Subscribe: JVNDB RSS Feed - 2010 Years Entry
http://jvndb.jvn.jp/en/rss/years/jvndb_2010.rdf

JVNDB RSS Feed - 2010 Years Entry



JVN iPedia Yearly Entry



Published: 2018-04-15T09:03:48+09:00

 



Movable Type access restriction bypass vulnerability

2010-01-06T16:26+09:00

Movable Type contains an access restriction bypass vulnerability. Movable Type, a web log system from Six Apart KK, contains a vulnerability that allows a remote attacker to bypass access restrictions. This vulnerability is different from JVN#08369659.



WebCalenderC3 cross-site scripting vulnerability

2010-01-14T21:23+09:00

WebCalenderC3 from C3 Corp. contains a cross-site scripting vulnerability. WebCalenderC3 from C3 Corp. is calendar software. WebCalenderC3 contains a cross-site scripting vulnerability. According to the developer, they were not able to reproduce the vulnerability. However, to mitigate against potential security risks, the developer has released a security enhanced version. Masako Oono reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



WebCalenderC3 vulnerable to directory traversal

2010-01-14T21:24+09:00

WebCalenderC3 from C3 Corp. contains a directory traversal vulnerability. WebCalenderC3 from C3 Corp. is calendar software. WebCalenderC3 contains a directory traversal vulnerability. Masako Oono reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Oracle Application Server vulnerable to cross-site scripting

2010-01-14T21:24+09:00

Oracle Application Server from Oracle contains a cross-site scripting vulnerability. Oracle Application Server from Oracle is an application server. Oracle Application Server contains a cross-site scripting vulnerability. Daiki Fukumori reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



tDiary plugin tb-send.rb vulnerable to cross-site scripting

2010-02-26T12:45+09:00

tDiary plugin tb-send.rb contains a cross-site scripting vulnerability. tDiary is a weblog software. tDiary plugin tb-send.rb contains a cross-site scripting vulnerability. The developer has confirmed that tDiary 2.3.x are not affected by this vulnerability. Project VEX of UBsecure, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



OpenPNE authentication bypass vulnerability

2010-03-12T15:29+09:00

OpenPNE contains an authentication bypass vulnerability. OpenPNE is an open source SNS (Social Networking Service) software. OpenPNE provides an "IP address range limitation" function to provide access to certain pages only to mobile devices. OpenPNE has an issue with the IP address range limitation function that may lead to an authentication bypass vulnerability. As a result, the "simple login" function for mobile phones may allow a remote attacker to bypass authentication. Note that products are affected by this vulnerability only when mobile device support and IP address range limitation are both enabled. According to the developer, in all versions of OpenPNE 1.6 and later, the IP address range limitation function is either not implemented or not enabled by default. The developer has released information regarding this issue. For more information, refer to the information provided by the developer. Hiromitsu Takagi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



PrettyFormMail vulnerable to cross-site scripting

2010-04-02T17:31+09:00

PrettyFormMail from PrettyBook contains a cross-site scripting vulnerability. PrettyFormMail from PrettyBook is a software that sends emails with contents that are input into a HTML form. PrettyFormMail contains a cross-site scripting vulnerability. Masako Ohono reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Compiere vulnerable to cross-site scripting

2010-04-02T17:32+09:00

Compiere provided by Almas Inc. contains a cross-site scripting vulnerability. Compiere provided by Almas Inc. is an Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) software. Compiere contains a cross-site scripting vulnerability. This vulnerability is different from JVN#38687002. Naruhisa Tadokoro of Kobe Digital Labo Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Compiere vulnerable to cross-site scripting

2010-04-02T17:32+09:00

Compiere provided by Almas Inc. contains a cross-site scripting vulnerability. Compiere provided by Almas Inc. is an Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) software. Compiere contains a cross-site scripting vulnerability. This vulnerability is different from JVN#57963254. Naruhisa Tadokoro of Kobe Digital Labo Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



HL-SiteManager vulnerable to SQL injection

2010-04-02T17:33+09:00

HL-SiteManager from Heartlogic contains a SQL injection vulnerability. HL-SiteManager from Heartlogic is a contents management system (CMS) software. HL-SiteManager contains a SQL injection vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Internet Explorer information disclosure vulnerability

