examination of application for radio licenses Online contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
JVNDB-2019-000025
https://jvn.jp/en/ta/JVNTA91240916/
https://jvn.jp/en/jp/JVN91361851/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5957
https://nvd.nist.gov/vuln/detail/CVE-2019-5957
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:soumu:electronic_reception_and_examination_of_application_for_radio_licenses
2019-10-01T10:11+09:00 2019-05-10T14:49+09:00 2019-10-01T10:11+09:00

Electronic reception and examination of application for radio licenses Offline may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000026.html
Electronic reception and examination of application for radio licenses Offline contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
JVNDB-2019-000026
https://jvn.jp/en/ta/JVNTA91240916/
https://jvn.jp/en/jp/JVN69903953/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5958
https://nvd.nist.gov/vuln/detail/CVE-2019-5958
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:soumu:electronic_reception_and_examination_of_application_for_radio_licenses
2019-10-01T10:08+09:00 2019-05-10T14:55+09:00 2019-10-01T10:08+09:00

Apache Camel vulnerable to XML external entity injection (XXE)
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000027.html
Apache Camel provided by The Apache Software Foundation contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library.
Takayoshi Isayama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000027
https://jvn.jp/en/jp/JVN71498764/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0188
https://nvd.nist.gov/vuln/detail/CVE-2019-0188
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:apache:camel
2019-09-30T18:14+09:00 2019-05-22T14:37+09:00 2019-09-30T18:14+09:00

WordPress plugin "WP Open Graph" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000028.html
WordPress plugin "WP Open Graph" provided by Custom4Web contains a cross-site request forgery vulnerability (CWE-352).
Koichi Kuriyama of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000028
https://jvn.jp/en/jp/JVN33652328/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5960
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:custom4web:wp_open_graph
2019-10-01T11:11+09:00 2019-05-23T14:10+09:00 2019-10-01T11:11+09:00

Android App "Tootdon for Mastodon" fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000029.html
Android App "Tootdon for Mastodon" provided by Tsukurito, Inc. fails to verify SSL server certificates (CWE-295).
Gomasy reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000029
https://jvn.jp/en/jp/JVN57806517/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5961
https://nvd.nist.gov/vuln/detail/CVE-2019-5961
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:mastodon-tootdon:tootdon_for_mastodon
2019-10-04T15:50+09:00 2019-05-24T15:13+09:00 2019-10-04T15:50+09:00

Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000030.html
WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2019-5962
* Cross-site Request Forgery (CWE-352) - CVE-2019-5963
Kouhei Ikeda of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000030
https://jvn.jp/en/jp/JVN88962935/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5963
https://nvd.nist.gov/vuln/detail/CVE-2019-5962
https://nvd.nist.gov/vuln/detail/CVE-2019-5963
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:zohocorp:zoho_salesiq
2019-10-01T10:54+09:00 2019-05-31T13:51+09:00 2019-10-01T10:54+09:00

Multiple vulnerabilities in Joruri Mail
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000031.html
Joruri Mail provided by SiteBridge Inc. contains multiple vulnerabilities listed below.
* Open Redirect (CWE-601) - CVE-2019-5965
* Session Management (CWE-639) - CVE-2019-5966
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000031
https://jvn.jp/en/jp/JVN58052567/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5966
https://nvd.nist.gov/vuln/detail/CVE-2019-5965
https://nvd.nist.gov/vuln/detail/CVE-2019-5966
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:joruri:joruri_mail
2019-10-01T10:50+09:00 2019-06-07T15:03+09:00 2019-10-01T10:50+09:00

Joruri CMS 2017 vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000032.html
Joruri CMS 2017 provided by SiteBridge Inc. contains a cross-site scripting vulnerability (CWE-79).
Yuji Tounai of Mercari, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000032
https://jvn.jp/en/jp/JVN29188908/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5967
https://nvd.nist.gov/vuln/detail/CVE-2019-5967
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:joruri:joruri_cms_2017
2019-10-02T17:53+09:00 2019-06-07T15:09+09:00 2019-10-02T17:53+09:00

Multiple vulnerabilities in GROWI
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000033.html
GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below.
* Cross-site request forgery vulnerability in the process of updating user's "Basic Info" (CWE-352) - CVE-2019-5968
* Open redirect vulnerability in the process of login (CWE-601) - CVE-2019-5969
Security Group of DeCurret Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000033
https://jvn.jp/en/jp/JVN84876282/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5969
https://nvd.nist.gov/vuln/detail/CVE-2019-5968
https://nvd.nist.gov/vuln/detail/CVE-2019-5969
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:weseek:growi
2019-10-01T10:46+09:00
2019-06-07T15:18+09:00
2019-10-01T10:46+09:00

Multiple vulnerabilities in WordPress Plugin "Attendance Manager"
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000034.html
WordPress Plugin "Attendance Manager" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability (CWE-79) - CVE-2019-5970
* Cross-site request forgery vulnerability (CWE-352) - CVE-2019-5971
Natsumi Matsuoka of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on her own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000034
https://jvn.jp/en/jp/JVN95685939/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5971
https://nvd.nist.gov/vuln/detail/CVE-2019-5970
https://nvd.nist.gov/vuln/detail/CVE-2019-5971
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:sukimalab:attendance_manager
2019-10-01T10:56+09:00
2019-06-10T15:31+09:00
2019-10-01T10:56+09:00

Multiple vulnerabilities in WordPress Plugin "Online Lesson Booking"
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000035.html
WordPress Plugin "Online Lesson Booking" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability (CWE-79) - CVE-2019-5972
* Cross-site request forgery vulnerability (CWE-352) - CVE-2019-5973
Natsumi Matsuoka of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on her own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000035
https://jvn.jp/en/jp/JVN96988995/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5973
https://nvd.nist.gov/vuln/detail/CVE-2019-5972
https://nvd.nist.gov/vuln/detail/CVE-2019-5973
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:sukimalab:online_lesson_booking
2019-10-02T17:50+09:00
2019-06-10T15:33+09:00
2019-10-02T17:50+09:00

