JVNDB RSS Feed - Update Entry
http://jvndb.jvn.jp/rss/en/jvndb.rdf



JVN iPedia Update Entry



Published: 2018-04-26T12:00:17+09:00
Spring Security and Spring Framework vulnerable to authentication bypass

2018-04-18T11:55+09:00

Spring Framework and Spring Security provided by Pivotal Software, Inc. contain an authentication bypass vulnerability. Macchinetta Framework Development Team : NTT COMWARE, NTT DATA Corporation, and NTT reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



EC-CUBE vulnerable to session fixation

2018-04-17T13:39+09:00

EC-CUBE provided by LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a session fixation vulnerability (CWE-384). LOCKON CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LOCKON CO.,LTD. coordinated under the Information Security Early Warning Partnership.



Installer of SoundEngine Free may insecurely load Dynamic Link Libraries

2018-04-13T13:52+09:00

Installer of SoundEngine Free contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Tenable Appliance vulnerable to cross-site scripting

2018-04-12T14:33+09:00

Tenable Appliance provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of PhishWall Client Internet Explorer edition may insecurely load Dynamic Link Libraries

2018-04-12T14:27+09:00

PhishWall Client Internet Explorer edition provided by SecureBrain Corporation is anti-phishing and anti-MITB software. The installer of PhishWall Client Internet Explorer edition contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). According to the developer, the affected installer was built using Install Shield with all Hotfixes applied as of November 2017. The developer has confirmed that Install Shield with the most recent Hotfix applied addresses this issue. For details on Install Shield Hotfixes, refer to Best Practices to Avoid Windows Setup Launcher Executable Issues. Note that this vulnerability is different from JVN#93699304. Yuto Iso of NTT Security (Japan) KK and BlackWingCat of PinkFlyingWhale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in FS010W

2018-04-11T12:31+09:00

FS010W provided by FUJI SOFT INCORPORATED is a WiFi router. FS010W contains multiple vulnerabilities listed below.

* Stored cross-site scripting (CWE-79) - CVE-2018-0519
* Cross-site request forgery (CWE-352) - CVE-2018-0520

Manabu Kobayashi reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" may insecurely load Dynamic Link Libraries

2018-04-11T12:28+09:00

Application and self-extracting archive containing the application of "FLET'S v4 / v6 address selection tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of "FLET'S Azukeru Backup Tool" may insecurely load Dynamic Link Libraries

2018-04-11T12:25+09:00

"FLET'S Azukeru Backup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is software to automatically back up files in the user's computer to "FLET'S Azukeru" service. Installer of "FLET'S Azukeru Backup Tool" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Insecure DLL Loading issue in multiple Trend Micro products

2018-04-11T12:23+09:00

Multiple products provided by Trend Micro Incorporated contain an insecure DLL loading issue (CWE-427). When the installers of other applications are invoked while the affected products are installed on the PC, a DLL placed in the same directory as those installers may be insecurely loaded. Hidenori Ohta of Mitsubishi Electric Information Systems Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of Anshin net security for Windows may insecurely load Dynamic Link Libraries

2018-04-11T12:13+09:00

Anshin net security for Windows provided by KDDI CORPORATION is an Internet Security suite. The installer of Anshin net security for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



MP Form Mail CGI eCommerce Edition vulnerable to OS command injection

2018-04-11T11:57+09:00

MP Form Mail CGI eCommerce Edition provided by futomi Co., Ltd. is a CGI used to send mail from a web form. MP Form Mail CGI eCommerce Edition contains an OS command injection vulnerability (CWE-78). Daiki Ichinose of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WordPress plugin "MTS Simple Booking C" vulnerable to cross-site scripting

2018-04-11T11:53+09:00

The WordPress plugin "MTS Simple Booking C" provided by MT Systems Co., Ltd. contains a stored cross-site scripting vulnerability (CWE-79). Daichi Takaki of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WordPress plugin "WP Retina 2x" vulnerable to cross-site scripting