2010-04-08T17:47+09:00

Internet Explorer contains an information disclosure vulnerability. Internet Explorer contains an issue when handling content using specific encoding strings that may lead to an information disclosure vulnerability. Daiki Fukumori of Cyber Defense Institute Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



MODx vulnerable to SQL injection

2010-04-08T17:47+09:00

MODx provided by The MODx CMS Project contains a SQL injection vulnerability. MODx provided by the MODx CMS Project is a Contents Management System (CMS) software. MODx contains a SQL injection vulnerability. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



MODx vulnerable to cross-site scripting

2010-04-08T17:47+09:00

MODx provided by The MODx CMS Project contains a cross-site scripting vulnerability. MODx provided by the MODx CMS Project is a Contents Management System (CMS) software. MODx contains a cross-site scripting vulnerability. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Cisco Router and Security Device Manager vulnerable to cross-site scripting

2010-04-08T17:47+09:00

Cisco Router and Security Device Manager (SDM) contains a cross-site scripting vulnerability. Cisco Router and Security Device Manager (SDM) is a web-based device management tool for Cisco routers. Cisco Router and Security Device Manager (SDM) contains a cross-site scripting vulnerability.



Ichitaro series vulnerable to arbitrary code execution

2010-04-12T17:17+09:00

The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. For more information, refer to the developer's website.



Multiple Cybozu products vulnerable to authentication bypass

2010-04-21T17:27+09:00

Multiple Cybozu products contain an authentication bypass vulnerability. Multiple Cybozu products contain an issue in which the login page for mobile devices is not properly restricted, leading to an authentication bypass vulnerability. As a result, an attacker may impersonate a user of a Cybozu product.



Movable Type vulnerable to cross-site scripting

2010-05-12T15:25+09:00

Movable Type contains a cross-site scripting vulnerability. Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN.



Interstage Application Server vulnerable in request processing

2010-05-17T16:42+09:00

The Servlet service provided by the Interstage Application Server from Fujitsu Limited, contains a vulnerability where certain requests are not processed properly. The Servlet service provided by the Interstage Application Server from Fujitsu Limited, contains a vulnerability where certain requests may be handled improperly depending on the settings at the load balancing device.



WebSAM DeploymentManager vulnerable to denial of service

2010-05-17T16:42+09:00

WebSAM DeploymentManager contains a denial of service (DoS) vulnerability. WebSAM DeploymentManager is a product that manages the distribution of security patches. WebSAM DeploymentManager contains a denial of service (DoS) vulnerability. Servers or workstations that installed "Client Service for DPM" from the following products are vulnerable.

* WebSAM DeploymentManager Ver5.13 and earlier

The above mentioned WebSAM DeploymentManager is provided as part of the following products and are also affected by this vulnerability.

* SigmaSystemCenter 2.1 Update2 and earlier
* BladeSystemCenter all versions
* ExpressSystemCenter all versions
* VirtualPCCenter 2.2 and earlier



CapsSuite Small Edition PatchMeister vulnerable to denial of service

2010-05-17T16:43+09:00

CapsSuite Small Edition PatchMeister contains a denial of service (DoS) vulnerability. CapsSuite Small Edition PatchMeister is a product that manages the application of security patches. CapsSuite Small Edition PatchMeister contains a denial of service (DoS) vulnerability. Servers or workstations that installed "Client Service for PTM" from the following products are vulnerable.

* CapsSuite Small Edition PatchMeister Ver2.0 Update2 and earlier



e-Pares vulnerable to cross-site scripting

2010-06-03T11:29+09:00

e-Pares contains a cross-site scripting vulnerability. e-Pares is a system that manages facility (conference rooms, etc.) information. e-Pares contains a cross-site scripting vulnerability. This vulnerability that was reported to IPA and JPCERT/CC was discovered as part of the Web application diagnosis service by Local Authorities Systems Development Center (LASDEC) for the 2008 fiscal year.



e-Pares vulnerable to cross-site request forgery

2010-06-03T11:29+09:00

e-Pares contains a cross-site request forgery vulnerability. e-Pares is a system that manages facility (conference rooms, etc.) information. e-Pares contains a cross-site request forgery vulnerability. This vulnerability that was reported to IPA and JPCERT/CC was discovered as part of the Web application diagnosis service by Local Authorities Systems Development Center (LASDEC) for the 2008 fiscal year.