WordPress Plugin "Contest Gallery" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000036.html
WordPress Plugin "Contest Gallery" provided by Contest-Gallery contains a cross-site request forgery vulnerability (CWE-352).
Okazawa Yoshihiro of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000036
https://jvn.jp/en/jp/JVN80925867/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5974
https://nvd.nist.gov/vuln/detail/CVE-2019-5974
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:contest-gallery:contest_gallery
2019-10-04T16:19+09:00
2019-06-12T14:21+09:00
2019-10-04T16:19+09:00

A map plugin for Minecraft server "Dynmap" fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000037.html
A map plugin for Minecraft server "Dynmap" fails to restrict access permissions (CWE-284).
RyotaK directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning
JVNDB-2019-000037
https://jvn.jp/en/jp/JVN89046645/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12395
https://nvd.nist.gov/vuln/detail/CVE-2019-12395
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:dynmap_project:dynmap
2019-10-01T10:18+09:00
2019-06-13T13:57+09:00
2019-10-01T10:18+09:00

WordPress Plugin "Personalized WooCommerce Cart Page" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000038.html
WordPress Plugin "Personalized WooCommerce Cart Page" provided by N-MEDIA contains a cross-site request forgery vulnerability (CWE-352).
Akira Yamasaki of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000038
https://jvn.jp/en/jp/JVN88804335/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5979
https://nvd.nist.gov/vuln/detail/CVE-2019-5979
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:najeebmedia:personalized_woocommerce_cart_page
2019-10-04T16:13+09:00
2019-06-19T14:13+09:00
2019-10-04T16:13+09:00

WordPress Plugin "Related YouTube Videos" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000039.html
WordPress Plugin "Related YouTube Videos" provided by Chris Doerr contains a cross-site request forgery vulnerability (CWE-352).
Shoichiro Ishikawa of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000039
https://jvn.jp/en/jp/JVN31406910/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5980
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:meomundo:related_youtube_videos
2019-10-04T16:02+09:00
2019-06-17T14:55+09:00
2019-10-04T16:02+09:00

Multiple vulnerabilities in VAIO Update
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000040.html
VAIO Update provided by Sony Corporation contains multiple vulnerabilities listed below.
* Improper authorization process (CWE-285) - CVE-2019-5981
* Improper verification of download file (CWE-669) - CVE-2019-5982
Device Security reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000040
https://jvn.jp/en/jp/JVN13555032/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5982
https://nvd.nist.gov/vuln/detail/CVE-2019-5981
https://nvd.nist.gov/vuln/detail/CVE-2019-5982
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:sony:vaio_update
2019-10-01T11:12+09:00
2019-06-21T14:22+09:00
2019-10-01T11:12+09:00

WordPress Plugin "HTML5 Maps" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000041.html
WordPress Plugin "HTML5 Maps" provided by Fla-Shop.com contains a cross-site request forgery vulnerability (CWE-352).
Daisuke Shimizu of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000041
https://jvn.jp/en/jp/JVN49575131/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5983
https://nvd.nist.gov/vuln/detail/CVE-2019-5983
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:fla-shop:html5_maps
2019-10-01T10:24+09:00
2019-06-24T14:22+09:00
2019-10-01T10:24+09:00

WordPress Plugin "Custom CSS Pro" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000042.html
WordPress Plugin "Custom CSS Pro" provided by WaspThemes contains a cross-site request forgery vulnerability (CWE-352).
Dai Nakamura of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000042
https://jvn.jp/en/jp/JVN29933378/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5984
https://nvd.nist.gov/vuln/detail/CVE-2019-5984
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:waspthemes:custom_css_pro
2019-10-01T10:22+09:00
2019-06-24T14:27+09:00
2019-10-01T10:22+09:00

Multiple vulnerabilities in Hikari Denwa router/Home GateWay
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000043.html
Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION and NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2019-5985
* Cross-site Request Forgery (CWE-352) - CVE-2019-5986
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000043
https://jvn.jp/en/jp/JVN43172719/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5986
https://nvd.nist.gov/vuln/detail/CVE-2019-5985
https://nvd.nist.gov/vuln/detail/CVE-2019-5986
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/h:ntt_east:pr-400ki
cpe:/h:ntt_east:pr-400mi
cpe:/h:ntt_east:pr-400ne
cpe:/h:ntt_east:pr-500ki
cpe:/h:ntt_east:pr-500mi
cpe:/h:ntt_east:pr-s300hi
cpe:/h:ntt_east:pr-s300ne
cpe:/h:ntt_east:pr-s300se
cpe:/h:ntt_east:rs-500ki
cpe:/h:ntt_east:rs-500mi
cpe:/h:ntt_east:rt-400ki
cpe:/h:ntt_east:rt-400mi
cpe:/h:ntt_east:rt-400ne
cpe:/h:ntt_east:rt-500ki
cpe:/h:ntt_east:rt-500mi
cpe:/h:ntt_east:rt-s300hi
cpe:/h:ntt_east:rt-s300ne
cpe:/h:ntt_east:rt-s300se
cpe:/h:ntt_east:rv-440ki
cpe:/h:ntt_east:rv-440mi
cpe:/h:ntt_east:rv-440ne
cpe:/h:ntt_east:rv-s340hi
cpe:/h:ntt_east:rv-s340ne
cpe:/h:ntt_east:rv-s340se
cpe:/h:ntt_west:pr-400ki
cpe:/h:ntt_west:pr-400mi
cpe:/h:ntt_west:pr-400ne
cpe:/h:ntt_west:pr-500ki
cpe:/h:ntt_west:pr-500mi
cpe:/h:ntt_west:pr-s300hi
cpe:/h:ntt_west:pr-s300ne
cpe:/h:ntt_west:pr-s300se
cpe:/h:ntt_west:rt-400ki
cpe:/h:ntt_west:rt-400mi
cpe:/h:ntt_west:rt-400ne
cpe:/h:ntt_west:rt-500ki
cpe:/h:ntt_west:rt-500mi
cpe:/h:ntt_west:rt-s300hi
cpe:/h:ntt_west:rt-s300ne
cpe:/h:ntt_west:rt-s300se
cpe:/h:ntt_west:rv-440ki
cpe:/h:ntt_west:rv-440mi
cpe:/h:ntt_west:rv-440ne
cpe:/h:ntt_west:rv-s340hi
cpe:/h:ntt_west:rv-s340ne
cpe:/h:ntt_west:rv-s340se
2019-10-08T17:22+09:00
2019-06-27T15:36+09:00
2019-10-08T17:22+09:00