2018-04-11T11:53+09:00

The WordPress plugin "WP Retina 2x" contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple I-O DATA network devices incorporating "MagicalFinder" vulnerable to OS command injection

2018-04-11T11:51+09:00

"MagicalFinder" provided by I-O DATA DEVICE, INC. is an IP address setting tool for I-O DATA network devices such as routers, network cameras, and storage devices. Multiple I-O DATA network devices that incorporate "MagicalFinder" contain an OS command injection vulnerability (CWE-78). Taizo Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in epg search result viewer(kkcald)

2018-04-11T11:49+09:00

epg search result viewer(kkcald) provided by kkcal contains multiple vulnerabilities listed below.

* Cross-site Scripting (CWE-79) - CVE-2018-0508
* Cross-site request forgery (CWE-352) - CVE-2018-0509
* Buffer overflow (CWE-121) - CVE-2018-0510

Kusano Kazuhiko reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Nootka App for Android vulnerable to OS command injection

2018-04-11T11:46+09:00

Nootka App for Android provided by SeeLook contains an OS command injection vulnerability (CWE-78). Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" may insecurely load Dynamic Link Libraries

2018-04-11T11:44+09:00

The installer of "FLET'S VIRUS CLEAR Easy Setup & Application Tool" and "FLET'S VIRUS CLEAR v6 Easy Setup & Application Tool" provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



GroupSession vulnerable to open redirect

2018-04-11T11:37+09:00

GroupSession provided by Japan Total System Co.,Ltd. is an open source groupware. GroupSession contains an open redirect vulnerability (CWE-601). Norihiko Hirukawa of FiveDrive Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Zend Framework vulnerable to SQL injection

2018-04-11T11:32+09:00

Zend Framework is an open source web application framework. Zend Framework contains an SQL injection vulnerability (CWE-89) in the handling of the ORDER BY clause argument. Hiroshi Tokumaru of HASH Consulting Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Hatena Bookmark App for iOS contains an address bar spoofing vulnerability

2018-04-10T13:39+09:00

Hatena Bookmark App for iOS provided by Hatena Co., Ltd. contains a vulnerability where the address bar displays a different URL than the URL that is being accessed. Kenichiro Wakitani reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



DoS Vulnerability in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager

2018-04-10T10:55+09:00

A DoS Vulnerability was found in JP1/ServerConductor/Deployment Manager and Hitachi Compute Systems Manager (Deployment Manager Plug-in).



Multiple vulnerabilities in Cybozu Garoon

2018-04-09T19:38+09:00

Cybozu Garoon provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

* SQL injection in the application "Address" (CWE-89) - CVE-2018-0530
* Operation restriction bypass in the "Folder settings" (CWE-264) - CVE-2018-0531
* Operation restriction bypass in the setting of Login authentication (CWE-264) - CVE-2018-0532
* Operation restriction bypass in the setting of Session authentication (CWE-264) - CVE-2018-0533
* Browse restriction bypass in the application "Space" (CWE-264) - CVE-2018-0548
* Stored cross-site scripting in "Rich text" of the application "Message" (CWE-79) - CVE-2018-0549
* Browse restriction bypass in the application "Cabinet" (CWE-264) - CVE-2018-0550
* Stored cross-site scripting in "Rich text" of the application "Space" (CWE-79) - CVE-2018-0551

Cybozu, Inc. reported the CVE-2018-0530, CVE-2018-0531, CVE-2018-0532, CVE-2018-0533 and CVE-2018-0548 vulnerabilities to JPCERT/CC to notify users of the respective solutions through JVN. Jun Kokatsu reported the CVE-2018-0549 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. ixama reported the CVE-2018-0550 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN. Masato Kinugawa reported the CVE-2018-0551 vulnerability to Cybozu, Inc., and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.