e-Pares vulnerable to session fixation

2010-06-03T11:29+09:00

e-Pares contains a session fixation vulnerability. e-Pares is a system that manages facility (conference rooms, etc.) information. e-Pares contains a session fixation vulnerability. This vulnerability that was reported to IPA and JPCERT/CC was discovered as part of the Web application diagnosis service by Local Authorities Systems Development Center (LASDEC) for the 2008 fiscal year.



Ichitaro series vulnerable to arbitrary code execution

2010-06-01T17:37+09:00

The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. This vulnerability is different from JVN#98467259. The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution.



Multiple vulnerabilities in ActiveGeckoBrowser

2010-06-17T19:50+09:00

ActiveGeckoBrowser from Fenrir Inc. contains multiple vulnerabilities. ActiveGeckoBrowser from Fenrir Inc. is a plugin that adds the Gecko rendering engine to the Sleipnir web browser. ActiveGeckoBrowser contains multiple vulnerabilities caused by the Gecko engine.



Explzh buffer overflow vulnerability

2010-06-22T16:37+09:00

Explzh contains a buffer overflow vulnerability. Explzh, a file compression/decompression software supporting multiple compression file formats, contains a buffer overflow vulnerability when processing a LHA file header. Note that versions of Explzh that contain "Arcext.dll" version 2.16.1 and earlier are vulnerable. Kenju Takano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Winny BBS information processing vulnerability

2010-08-20T17:17+09:00

Winny contains a vulnerability in the processing of BBS information. Winny is a P2P file sharing software. Winny contains a vulnerability in the processing of BBS information, which can be used to launch Distributed Denial of Service (DDoS) attacks. Yuji Ukai of eEye Digital Security reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Winny node information processing vulnerability

2010-08-20T17:17+09:00

Winny contains a vulnerability in the processing of node information. Winny is a P2P file sharing software. Winny contains a vulnerability in the processing of node information, which can be used to launch Distributed Denial of Service (DDoS) attacks. Fuyumasa Takatsu of University of Tsukuba reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Winny vulnerable to buffer overflow

2010-08-20T17:18+09:00

Winny contains a buffer overflow vulnerability. Winny is a P2P file sharing software. Winny contains a buffer overflow vulnerability. This vulnerability is different from JVN#91740962 and JVN#74294680. Makoto Iwamura of NTT Information Sharing Platform Laboratories reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Moti Joseph and Kobi Pariente reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Winny vulnerable to buffer overflow

2010-08-20T17:18+09:00

Winny contains a buffer overflow vulnerability. Winny is a P2P file sharing software. Winny contains a buffer overflow vulnerability. This vulnerability is different from JVN#21471805 and JVN#74294680. Moti Joseph and Kobi Pariente reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Microsoft Windows denial of service (DoS) vulnerability

2010-08-13T18:44+09:00

Microsoft Windows contains a denial of service (DoS) vulnerability. Microsoft Windows contains a denial of service (DoS) vulnerability caused by IPv6 packets with malformed extension headers. Darren Willis of Fourteenforty Research Institute Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



SEIL/X Series and SEIL/B1 IPv6 Unicast RPF vulnerability

2010-08-25T13:54+09:00

SEIL/X Series and SEIL/B1 contain a vulnerability in which IPv6 Unicast Reverse Path Forwarding (RPF) does not properly function in strict mode. SEIL/X Series and SEIL/B1 are routers. SEIL/X Series and SEIL/B1 contain a vulnerability in which IPv6 Unicast Reverse Path Forwarding (RPF) does not properly function in strict mode. Only IPv6 Unicast RPF in strict mode is vulnerable. According to the developer, IPv6 Unicast RPF in loose mode and IPv4 Unicast RPF are not affected by this vulnerability.