The management console of iDoors Reader vulnerable to authentication bypass
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000044.html
The management console of iDoors Reader provided by A.T.WORKS, Inc. contains an authentication bypass vulnerability (CWE-288).
Yusuke Nakano of Secure Cycle Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000044
http://jvn.jp/en/jp/JVN28218613/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5964
https://nvd.nist.gov/vuln/detail/CVE-2019-5964
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:idoors:idoors_reader
2019-10-04T15:45+09:00
2019-07-01T14:31+09:00
2019-10-04T15:45+09:00

Multiple vulnerabilities in Access analysis CGI An-Analyzer
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000045.html
Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains multiple vulnerabilities listed below.
* OS command injection in the Management Page (CWE-78) - CVE-2019-5987
* Stored cross-site scripting in the Management Page (CWE-79) - CVE-2019-5988
* DOM-based cross-site scripting in the Analysis Object Page (CWE-79) - CVE-2019-5989
* Information disclosure (CWE-200) - CVE-2019-5990
Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000045
https://jvn.jp/en/jp/JVN37230341/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5990
https://nvd.nist.gov/vuln/detail/CVE-2019-5987
https://nvd.nist.gov/vuln/detail/CVE-2019-5988
https://nvd.nist.gov/vuln/detail/CVE-2019-5989
https://nvd.nist.gov/vuln/detail/CVE-2019-5990
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:anglers-net:cgi_an-anlyzer
2019-07-05T15:28+09:00
2019-07-05T15:28+09:00
2019-07-05T15:28+09:00

Intel Dual Band Wireless-AC 8260 vulnerable to denial-of-service (DoS)
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000046.html
Intel Dual Band Wireless-AC 8260 contains a denial-of-service (DoS) vulnerability (CWE-400).
Yusuke Ogawa of Cisco Systems G.K. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000046
http://jvn.jp/en/jp/JVN75617741/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0136
https://nvd.nist.gov/vuln/detail/CVE-2019-0136
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:intel:dual_band_wireless-ac_8260
2019-07-10T14:07+09:00
2019-07-10T14:07+09:00
2019-07-10T14:07+09:00

Multiple vulnerabilities in Cybozu Garoon
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000047.html
Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* DOM-based cross-site scripting in the application "Portal" (CWE-79) - CVE-2019-5975
* Denial-of-service (DoS) (CWE-20) - CVE-2019-5976
* Mail header injection in the application "E-mail" (CWE-74) - CVE-2019-5977
* Open redirect in the application "Scheduler" (CWE-601) - CVE-2019-5978
Masato Kinugawa reported CVE-2019-5975 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Kanta Nishitani reported CVE-2019-5976 and CVE-2019-5978 vulnerabilities to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
Shuichi Uruma reported CVE-2019-5977 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.
JVNDB-2019-000047
https://jvn.jp/en/jp/JVN62618482/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5978
https://nvd.nist.gov/vuln/detail/CVE-2019-5975
https://nvd.nist.gov/vuln/detail/CVE-2019-5976
https://nvd.nist.gov/vuln/detail/CVE-2019-5977
https://nvd.nist.gov/vuln/detail/CVE-2019-5978
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:cybozu:garoon
2019-10-08T17:19+09:00
2019-07-16T16:08+09:00
2019-10-08T17:19+09:00

WordPress Plugin "WordPress Ultra Simple Paypal Shopping Cart" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000048.html
WordPress Plugin "WordPress Ultra Simple Paypal Shopping Cart" provided by Mike Castro Demaria contains a cross-site request forgery vulnerability (CWE-352).
Yuta Kikuchi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000048
https://jvn.jp/en/jp/JVN48981892/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5992
https://nvd.nist.gov/vuln/detail/CVE-2019-5992
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ultra-prod:wordpress_ultra_simple_paypal_shopping_cart
2019-10-08T16:38+09:00
2019-07-16T16:16+09:00
2019-10-08T16:38+09:00

WordPress Plugin "Category Specific RSS feed Subscription" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000049.html
WordPress Plugin "Category Specific RSS feed Subscription" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability (CWE-352).
Gota Abe of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000049
https://jvn.jp/en/jp/JVN92510087/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5993
https://nvd.nist.gov/vuln/detail/CVE-2019-5993
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:tips_and_tricks_hq:category_specific_rss_feed_subscription
2019-10-08T16:28+09:00
2019-07-18T13:56+09:00
2019-10-08T16:28+09:00

Central Dogma vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html
Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000050
https://jvn.jp/en/jp/JVN94889214/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6002
https://nvd.nist.gov/vuln/detail/CVE-2019-6002
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:linecorp:central_dogma
2019-10-04T16:37+09:00
2019-07-31T15:29+09:00
2019-10-04T16:37+09:00

EC-CUBE plugin "Amazon Pay Plugin 2.12,2.13" vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000051.html
EC-CUBE plugin "Amazon Pay Plugin 2.12,2.13" provided by IPLOGIC CO.,LTD. contains a cross-site scripting vulnerability (CWE-79).
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000051
https://jvn.jp/en/jp/JVN29343839/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6003
https://nvd.nist.gov/vuln/detail/CVE-2019-6003
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:misc:amazon_pay
2019-08-07T13:58+09:00
2019-08-07T13:58+09:00
2019-08-07T13:58+09:00