The installer of Content Manager Assistant for PlayStation may insecurely load Dynamic Link Libraries

2018-04-04T14:04+09:00

Content Manager Assistant for PlayStation provided by Sony Interactive Entertainment Inc. is a data transfer tool. The installer of Content Manager Assistant for PlayStation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Shun Suzaki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



MQTT issue in handling PUBLISH packets

2018-04-04T14:02+09:00

MQTT is a client library for MQTT. MQTT contains an issue in handling PUBLISH packets sent from an MQTT Broker. Masataka Sakaguchi, Bintatsu Noda and Hisashi Kojima of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



OneThird CMS vulnerable to directory traversal

2018-04-04T13:58+09:00

OneThird CMS provided by SpiQe Software is a Contents Management System (CMS). OneThird CMS contains a directory traversal vulnerability (CWE-22). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of Music Center for PC may insecurely load Dynamic Link Libraries

2018-04-04T13:53+09:00

Music Center for PC provided by Sony Video & Sound Products Inc. is a file management tool. The installer of Music Center for PC contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#08517069. DigiGnome(@biz4g) reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in H2O

2018-04-04T13:49+09:00

H2O is open source web server software. H2O contains multiple vulnerabilities listed below.

* A Denial-of-service (DoS) due to a flaw in processing HTTP/1 headers (CWE-20) - CVE-2017-10868
* Stack-based buffer overflow (CWE-121) - CVE-2017-10869
* A Denial-of-service (DoS) due to a flaw in outputting the access log (CWE-118) - CVE-2017-10872
* A Denial-of-service (DoS) due to a flaw in processing HTTP/2 headers (CWE-20) - CVE-2017-10908

Kazuho Oku reported these vulnerabilities to IPA to notify users of their solutions through JVN. JPCERT/CC and Kazuho Oku coordinated under the Information Security Early Warning Partnership.



Lhaplus vulnerable to improper verification when expanding ZIP64 archives

2018-04-04T12:33+09:00

Lhaplus is file compression/decompression software. Lhaplus does not treat ZIP64 archives properly when expanding. Koji Ando of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Yodobashi App for Android fails to verify SSL server certificates

2018-04-04T12:28+09:00

Yodobashi App for Android provided by Yodobashi Camera Co.,Ltd. fails to verify SSL server certificates. Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Apache ActiveMQ vulnerable to cross-site scripting

2018-04-04T12:25+09:00

Apache ActiveMQ provided by the Apache Software Foundation is middleware that implements Java Message Service. Apache ActiveMQ contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Safari vulnerable to script injection

2018-03-30T13:39+09:00

Safari provided by Apple Inc. contains a script injection vulnerability (CWE-81) in the processing that displays an error page when server certificate verification fails. In the error page Safari displays when it fails to verify a server certificate, the domain name of the accessed website is output without escaping. Therefore, by exploiting this vulnerability, an arbitrary script may be executed in the user's web browser via the error page displayed when the user is led to visit a website with a specially crafted domain name. Yuji Tonai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



LXR vulnerable to OS command injection

2018-03-29T14:00+09:00

LXR provided by LXR Project contains an OS command injection vulnerability (CWE-78). Touma Hatano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in WZR-1750DHP2

2018-03-29T13:52+09:00

WZR-1750DHP2 provided by BUFFALO INC. is a wireless LAN router. WXR-1900DHP2 contains multiple vulnerabilities listed below.

* Missing Authentication for Critical Function (CWE-306) - CVE-2018-0554
* Buffer Overflow (CWE-119) - CVE-2018-0555
* OS Command Injection (CWE-78) - CVE-2018-0556

Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



iRemoconWiFi App for Android fails to verify SSL server certificates

2018-03-27T13:40+09:00

iRemoconWiFi App for Android provided by Glamo Inc. fails to verify SSL server certificates. Seigo Yamamoto of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of PhishWall Client Firefox and Chrome edition for Windows may insecurely load Dynamic Link Libraries

2018-03-15T13:38+09:00

PhishWall Client Firefox and Chrome edition for Windows provided by SecureBrain Corporation is anti-phishing and anti-MITB software. The installer of PhishWall Client Firefox and Chrome edition for Windows contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eiji James Yoshida of Security Professionals Network Inc. and Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



StreamRelay.net.exe and sDNSProxy.exe vulnerable to denial-of-service (DoS)

2018-03-14T14:26+09:00

StreamRelay.net.exe and sDNSProxy.exe fail to properly process ICMP Port Unreachable messages (CWE-703). Tomoki Sanaki reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Tomoki Sanaki coordinated under the Information Security Early Warning Partnership.