moobbs vulnerable to cross-site scripting

2010-08-31T14:16+09:00

moobbs contains a cross-site scripting vulnerability. moobbs from Moo is a bulletin board software. moobbs contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



moobbs2 vulnerable to cross-site scripting

2010-08-31T14:16+09:00

moobbs2 contains a cross-site scripting vulnerability. moobbs2 from Moo is a threaded bulletin board software. moobbs contains a cross-site scripting vulnerability. Yuji Tounai of bogus.jp reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Cross-site scripting vulnerability in Access Analyzer CGI by futomi's CGI Cafe

2010-09-10T17:25+09:00

Access Analyzer CGI from futomi's CGI Cafe contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page. Access Analyzer CGI provided by futomi's CGI Cafe is a software to analyze web access logs. Access Analyzer CGI contains a cross-site scripting vulnerability. This is caused by a particular method in which tags are embedded into the web page. According to the developer, users of the Professional version that are using the "Method to load js files for tags within the head tag" as stated in the manual are not affected by this vulnerability. Katsumi Kobayashi of NRI Secure Technologies, Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



AD-EDIT2 vulnerable to cross-site scripting

2010-10-05T19:31+09:00

AD-EDIT2 contains a cross-site scripting vulnerability. AD-EDIT2 is a Contents Management System (CMS) software. AD-EDIT2 contains a cross-site scripting vulnerability. Seiei Higa of IT College Okinawa reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Lhaplus may insecurely load dynamic libraries

2010-10-18T19:36+09:00

Lhaplus may use unsafe methods for determining how to load DLLs. Lhaplus is a file compression/extraction software supporting multiple file formats. Lhaplus loads certain DLL's when files are extracted. Lhaplus contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Hitachi Incident Response Team and Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Lhasa may insecurely load executable files

2010-10-18T19:36+09:00

Lhasa may use unsafe methods for determining how to load executables (.exe). Lhasa is a file extraction software that supports LZH and ZIP formats. Lhasa loads certain executables (.exe) when extracting files. Lhasa contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Lhaplus may insecurely load executable files

2010-10-20T17:40+09:00

Lhaplus may use unsafe methods for determining how to load executables (.exe). Lhaplus is a file compression/extraction software supporting multiple file formats. Lhaplus loads certain executables (.exe) when extracting files. Lhaplus contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



XacRett may insecurely load executable files

2010-10-20T17:40+09:00

XacRett may use unsafe methods for determining how to load executables (.exe). XacRett is a file extraction software that supports many file formats. XacRett loads certain executables (.exe) when extracting files. XacRett contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



K2Editor may insecurely load executable files

2010-10-20T17:41+09:00

K2Editor may use unsafe methods for determining how to load executables (.exe). K2Editor is a text editor. K2Editor loads certain executables (.exe) when opening the folder that contains the text file that is being edited. K2Editor contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Cross-site Request Forgery Vulnerability in Oracle iPlanet Web Server

2010-10-18T19:37+09:00

Oracle iPlanet Web Server (formerly Sun Java System Web Server) contains a cross-site request forgery vulnerability. Oracle iPlanet Web Server (formerly Sun Java System Web Server) is a web server. Oracle iPlanet Web Server contains a cross-site request forgery vulnerability. Yoshihiro Ishikawa of LAC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Explzh may insecurely load executable files

2010-10-20T17:41+09:00

Explzh may use unsafe methods for determining how to load executables (.exe). Explzh is a file compression/extraction software supporting multiple file formats. Explzh loads certain executables (.exe) when extracting files. Explzh contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Archive Decoder may insecurely load executable files

2010-10-20T17:41+09:00

Archive Decoder may use unsafe methods for determining how to load executables (.exe). Archive Decoder is a file extraction software that supports multiple file en extracting files. Archive Decoder contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



TeraPad may insecurely load dynamic libraries

2010-10-26T16:51+09:00

TeraPad may use unsafe methods for determining how to load DLLs. TeraPad is a text editor. TeraPad loads certain DLL's when TXT files are opened. TeraPad contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Apsaly may insecurely load executable files

2010-10-26T16:52+09:00

Apsaly may use unsafe methods for determining how to load executables (.exe). Apsaly is a text editor that can interact with other applications. Apsaly loads certain executables when opening the folder that contains the file that is being edited, or when a particular sequence of actions is performed. Apsaly contains an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Sleipnir and Grani may insecurely load dynamic libraries