ApeosWare Management Suite and ApeosWare Management Suite 2 contain open redirect vulnerability
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000052.html
ApeosWare Management Suite and ApeosWare Management Suite 2 provided by Fuji Xerox Co.,Ltd. are software products for managing devices and their usage, providing authentication, printing, log accounting, and document distribution.
These software products contain an open redirect vulnerability (CWE-601).
KOBAYASHI Haruki of Cryptography Laboratory, Department of Information and Communication Engineering, Graduate School of Tokyo Denki University and NAKAMURA Dai of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000052
https://jvn.jp/en/jp/JVN07679150/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6004
https://nvd.nist.gov/vuln/detail/CVE-2019-6004
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:fuji_xerox:apeosware_management_suite
cpe:/a:fuji_xerox:apeosware_management_suite_2
2021-04-12T13:30+09:00
2019-08-15T14:29+09:00
2021-04-12T13:30+09:00

Smart TV Box fails to restrict access permissions
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000053.html
Smart TV Box provided by KDDI CORPORATION enables access to Android Debug Bridge via port 5555/TCP of LAN side interface.
When a cable television provider sets up Smart TV Box at an individual residence, direct access from outside to the LAN side interface of Smart TV Box is disabled. However, if the original setting is changed later, for example so that the LAN side interface is connected directly to the internet, Android Debug Bridge becomes accessible via port 5555/TCP of the LAN side interface. As a result, a remote attacker may conduct arbitrary operations on the device without the user's intent.
Yoshiki Mori and Masaki Kubo of Cybersecurity Laboratory, National Institute of Information and Communications Technology reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000053
https://jvn.jp/en/jp/JVN17127920/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6005
https://nvd.nist.gov/vuln/detail/CVE-2019-6005
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:kddi:smart_tv_box_firmware
2019-10-08T17:35+09:00
2019-08-23T15:57+09:00
2019-10-08T17:35+09:00

Cybozu Garoon vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000054.html
Cybozu Garoon provided by Cybozu, Inc. contains an SQL injection vulnerability (CWE-89) in the processing of Todo portlet.
Shoji Baba reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000054
http://jvn.jp/en/jp/JVN71877187/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5991
https://nvd.nist.gov/vuln/detail/CVE-2019-5991
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:cybozu:garoon
2019-10-08T16:48+09:00
2019-08-26T13:48+09:00
2019-10-08T16:48+09:00

Panasonic Video Insight VMS vulnerable to SQL injection
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000056.html
Video Insight VMS provided by Panasonic Corporation is a video management suite for video security systems. Video Insight VMS contains a SQL injection vulnerability (CWE-89).
Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000056
https://jvn.jp/en/jp/JVN93833849/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5996
https://nvd.nist.gov/vuln/detail/CVE-2019-5996
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:panasonic:video_insight_vms
2020-06-26T12:27+09:00
2019-09-02T13:57+09:00
2020-06-26T12:27+09:00

SHIRASAGI vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000057.html
SHIRASAGI provided by SHIRASAGI Project contains an open redirect vulnerability (CWE-601).
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000057
https://jvn.jp/en/jp/JVN74699196/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6009
https://nvd.nist.gov/vuln/detail/CVE-2019-6009
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:ss-proj:shirasagi
2019-09-10T13:56+09:00
2019-09-10T13:56+09:00
2019-09-10T13:56+09:00

Multiple buffer overflow vulnerabilities in multiple Ricoh printers and Multifunction Printers (MFPs)
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000058.html
Multiple printers and Multifunction Printers (MFPs) provided by RICOH COMPANY, LTD. contain multiple buffer overflow vulnerabilities listed below.
* Buffer overflow in parsing HTTP cookie header (CWE-119) - CVE-2019-14300
* Buffer overflow in parsing HTTP parameter setting for Wifi, mDNS, POP3, SMTP and alert (CWE-119) - CVE-2019-14305
* Buffer overflow in parsing HTTP parameter setting for SNMP (CWE-119) - CVE-2019-14307
* Buffer overflow in parsing LPD packet (CWE-119) - CVE-2019-14308
RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000058
https://jvn.jp/en/jp/JVN11708203/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14300
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14305
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14307
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14308
https://nvd.nist.gov/vuln/detail/CVE-2019-14300
https://nvd.nist.gov/vuln/detail/CVE-2019-14305
https://nvd.nist.gov/vuln/detail/CVE-2019-14307
https://nvd.nist.gov/vuln/detail/CVE-2019-14308
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:ricoh:sp_c250dn_firmware
cpe:/o:ricoh:sp_c250sf_firmware
cpe:/o:ricoh:sp_c252dn_firmware
cpe:/o:ricoh:sp_c252sf_firmware
2020-02-25T17:27+09:00
2019-09-13T14:29+09:00
2020-02-25T17:27+09:00

apng-drawable vulnerable to integer overflow
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000059.html
apng-drawable provided by LINE Corporation contains an integer overflow vulnerability (CWE-190).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000059
https://jvn.jp/en/jp/JVN39383894/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6007
https://nvd.nist.gov/vuln/detail/CVE-2019-6007
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:linecorp:apng-drawable
2019-10-18T15:23+09:00
2019-09-12T13:55+09:00
2019-10-18T15:23+09:00

Multiple integer overflow vulnerabilities in LINE(Android)
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000060.html
LINE(Android) provided by LINE Corporation contains multiple integer overflow vulnerabilities (CWE-190) listed below.
* Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007
* Integer overflow vulnerability in processing images - CVE-2019-6010
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
JVNDB-2019-000060
http://jvn.jp/en/jp/JVN97845465/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6010
https://nvd.nist.gov/vuln/detail/CVE-2019-6007
https://nvd.nist.gov/vuln/detail/CVE-2019-6010
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:linecorp:line
2019-10-18T15:17+09:00
2019-09-19T17:59+09:00
2019-10-18T15:17+09:00

Multiple OS command injection vulnerabilities in DBA-1510P
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000062.html
DBA-1510P provided by D-Link Japan K.K. contains multiple OS command injection vulnerabilities listed below.
* OS command injection vulnerability in Command Line Interface (CLI) (CWE-78) - CVE-2019-6013
* OS command injection vulnerability in Web User Interface (CWE-78) - CVE-2019-6014
Katsuhiko Sato (a.k.a. goroh_kun) of COCON Inc, Technical Research Lab. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000062
https://jvn.jp/en/jp/JVN95875796/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6014
https://nvd.nist.gov/vuln/detail/CVE-2019-6013
https://nvd.nist.gov/vuln/detail/CVE-2019-6014
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/o:dlink-j:dba-1510p_firmware
2019-10-07T15:17+09:00
2019-10-07T15:17+09:00
2019-10-07T15:17+09:00