The installer of Media Go and Music Center for PC may insecurely load Dynamic Link Libraries

2018-03-14T14:25+09:00

Media Go and Music Center for PC provided by Sony Group are file management tools. The installers of Media Go and Music Center for PC contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. and Shun Suzaki reported the CVE-2017-10891 vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Movable Type plugin A-Member and A-Reserve vulnerable to SQL injection

2018-03-14T14:20+09:00

A-Member and A-Reserve provided by ARK-Web co., ltd. are plugins for Movable Type which provide functions to build a membership website or a reservation website. A-Member and A-Reserve contain an SQL injection vulnerability (CWE-89) due to an issue in processing cookie values. Yuuta Watanabe of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



PWR-Q200 vulnerable to DNS cache poisoning attacks

2018-03-14T14:19+09:00

PWR-Q200 provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION is a mobile WiFi router. PWR-Q200 is vulnerable to DNS cache poisoning attacks as DNS queries are done with a fixed source port (CWE-330). Toshifumi Sakaguchi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



QND Advance/Standard vulnerable to directory traversal

2018-03-14T14:17+09:00

QND Advance/Standard provided by QualitySoft Corporation contains a directory traversal vulnerability (CWE-22) in the administrative server due to an issue in processing input from an agent program. The administrative server also does not require authentication for communication between the server and an agent program; therefore, an arbitrary request sent from any device with network access to the administrative server is accepted and processed. Muneaki Nishimura of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer.



Multiple vulnerabilities in multiple Buffalo broadband routers

2018-03-14T14:15+09:00

BBR-4HG and BBR-4MG provided by BUFFALO INC. are wireless LAN routers. BBR-4HG and BBR-4MG contain multiple vulnerabilities listed below.

* Cross-site Scripting (CWE-79) - CVE-2017-10896
* Improper Input Validation (CWE-20) - CVE-2017-10897

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1

2018-03-14T14:13+09:00

Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1 provided by Princeton Ltd. is a Wi-Fi storage device. Wireless mobile storage "Digizo ShAirDisk" PTW-WMS1 contains multiple vulnerabilities listed below.

* Improper Access Restriction (CWE-284) - CVE-2017-10900
* Buffer Overflow (CWE-119) - CVE-2017-10901
* OS Command Injection (CWE-78) - CVE-2017-10902
* Improper Authentication (CWE-287) - CVE-2017-10903

Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Robotic appliance COCOROBO vulnerable to session management

2018-03-14T14:09+09:00

Robotic appliance COCOROBO provided by Sharp Corporation is a robot with a cleaning function. Robotic appliance COCOROBO contains a vulnerability in session management (CWE-639). Kiyotaka ATSUMI of IoT Technology Laboratory, Cyber Grid Japan, LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of The Public Certification Service for Individuals "The JPKI user's software" may insecurely load Dynamic Link Libraries

2018-03-14T14:07+09:00

The installer of The Public Certification Service for Individuals "The JPKI user's software" provided by Japan Agency for Local Authority Information Systems (J-LIS) contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#91002412 and JVN#39605485. BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



OpenAM (Open Source Edition) vulnerable to authentication bypass

2018-03-14T14:03+09:00

OpenAM (Open Source Edition) contains an authentication bypass vulnerability. Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Memory corruption vulnerability in Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro

2018-03-14T14:01+09:00

Rakuraku Hagaki and Rakuraku Hagaki Select for Ichitaro contain a memory corruption vulnerability.