2010-10-25T17:42+09:00

Sleipnir and Grani may use unsafe methods for determining how to load DLLs. Sleipnir and Grani provided by Fenrir are web browsers. Sleipnir and Grani load certain DLLs when HTML files are opened. Sleipnir and Grani contain an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Sleipnir and Grani may insecurely load executable files

2010-10-25T17:43+09:00

Sleipnir and Grani may use unsafe methods for determining how to load executables (.exe). Sleipnir and Grani provided by Fenrir are web browsers. Sleipnir and Grani load certain executables when displaying the source code of the HTML file currently being viewed. Sleipnir and Grani contain an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Multiple Yokka provided products may insecurely load executable files

2010-10-25T17:43+09:00

Multiple products provided by Yokka may use unsafe methods for determining how to load executables (.exe). Multiple products provided by Yokka such as text editors, contain an issue with the file search path, which may insecurely load executables. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Active! mail 6 vulnerable to HTTP header injection

2010-10-29T20:36+09:00

Active! mail 6 from TransWARE Co. contains a HTTP header injection vulnerability. Active! mail 6 from TransWARE Co. is a web-based email software. Active! mail 6 contains a HTTP header injection vulnerability. Taketo Ikeuchi of Hitachi Solutions, Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



GVim may insecurely load dynamic libraries

2010-11-01T18:51+09:00

GVim may use unsafe methods for determining how to load DLLs. GVim is a text editor. GVim loads certain DLL's when TXT files are opened. GVim contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries. Makoto Shiotsuki reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Ichitaro series vulnerable to arbitrary code execution

2010-11-05T16:15+09:00

The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. This vulnerability differs from JVN#01948274, and other issues that were previously published on JVN.



Ichitaro series vulnerable to arbitrary code execution

2010-11-05T16:15+09:00

The "Ichitaro" series word processing software, from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution. This vulnerability differs from JVN#19173793, and other issues that were previously published on JVN.



Flash Player access restriction bypass vulnerability

2011-02-01T16:22+09:00

Flash Player contains an access restriction bypass vulnerability. When Flash Player references a different website than the site where Flash contents are hosted, the referenced site must be allowed access by the cross-domain policy file. Flash Player contains a vulnerability where access restrictions set by the cross-domain policy file may be bypassed.



Google Chrome information disclosure vulnerability

2010-11-26T17:32+09:00

Google Chrome contains an information disclosure vulnerability. Google Chrome contains an information disclosure vulnerability caused by the improper handling of XML files. Takayoshi Isayama from Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Clipboard contents alteration vulnerability in Sleipnir

2010-12-01T20:27+09:00

Sleipnir contains a vulnerability in which the contents of the clipboard may be altered. Sleipnir, a web browser provided by Fenrir, contains a vulnerability in which the contents of the clipboard may be altered. As a result, when Sleipnir is being used under certain settings, the contents of the clipboard may be read or written from a website. According to the developer, users who are using the version 2.9.6 that was released prior to November 25, 2010 at 3pm (Japan Time) with the default settings are affected by this vulnerability.



Clipboard contents alteration vulnerability in Grani

2010-12-01T20:27+09:00

Grani contains a vulnerability in which the contents of the clipboard may be altered. Grani, a web browser provided by Fenrir, contains a vulnerability in which the contents of the clipboard may be altered. As a result, when Grani is being used under certain settings, the contents of the clipboard may be read or written from a website. According to the developer, users who are using the version 4.5 that was released prior to November 25, 2010 at 3pm (Japan Time) with the default settings are affected by this vulnerability.



Vulnerability in Epson printer driver installer where access permissions are changed

2010-12-08T18:25+09:00

A vulnerability in printer driver installers provided by Epson causes access permissions to a certain folder on the system to be changed. When printer drivers provided by Epson are installed, the access permissions for the folder that contains program files (C:\Program Files) are changed. As a result, users that do not have permission to access that folder can gain access to that folder. According to the developer, printer drivers that were included with the product or downloaded from the developer website from the initial release of May 2010 through November 25, 2010 are affected by this vulnerability. Also, users of Windows Vista and later operating systems are not affected.