Multiple vulnerabilities in EC-CUBE module "REMISE Payment module (2.11, 2.12 and 2.13)"
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000063.html
EC-CUBE module "REMISE Payment module (2.11, 2.12 and 2.13)" provided by REMISE Corporation contains multiple vulnerabilities listed below.
* Cross-site scripting (CWE-79) - CVE-2019-6016
* Information disclosure (CWE-200) - CVE-2019-6017
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000063
https://jvn.jp/en/jp/JVN59436681/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6017
https://nvd.nist.gov/vuln/detail/CVE-2019-6016
https://nvd.nist.gov/vuln/detail/CVE-2019-6017
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:remise:payment_module
2019-10-07T15:09+09:00
2019-10-07T15:09+09:00
2019-10-07T15:09+09:00

Multiple vulnerabilities in WordPress Plugin "wpDataTables Lite"
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000064.html
WordPress Plugin "wpDataTables Lite" provided by TMS-Plugins contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2019-6011
* SQL Injection (CWE-89) - CVE-2019-6012
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
JVNDB-2019-000064
https://jvn.jp/en/jp/JVN14776551/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6012
https://nvd.nist.gov/vuln/detail/CVE-2019-6011
https://nvd.nist.gov/vuln/detail/CVE-2019-6012
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:misc_tms-outsource:wpdatatables_lite
2019-10-16T12:40+09:00
2019-10-11T15:08+09:00
2019-10-16T12:40+09:00

NetCommons3 vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000065.html
NetCommons3 provided by The NetCommons Project contains a cross-site scripting vulnerability (CWE-79).
Toshiki Sasazaki of Waseda University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
JVNDB-2019-000065
https://jvn.jp/en/jp/JVN74530672/index.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6018
https://nvd.nist.gov/vuln/detail/CVE-2019-6018
https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
cpe:/a:netcommons:netcommons
2019-10-15T12:39+09:00
2019-10-15T12:39+09:00
2019-10-15T12:39+09:00