Qt for Android vulnerable to OS command injection

2018-03-14T13:48+09:00

Qt for Android provided by The Qt Company contains an OS command injection vulnerability (CWE-78). Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of "Flets Easy Setup Tool" may insecurely load Dynamic Link Libraries

2018-03-14T13:48+09:00

Installer of "Flets Easy Setup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Qt for Android environment variables alteration

2018-03-14T13:44+09:00

Qt for Android contains an information alteration vulnerability. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Rakuten card App for iOS fails to verify SSL server certificates

2018-03-14T12:30+09:00

Rakuten card App for iOS provided by Rakuten Card Co., Ltd. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WebProxy vulnerable to directory traversal

2018-03-13T16:48+09:00

WebProxy provided by LunarNight Laboratory is software for creating a proxy server. WebProxy contains a directory traversal vulnerability (CWE-22) due to a flaw in processing certain requests. During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline, have been satisfied.

1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



TinyFTP Daemon vulnerable to buffer overflow

2018-03-13T16:48+09:00

TinyFTP Daemon provided by Hisayuki Nomura is an FTP (File Transfer Protocol) server. TinyFTP Daemon contains a buffer overflow vulnerability (CWE-121). During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline, have been satisfied.

1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



ViX may insecurely load Dynamic Link Libraries

2018-03-13T16:48+09:00

ViX provided by K_OKADA is graphics viewer software for Windows. ViX contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries contained in the same directory as an image file (CWE-427). During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline, have been satisfied.

1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



PHP 2chBBS vulnerable to cross-site scripting

2018-03-13T16:47+09:00

PHP 2chBBS provided by Kagaminokuni is software that can be downloaded from the Internet. PHP 2chBBS is bulletin board software that can be used by placing it on a website. PHP 2chBBS contains a cross-site scripting vulnerability (CWE-79). During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline, have been satisfied.

1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



ArsenoL vulnerable to cross-site scripting

2018-03-13T16:46+09:00

ArsenoL provided by FlaFla... is software that can be downloaded from the Internet. ArsenoL is dictionary software that is placed on a website and used to post words and their meanings. ArsenoL contains a cross-site scripting vulnerability (CWE-79) where an arbitrary script may be executed when the victim accesses a malicious page created by an attacker. During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline, have been satisfied.

1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



QQQ SYSTEMS vulnerable to arbitrary command injection

2018-03-13T16:43+09:00

QQQ SYSTEMS provided by Gundam Cult QQQ is a Perl CGI script to create quiz pages. QQQ SYSTEMS contains an OS command injection vulnerability (CWE-78). During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on December 5, 2017, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Vulnerability related Information of Software Products and Others and Information Security Early Warning Partnership Guideline, have been satisfied.

1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



QQQ SYSTEMS vulnerable to cross-site scripting

2018-03-13T16:43+09:00

QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. QQQ SYSTEMS contains a stored cross-site scripting vulnerability (CWE-79). When an administrative user of the software accesses a malicious page created by an attacker, an arbitrary script may be executed. Note that this vulnerability is different from both JVN#64990648 and JVN#96655441. During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline, have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



QQQ SYSTEMS vulnerable to cross-site scripting

2018-03-13T16:43+09:00

QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz_op.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability (CWE-79). When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed in the user's browser. Note that this vulnerability is different from both JVN#64990648 and JVN#46471407. During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline, have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