PowerCMS vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000066.html
PowerCMS provided by Alfasado Inc. contains an open redirect vulnerability (CWE-601).
Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000066https://jvn.jp/en/jp/JVN34634458/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6020https://nvd.nist.gov/vuln/detail/CVE-2019-6020https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:alfasado:powercms2019-10-23T16:00+09:002019-10-23T16:00+09:002019-10-23T16:00+09:00Library Information Management System LIMEDIO vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000067.html
Library Information Management System LIMEDIO provided by RICOH COMPANY, LTD. contains an open redirect vulnerability (CWE-601).
Takeshi Imai of Internet Initiative Japan Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000067http://jvn.jp/en/jp/JVN45633549/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6021https://nvd.nist.gov/vuln/detail/CVE-2019-6021https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ricoh:limedio2019-10-28T15:37+09:002019-10-28T15:37+09:002019-10-28T15:37+09:00Rakuma App vulnerable to authentication information disclosure
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000068.html
Rakuma App provided by Rakuten, Inc. contains an authentication information disclosure vulnerability (CWE-200).
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000068https://jvn.jp/en/jp/JVN41566067/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6024https://nvd.nist.gov/vuln/detail/CVE-2019-6024https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:rakuten:rakuma2019-11-07T14:50+09:002019-11-07T14:50+09:002019-11-07T14:50+09:00Movable Type vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000069.html
Movable Type provided by Six Apart Ltd. contains an open redirect vulnerability (CWE-601).
Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000069https://jvn.jp/en/jp/JVN65280626/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6025https://nvd.nist.gov/vuln/detail/CVE-2019-6025https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:sixapart:movabletype2019-11-13T13:59+09:002019-11-13T13:59+09:002019-11-13T13:59+09:00WordPress Plugin "WP Spell Check" vulnerable to cross-site request forgery
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000070.html
WordPress Plugin "WP Spell Check" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability (CWE-352).
Takuya Yamaguchi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University directly reported these vulnerabilities to the developer and coordinated on her own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.JVNDB-2019-000070https://jvn.jp/en/jp/JVN26838191/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6027https://nvd.nist.gov/vuln/detail/CVE-2019-6027https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:wpspellcheck:wpspellcheck2019-11-26T18:16+09:002019-11-26T18:16+09:002019-11-26T18:16+09:00STAMP Workbench installer may insecurely load Dynamic Link Libraries
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000071.html
STAMP Workbench is a modeling tool for STAMP provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN (IPA). It is distributed as a ZIP archive or a Windows executable installer.
The Windows executable installer contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).
Yuji Tonai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000071https://jvn.jp/en/ta/JVNTA91240916/http://jvn.jp/en/jp/JVN19386781/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6019https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ipa:stamp_workbench2019-11-27T10:31+09:002019-11-27T10:31+09:002019-11-27T10:31+09:00Multiple MOTEX products vulnerable to privilege escalation
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000072.html
LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability.
Mitsuaki (Mitch) Shiraishi of Secureworks Japan and Yoshimasa Obana reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000072http://jvn.jp/en/jp/JVN49068796/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6026https://nvd.nist.gov/vuln/detail/CVE-2019-6026https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:motex:lanscope_ancpe:/a:motex:lanscope_cat2019-12-03T13:34+09:002019-12-03T13:34+09:002019-12-03T13:34+09:00Kinza vulnerable to cross-site scripting
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000073.html
Kinza provided by Dayz Inc. contains a cross-site scripting vulnerability (CWE-79).
RyotaK reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000073https://jvn.jp/en/jp/JVN63047298/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6031https://nvd.nist.gov/vuln/detail/CVE-2019-6031https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:dayz:kinza2019-12-11T09:56+09:002019-12-11T09:56+09:002019-12-11T09:56+09:00Athenz vulnerable to open redirect
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000074.html
Athenz provided by Verizon Media contains an open redirect vulnerability (CWE-601).
Akaki Tsunoda reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000074https://jvn.jp/en/jp/JVN57070811/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6035https://nvd.nist.gov/vuln/detail/CVE-2019-6035https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:misc:verizonmedia_athenz2019-12-26T17:14+09:002019-12-12T15:00+09:002019-12-26T17:14+09:00Multiple vulnerabilities in "Custom Body Class"
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000075.html
WordPress Plugin "Custom Body Class" provided by Andrei Lupu contains multiple vulnerabilities listed below.
* Cross-site Scripting (CWE-79) - CVE-2019-6029
* Cross-site Request Forgery (CWE-352) - CVE-2019-6030
Shirai Masatake of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported these vulnerabilities to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.JVNDB-2019-000075https://jvn.jp/en/jp/JVN26847507/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6029https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6030https://nvd.nist.gov/vuln/detail/CVE-2019-6029https://nvd.nist.gov/vuln/detail/CVE-2019-6030https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:custom_body_class_project:custom_body_class2019-12-12T14:55+09:002019-12-12T14:55+09:002019-12-12T14:55+09:00Multiple vulnerabilities in Cybozu Office
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000076.html
Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.
* Directory traversal in the "Customapp" function (CWE-22) - CVE-2019-6022
* Browse restriction bypass in the application "Address" (CWE-284) - CVE-2019-6023
Two vulnerabilities were reported by the following persons to Cybozu, Inc. directly, and Cybozu Inc. reported the vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
CVE-2019-6022 by Shoji Baba
CVE-2019-6023 by TanghaifengJVNDB-2019-000076https://jvn.jp/en/jp/JVN79854355/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6022https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6023https://nvd.nist.gov/vuln/detail/CVE-2019-6022https://nvd.nist.gov/vuln/detail/CVE-2019-6023https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlhttps://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:cybozu:officecpe:/a:cybozu:office2019-12-17T13:55+09:002019-12-17T13:55+09:002019-12-17T13:55+09:00Android App "NTV News24" fails to verify SSL server certificates
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000077.html
Android App "NTV News24" provided by Nippon Television Network Corporation fails to verify SSL server certificates (CWE-295).
Shinnosuke Tokusho of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000077https://jvn.jp/en/jp/JVN01236065/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6032https://nvd.nist.gov/vuln/detail/CVE-2019-6032https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ntv:news_242019-12-19T13:59+09:002019-12-19T13:59+09:002019-12-19T13:59+09:00Multiple vulnerabilities in a-blog cms
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000078.html
a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.