QQQ SYSTEMS vulnerable to cross-site scripting

2018-03-13T16:43+09:00

QQQ SYSTEMS provided by Gundam Cult QQQ is a CGI script to create quiz pages. quiz.cgi of QQQ SYSTEMS contains a cross-site scripting vulnerability (CWE-79). When a user accesses a malicious page and is redirected to a page created with the product, an arbitrary script may be executed in the user's browser. Note that this vulnerability is different from both JVN#96655441 and JVN#46471407. During the meeting of the Committee for authorizing the disclosure of unresolved vulnerabilities held on November 24, 2015, it was judged that an advisory for this vulnerability shall be disclosed since all the criteria and conditions described below, which are stated in Standards for Handling Software Vulnerability Information and Others (Directive #110, 2014) and Information Security Early Warning Partnership Guideline, have been satisfied.
1. The developer of the product is unreachable
2. Existence of vulnerability has been verified
3. Not disclosing this case may result in the risk that product users will have no means to know of the existence of the vulnerability in the product
4. There are no particular reasons that would make disclosure inappropriate



Multiple vulnerabilities in CG-WGR1200

2018-03-09T13:56+09:00

CG-WGR1200 provided by Corega Inc is a wireless LAN router. CG-WGR1200 contains multiple vulnerabilities listed below.
* Buffer Overflow (CWE-119) - CVE-2017-10852
* Buffer Overflow (CWE-78) - CVE-2017-10853
* Authentication bypass (CWE-306) - CVE-2017-10854
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WordPress plugin "WP All Import" vulnerable to cross-site scripting

2018-03-08T14:10+09:00

The WordPress plugin "WP All Import" provided by Soflyy contains a reflected cross-site scripting vulnerability (CWE-79). Note that this vulnerability is different from JVN#33527174. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WordPress plugin "WP All Import" vulnerable to cross-site scripting

2018-03-08T14:10+09:00

The WordPress plugin "WP All Import" provided by Soflyy contains a cross-site scripting vulnerability (CWE-79) in the file upload function. Note that this vulnerability is different from JVN#60032768. Mardan Muhidin of Gehirn Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Apache Brooklyn vulnerable to cross-site request forgery

2018-03-07T14:35+09:00

Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains a cross-site request forgery vulnerability. It is known that proof-of-concept code to exploit this vulnerability exists. Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



InterScan Web Security Virtual Appliance vulnerable to code injection

2018-03-07T14:32+09:00

InterScan Web Security Virtual Appliance provided by Trend Micro Incorporated contains a code injection vulnerability.



SumaHo for Android fails to verify SSL/TLS server certificates

2018-03-07T14:24+09:00

SumaHo for Android fails to verify SSL/TLS server certificates. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Home unit KX-HJB1000 contains multiple vulnerabilities

2018-03-07T14:24+09:00

Home unit KX-HJB1000 provided by Panasonic Corporation is a control system for home networks. Home unit KX-HJB1000 contains multiple vulnerabilities listed below. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of HYPER SBI may insecurely load Dynamic Link Libraries

2018-03-07T14:01+09:00

HYPER SBI provided by SBI SECURITIES Co.,Ltd. is a trading tool. Installer of HYPER SBI contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Yuto Iso of NTT Security (Japan) KK reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



I-O DATA LAN DISK Connect vulnerable to denial-of-service (DoS)

2018-03-07T14:01+09:00

LAN DISK Connect provided by I-O DATA DEVICE, INC. contains a denial-of-service (DoS) vulnerability (CWE-119) due to a flaw in processing certain packets. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Wi-Fi STATION L-02F vulnerable to buffer overflow

2018-03-07T14:00+09:00

Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. contains a buffer overflow vulnerability. Daisuke Makita and Hayato Ushimaru of National Institute of Information and Communications Technology, Jumpei Shimamura of clwit, Inc. and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



GANMA! App for iOS fails to verify SSL server certificates

2018-03-07T13:50+09:00

GANMA! App for iOS provided by COMICSMART INC. fails to verify SSL server certificates. Yuji Tounai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



ANA App fails to verify SSL server certificates

2018-03-07T13:50+09:00

ANA App provided by ALL NIPPON AIRWAYS CO., LTD fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Smartphone Passbook fails to verify SSL server certificates

2018-03-07T13:50+09:00

Smartphone Passbook provided by Ogaki Kyoritsu bank Ltd. fails to verify SSL server certificates. Hiroshi Kumagai reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



CS-Cart Japanese Edition vulnerable to cross-site scripting

2018-03-07T13:36+09:00

CS-Cart is a system for creating online shopping websites. CS-Cart Japanese Edition contains a cross-site scripting vulnerability (CWE-79). Satoshi Ogawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WordPress plugin "TablePress" vulnerable to improper restriction of XML external entity (XXE) references

2018-03-07T13:36+09:00

The WordPress plugin "TablePress" is a plugin to create and manage tables on WordPress site. TablePress contains a vulnerability where XML external entity (XXE) references are not properly restricted (CWE-611). Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in BOOK WALKER for Windows/Mac

2018-03-07T13:36+09:00

BOOK WALKER for Windows/Mac provided by BOOK WALKER Co.,Ltd. are applications to view e-books. The installer of BOOK WALKER for Windows contains a vulnerability which may lead to insecurely loading Dynamic Link Libraries. Also, BOOK WALKER for Windows/Mac contain a vulnerability which may lead to information disclosure as a result of reading a specially crafted file.
* DLL preloading vulnerability (CWE-427) - CVE-2017-10887
* Information disclosure vulnerability (CWE-200) - CVE-2017-10888
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



niconico App for iOS fails to verify SSL server certificates

2018-03-07T12:26+09:00

niconico App for iOS provided by DWANGO Co., Ltd. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



jwt-scala fails to verify token signatures

2018-03-07T12:23+09:00

jwt-scala is a Scala library to handle JSON Web Token (JWT). jwt-scala contains a vulnerability where it fails to verify token signatures correctly due to improper processing of JWT headers. Toshiharu Sugiyama of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to the developer and JPCERT/CC and directly coordinated with the developer. JPCERT/CC published this advisory as the developer agreed with the publication on JVN.



Cybozu Office fails to restrict access permissions

2018-03-07T12:21+09:00

Cybozu Office provided by Cybozu, Inc. fails to restrict access permissions (CWE-284) due to an issue in the "Cabinet" function. Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.



Gurunavi App for iOS fails to verify SSL server certificates

2018-03-07T12:17+09:00

Gurunavi App for iOS provided by Gurunavi, Inc. fails to verify SSL server certificates. AOKI Keiichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



HIBUN Confidential File Decryption program may insecurely load Dynamic Link Libraries

2018-03-07T12:12+09:00

HIBUN Confidential File Decryption program provided by Hitachi Solutions, Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#58909026. Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of HIBUN Confidential File Viewer may insecurely load Dynamic Link Libraries and invoke executable files

2018-03-07T12:09+09:00

Installer of HIBUN Confidential File Viewer provided by Hitachi Solutions, Ltd. contains an issue with the search path for DLL/executable files, which may lead to insecurely loading Dynamic Link Libraries and invoking executable files (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



HIBUN Confidential File Decryption program may insecurely load Dynamic Link Libraries

2018-03-07T12:06+09:00

HIBUN Confidential File Decryption program provided by Hitachi Solutions, Ltd. contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Note that this vulnerability is different from JVN#55516206. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of WinShot may insecurely load Dynamic Link Libraries

2018-03-05T15:10+09:00

Installer of WinShot contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of JTrim may insecurely load Dynamic Link Libraries

2018-03-05T14:07+09:00

Installer of JTrim contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in Jubatus

2018-03-02T13:45+09:00

Jubatus provided by Jubatus Community contains multiple vulnerabilities listed below.
* Arbitrary code execution - CVE-2018-0524
* Directory traversal (CWE-22) - CVE-2018-0525
Symantec Japan, Inc. Advisory Services Team reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



XXE Vulnerability in Hitachi Device Manager

2018-03-01T15:20+09:00

An XXE (XML External Entity) Vulnerability was found in Hitachi Device Manager. This vulnerability only affects the Linux cluster environment.