* Reflected cross-site scripting (CWE-79) - CVE-2019-6033
* Script injection due to a flaw in processing cookie (CWE-74) - CVE-2019-6034
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-000078https://jvn.jp/en/jp/JVN10377257/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6033https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6034https://nvd.nist.gov/vuln/detail/CVE-2019-6033https://nvd.nist.gov/vuln/detail/CVE-2019-6034https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:appleple:a-blog_cms2019-12-20T15:43+09:002019-12-20T15:43+09:002019-12-20T15:43+09:00Information Disclosure Vulnerability in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-001094.html
An Information Disclosure Vulnerability was found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor.JVNDB-2019-001094https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:configuration_managercpe:/a:hitachi:device_managercpe:/a:hitachi:infrastructure_analytics_advisor2019-01-24T18:39+09:002019-01-22T11:47+09:002019-01-24T18:39+09:00Cross-site Scripting Vulnerability in Hitachi Device Manager
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-001095.html
A Cross-site Scripting Vulnerability was found in Hitachi Device Manager.
JVNDB-2019-001095https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:device_manager2019-01-24T18:38+09:002019-01-22T11:47+09:002019-01-24T18:38+09:00DoS Vulnerability in JP1/Base
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-001285.html
A DoS Vulnerability was found in JP1/Base.JVNDB-2019-001285https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:job_management_partner_1_basecpe:/a:hitachi:jp1_base2019-02-25T17:13+09:002019-02-25T17:13+09:002019-02-25T17:13+09:00Multiple Vulnerabilities in Cosminexus
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-002892.html
Cosminexus Developer's Kit for Java and Hitachi Developer's Kit for Java contain the following vulnerabilities:
CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698
JVNDB-2019-002892https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2602https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2697https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2698https://nvd.nist.gov/vuln/detail/CVE-2019-2602https://nvd.nist.gov/vuln/detail/CVE-2019-2684https://nvd.nist.gov/vuln/detail/CVE-2019-2697https://nvd.nist.gov/vuln/detail/CVE-2019-2698https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:ucosminexus_application_servercpe:/a:hitachi:ucosminexus_clientcpe:/a:hitachi:ucosminexus_developercpe:/a:hitachi:ucosminexus_service_architectcpe:/a:hitachi:ucosminexus_service_platform2019-04-25T15:13+09:002019-04-25T15:13+09:002019-04-25T15:13+09:00Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-003194.html
Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor. JVNDB-2019-003194https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_directorcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:device_managercpe:/a:hitachi:global_link_managercpe:/a:hitachi:infrastructure_analytics_advisorcpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-05-13T15:25+09:002019-05-13T15:25+09:002019-05-13T15:25+09:00DoS Vulnerability in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-003539.html
A DoS Vulnerability was found in Hitachi IT Operations Director, JP1/IT Desktop Management - Manager and JP1/IT Desktop Management 2 - Manager. JVNDB-2019-003539https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:it_operations_directorcpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-managercpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-manager2cpe:/a:hitachi:jp1%2Fit_desktop_management-managercpe:/a:hitachi:jp1_it_desktop_management2019-05-20T15:38+09:002019-05-20T15:38+09:002019-05-20T15:38+09:00Vulnerability in Cosminexus HTTP Server and Hitachi Web Server
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-004441.html
A vulnerability (CVE-2019-0220) exists in Cosminexus HTTP Server and Hitachi Web Server.JVNDB-2019-004441https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:cosminexus_http_servercpe:/a:hitachi:hitachi_application_servercpe:/a:hitachi:hitachi_application_server_for_developerscpe:/a:hitachi:hitachi_web_servercpe:/a:hitachi:ucosminexus_application_servercpe:/a:hitachi:ucosminexus_developercpe:/a:hitachi:ucosminexus_primary_servercpe:/a:hitachi:ucosminexus_service2019-06-03T13:55+09:002019-06-03T13:55+09:002019-06-03T13:55+09:00WonderCMS vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-007404.html
WonderCMS contains a directory traversal vulnerability (CWE-22).
Note that the original fix for this vulnerability was insufficient (CVE-2018-7172). However, an updated version of the software, which completely addressed this vulnerability, has been released by the developer.
Sosuke Tokuda reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.JVNDB-2019-007404https://jvn.jp/en/vu/JVNVU93628467/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5956https://nvd.nist.gov/vuln/detail/CVE-2019-5956cpe:/a:wondercms:wondercms2019-10-08T17:23+09:002019-08-09T12:23+09:002019-10-08T17:23+09:00Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-008917.html
Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor.
JVNDB-2019-008917https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_directorcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:configuration_managercpe:/a:hitachi:device_managercpe:/a:hitachi:global_link_managercpe:/a:hitachi:infrastructure_analytics_advisorcpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-09-09T15:58+09:002019-09-09T15:58+09:002019-09-09T15:58+09:00FON routers may behave as an open resolver
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-009884.html
FON routers contain an issue where they may behave as open resolvers.
A device that acts as a DNS resolver for recursive DNS queries from anyone on the internet is called an "open resolver".
Hideyoshi Okazaki of ARTERIA Networks Corporation reported this vulnerability to JPCERT/CC, and JPCERT/CC coordinated with the developer.JVNDB-2019-009884http://jvn.jp/en/vu/JVNVU94678942/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6015https://nvd.nist.gov/vuln/detail/CVE-2019-6015cpe:/o:fon:fon_fon2601e-fsw-s_firmwarecpe:/o:fon:fon_fon2601e-re_firmwarecpe:/o:fon:fon_fon2601e-se_firmwarecpe:/o:fon:fon_fon2601fsw-b_firmware2019-12-27T18:05+09:002019-10-02T10:59+09:002019-12-27T18:05+09:00Vulnerability in Cosminexus HTTP Server and Hitachi Web Server
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-010374.html
A vulnerability (CVE-2019-10092) exists in Cosminexus HTTP Server and Hitachi Web Server.
JVNDB-2019-010374https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:cosminexus_http_servercpe:/a:hitachi:hitachi_application_servercpe:/a:hitachi:hitachi_application_server_for_developerscpe:/a:hitachi:hitachi_web_servercpe:/a:hitachi:ucosminexus_application_servercpe:/a:hitachi:ucosminexus_developercpe:/a:hitachi:ucosminexus_primary_servercpe:/a:hitachi:ucosminexus_service2019-10-18T14:18+09:002019-10-18T14:18+09:002019-10-18T14:18+09:00Multiple Vulnerabilities in Hitachi Global Link Manager
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-010375.html
Multiple vulnerabilities have been found in Hitachi Global Link Manager.
* Cross-site Scripting
* DoSJVNDB-2019-010375https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:global_link_manager2019-10-18T14:21+09:002019-10-18T14:21+09:002019-10-18T14:21+09:00Trend Micro OfficeScan vulnerable to directory traversal
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-011088.html
Trend Micro OfficeScan contains a directory traversal vulnerability (CWE-22).
If this vulnerability is exploited, an authenticated user on the administrative console of the affected product may upload an arbitrary zip file to the specific folder, then extract and execute it.