Multiple Vulnerabilities in Hitachi Command Suite

2018-03-01T15:20+09:00

Multiple vulnerabilities have been found in Hitachi Command Suite.
* Cross-site Scripting
* Open Redirect



"Honda Moto LINC" App for Android fails to verify SSL server certificates

2018-02-28T14:36+09:00

"Honda Moto LINC" App for Android fails to verify SSL server certificates. Yasuyuki KOBAYASHI reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple vulnerabilities in "Dokodemo eye Smart HD" SCR02HD

2018-02-28T14:28+09:00

Wireless monitor "Dokodemo eye Smart HD" SCR02HD provided by NIPPON ANTENNA Co., Ltd contains multiple vulnerabilities listed below.
* OS command injection (CWE-78) - CVE-2017-10832
* Improper access restriction (CWE-425) - CVE-2017-10833
* Directory traversal (CWE-22) - CVE-2017-10834
* Arbitrary PHP code execution (CWE-94) - CVE-2017-10835
Masashi Shiraishi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer and self-extracting archive containing the installer of "Security Setup Tool" may insecurely load Dynamic Link Libraries

2018-02-28T14:28+09:00

The installer and the self-extracting archive containing the installer of "Security Setup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



SEIL Series routers vulnerable to denial-of-service (DoS)

2018-02-28T14:12+09:00

The IPsec/IKE function in SEIL Series routers provided by Internet Initiative Japan Inc. contains a denial-of-service (DoS) vulnerability due to a flaw in processing certain packets. Internet Initiative Japan Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Internet Initiative Japan Inc. coordinated under the Information Security Early Warning Partnership.



Backdoor access issue in Wi-Fi STATION L-02F

2018-02-28T14:11+09:00

Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. contains a backdoor access issue. Japan Computer Emergency Response Team Coordination Center Global Coordination Division Cyber Metrics Line Information Security Analyst Keisuke Shikano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Wi-Fi STATION L-02F fails to restrict access permissions

2018-02-28T14:09+09:00

Wi-Fi STATION L-02F provided by NTT DOCOMO, INC. fails to restrict access permissions. Japan Computer Emergency Response Team Coordination Center Global Coordination Division Cyber Metrics Line Information Security Analyst Keisuke Shikano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of "Flets Azukeru for Windows Auto Backup Tool" may insecurely load Dynamic Link Libraries

2018-02-28T14:07+09:00

Installer of "Flets Azukeru for Windows Auto Backup Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of "Flets Install Tool" may insecurely load Dynamic Link Libraries

2018-02-28T14:07+09:00

Installer of "Flets Install Tool" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



The installer of the Ministry of Justice [The electronic authentication system based on the commercial registration system "The CRCA user's Software"] may insecurely load Dynamic Link Libraries

2018-02-28T14:04+09:00

The electronic authentication system based on the commercial registration system "The CRCA user's Software" provided by the Ministry of Justice contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). DigiGnome and BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of "Security Kinou Mihariban" may insecurely load Dynamic Link Libraries

2018-02-28T14:04+09:00

Installer of "Security Kinou Mihariban" provided by NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Installer of FENCE-Explorer may insecurely load Dynamic Link Libraries and invoke executable files

2018-02-28T13:58+09:00

FENCE-Explorer provided by FUJITSU BROAD SOLUTION & CONSULTING Inc. is a tool to view and edit a file in "FENCE Briefcase" which is created by FENCE-Pro and other FENCE series software. Installer of FENCE-Explorer contains an issue with the search path for DLL/executable files, which may lead to insecurely loading Dynamic Link Libraries and invoking executable files (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple Fuji Xerox products may insecurely load Dynamic Link Libraries

2018-02-28T13:50+09:00

Installers of multiple products, and DocuWorks self-extracting documents provided by Fuji Xerox Co.,Ltd. contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Eili Masami of Tachibana Lab. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WordPress plugin "BackupGuard" vulnerable to cross-site scripting

2018-02-28T12:26+09:00

The WordPress plugin "BackupGuard" provided by BackupGuard contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.