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.JVNDB-2019-011088https://jvn.jp/en/vu/JVNVU96213168/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18187https://nvd.nist.gov/vuln/detail/CVE-2019-18187https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:trendmicro:virus_baster_corporate_edition2019-12-02T16:08+09:002019-10-30T10:59+09:002019-12-02T16:08+09:00Arbitrary File Deletion Vulnerability in Hitachi Command Suite
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-011486.html
An arbitrary file deletion vulnerability was found in Hitachi Command Suite.
JVNDB-2019-011486https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:device_managercpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-11-11T14:10+09:002019-11-11T14:10+09:002019-11-11T14:10+09:00DoS Vulnerability in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-011487.html
A DoS vulnerability was found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor.
JVNDB-2019-011487https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:device_managercpe:/a:hitachi:infrastructure_analytics_advisorcpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-11-11T14:09+09:002019-11-11T14:09+09:002019-11-11T14:09+09:00Information Disclosure Vulnerability in Hitachi Command Suite
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-011488.html
An Information Disclosure Vulnerability was found in Hitachi Command Suite.
JVNDB-2019-011488https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21026https://nvd.nist.gov/vuln/detail/CVE-2018-21026https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:device_managercpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-12-02T15:46+09:002019-11-11T14:09+09:002019-12-02T15:46+09:00Ghostscript access restriction bypass vulnerability
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-012236.html
Ghostscript provided by Artifex Software Inc. contains an access restriction bypass vulnerability (CWE-284).
Hiroki MATSUKUMA of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.JVNDB-2019-012236https://jvn.jp/en/jp/JVN52486659/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14869https://nvd.nist.gov/vuln/detail/CVE-2019-14869http://www.openwall.com/lists/oss-security/2019/11/15/1https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:artifex:ghostscript2020-02-13T16:36+09:002020-02-05T13:51+09:002020-02-13T16:36+09:00Multiple Vulnerabilities in Hitachi Automation Director
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-013271.html
Multiple vulnerabilities have been found in Hitachi Automation Director.JVNDB-2019-013271https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_director2019-12-24T16:02+09:002019-12-24T16:02+09:002019-12-24T16:02+09:00Multiple Vulnerabilities in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-013272.html
Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor.
We would like to thank
Piotr Madej (ING Tech Poland)
for reporting the relevant issues.JVNDB-2019-013272https://www.cve.org/CVERecord?id=CVE-2018-21032https://www.cve.org/CVERecord?id=CVE-2018-21033https://nvd.nist.gov/vuln/detail/CVE-2018-21032https://nvd.nist.gov/vuln/detail/CVE-2018-21033https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:automation_directorcpe:/a:hitachi:compute_systems_managercpe:/a:hitachi:device_managercpe:/a:hitachi:global_link_managercpe:/a:hitachi:infrastructure_analytics_advisorcpe:/a:hitachi:replication_managercpe:/a:hitachi:tiered_storage_managercpe:/a:hitachi:tuning_manager2019-12-24T16:02+09:002019-12-24T16:02+09:002019-12-24T16:02+09:00DoS Vulnerability in Hitachi Compute Systems Manager
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-013273.html
A DoS vulnerability was found in Hitachi Compute Systems Manager.JVNDB-2019-013273https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:hitachi:compute_systems_manager2019-12-24T16:01+09:002019-12-24T16:01+09:002019-12-24T16:01+09:00Cross-site Request Forgery Vulnerability in RICOH printers
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-014031.html
Multiple RICOH printers contain Cross-site Request Forgery (CWE-352).
RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.JVNDB-2019-014031https://jvn.jp/en/jp/JVN52962201/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14304https://nvd.nist.gov/vuln/detail/CVE-2019-14304https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:ricoh:m_c250fwb_firmwarecpe:/o:ricoh:m_c250fw_firmwarecpe:/o:ricoh:p_c300w_firmwarecpe:/o:ricoh:p_c301w_firmwarecpe:/o:ricoh:sp_330sfn_firmwarecpe:/o:ricoh:sp_330sn_firmwarecpe:/o:ricoh:sp_c250dn_firmwarecpe:/o:ricoh:sp_c250sf_firmwarecpe:/o:ricoh:sp_c252dn_firmwarecpe:/o:ricoh:sp_c252sf_firmware2020-02-25T14:06+09:002020-02-25T14:06+09:002020-02-25T14:06+09:00Information Disclosure Vulnerability in RICOH printers
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-014136.html
Multiple RICOH printers contain Information Disclosure (CWE-200).
RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.JVNDB-2019-014136https://jvn.jp/en/jp/JVN52962201/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14301https://nvd.nist.gov/vuln/detail/CVE-2019-14301https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:ricoh:m_c250fwb_firmwarecpe:/o:ricoh:m_c250fw_firmwarecpe:/o:ricoh:p_c300w_firmwarecpe:/o:ricoh:p_c301w_firmwarecpe:/o:ricoh:sp_330sfn_firmwarecpe:/o:ricoh:sp_330sn_firmwarecpe:/o:ricoh:sp_c250dn_firmwarecpe:/o:ricoh:sp_c250sf_firmwarecpe:/o:ricoh:sp_c252dn_firmwarecpe:/o:ricoh:sp_c252sf_firmware2020-02-25T14:02+09:002020-02-25T14:02+09:002020-02-25T14:02+09:00Improper Access Control Vulnerability in RICOH printers
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-014137.html
Multiple RICOH printers contain Improper Access Control (CWE-284).
RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership. JVNDB-2019-014137https://jvn.jp/en/jp/JVN52962201/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14302https://nvd.nist.gov/vuln/detail/CVE-2019-14302https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:ricoh:sp_330dn_firmwarecpe:/o:ricoh:sp_330sfn_firmwarecpe:/o:ricoh:sp_330sn_firmwarecpe:/o:ricoh:sp_3710dn_firmwarecpe:/o:ricoh:sp_3710sf_firmwarecpe:/o:ricoh:sp_c250dn_firmwarecpe:/o:ricoh:sp_c250sf_firmwarecpe:/o:ricoh:sp_c252dn_firmwarecpe:/o:ricoh:sp_c252sf_firmwarecpe:/o:ricoh:sp_c260dnw_firmware2020-02-25T15:44+09:002020-02-25T15:44+09:002020-02-25T15:44+09:00Improper Authentication Vulnerability in RICOH printers
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-014138.html
Multiple RICOH printers contain Improper Authentication Vulnerability (CWE-287).
RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.JVNDB-2019-014138https://jvn.jp/en/jp/JVN52962201/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14306https://nvd.nist.gov/vuln/detail/CVE-2019-14306https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/o:ricoh:sp_330dn_firmwarecpe:/o:ricoh:sp_330sfn_firmwarecpe:/o:ricoh:sp_330sn_firmwarecpe:/o:ricoh:sp_3710dn_firmwarecpe:/o:ricoh:sp_3710sf_firmwarecpe:/o:ricoh:sp_c250dn_firmwarecpe:/o:ricoh:sp_c250sf_firmwarecpe:/o:ricoh:sp_c252dn_firmwarecpe:/o:ricoh:sp_c252sf_firmwarecpe:/o:ricoh:sp_c260dnw_firmware2020-02-25T15:47+09:002020-02-25T15:47+09:002020-02-25T15:47+09:00Privilege escalation vulnerability in multiple RICOH printer drivers
https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-014437.html
Multiple RICOH printer drivers contain a privilege escalation vulnerability.
RICOH COMPANY, LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and [Name of company/Organization] coordinated under the Information Security Early Warning Partnership.JVNDB-2019-014437https://jvn.jp/en/jp/JVN15697526/index.htmlhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19363https://nvd.nist.gov/vuln/detail/CVE-2019-19363https://seclists.org/fulldisclosure/2020/Jan/34https://www.ipa.go.jp/en/security/vulnerabilities/cwe.htmlcpe:/a:ricoh:generic_pcl5_drivercpe:/a:ricoh:pcl6_%28pcl_xl%29_drivercpe:/a:ricoh:pcl6_driver_for_universal_printcpe:/a:ricoh:pc_fax_generic_drivercpe:/a:ricoh:postscript3_drivercpe:/a:ricoh:ps_driver_for_universal_printcpe:/a:ricoh:rpcs_drivercpe:/a:ricoh:rpcs_raster_driver2020-02-25T15:29+09:002020-02-25T15:29+09:002020-02-25T15:29+09:00