Movable Type vulnerable to cross-site scripting

2010-12-08T18:26+09:00

Movable Type contains a cross-site scripting vulnerability. Movable Type, a web log system from Six Apart KK, contains a cross-site scripting vulnerability. This vulnerability is different than the previous vulnerabilities disclosed on JVN.



Movable Type vulnerable to SQL injection

2010-12-08T18:28+09:00

Movable Type contains a SQL injection vulnerability. Movable Type, a web log system from Six Apart KK, contains a SQL injection vulnerability.



Internet Explorer vulnerable to cross-site scripting

2010-12-15T18:18+09:00

Microsoft Internet Explorer contains a cross-site scripting vulnerability due to the way file types are determined. Microsoft Internet Explorer contains a vulnerability in handling Content-Type, which may result in cross-site scripting. For more information, refer to the information provided by Microsoft. Yoshinari Fukumoto of Rakuten, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Internet Explorer vulnerable to cross-site scripting

2010-12-15T18:19+09:00

Microsoft Internet Explorer contains a vulnerability in handling specific character encoding which may result in a cross-site scripting attack. Microsoft Internet Explorer contains a vulnerability in handling specific UTF-7 encoded characters, which may result in cross-site scripting. For more information, refer to the information provided by Microsoft. Takeshi Terada and Yutaka Kokubu from Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Internet Explorer vulnerable to cross-site scripting

2010-12-15T18:19+09:00

Microsoft Internet Explorer contains a vulnerability in handling specific character encoding which may result in a cross-site scripting attack. Microsoft Internet Explorer contains a vulnerability in handling specific EUC-JP or Shift_JIS encoded characters, which may result in cross-site scripting. For more information, refer to the information provided by Microsoft. NetAgent Co.,Ltd. and hoshikuzu|star_dust reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



Internet Explorer vulnerable to cross-site scripting

2010-12-15T18:20+09:00

Microsoft Internet Explorer contains a vulnerability in handling specific character encoding which may result in a cross-site scripting attack. Microsoft Internet Explorer contains a vulnerability in handling specific ISO-2022-JP encoded characters, which may result in cross-site scripting. For more information, refer to the information provided by Microsoft. Masatoshi Sato of AZIA CO., LTD. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



AttacheCase may insecurely load executable files

2010-12-17T18:30+09:00

AttacheCase may use unsafe methods for determining how to load executables (.exe). AttacheCase is a file encryption/decryption software. AttacheCase loads certain executables (.exe) when decrypting files, if certain settings are applied. AttacheCase contains an issue with the file search path, which may insecurely load executables. Hirotaka Katagiri reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.



uCosminexus Portal Framework Cross-Site Scripting Vulnerability

2010-03-03T12:00+09:00

uCosminexus Portal Framework has a cross-site scripting vulnerability.



JP1/Cm2/Network Node Manager Remote Console Insecure File Permissions Vulnerability

2010-03-15T12:21+09:00

Computer systems running the JP1/Cm2/Network Node Manager (NNM) Remote Console for Windows are vulnerable due to insecure file permissions set on the systems.



Accela BizSearch Access Control Bypass Vulnerability

2010-04-09T16:36+09:00

The local file searching function in IntelligentSearch and Accela BizSearch is prone to an access control bypass vulnerability.



Several EUR Form/EUR Products Arbitrary Code Execution Vulnerability

2010-05-18T11:33+09:00

An arbitrary code execution vulnerability exists in several EUR Form and EUR products.



XMAP3 Arbitrary Code Execution Vulnerability

2010-05-18T11:34+09:00

A system with XMAP3/Web installed is vulnerable to arbitrary code execution, or may experience an unexpected shutdown of Internet Explorer. The same issues exist in the Web browser testing tool, a web system development feature that comes with XMAP3/NET and XMAP3/Enterprise Edition.



Arbitrary Code Execution Vulnerability in CA ARCserve Backup and BrightStor ARCserve Backup

2010-06-08T14:03+09:00

The version of JRE shipped with CA ARCserve Backup and BrightStor ARCserve Backup is vulnerable to arbitrary code execution.



Stack-Based Buffer Overflow Vulnerability in Collaboration Common Utility

2010-06-08T14:03+09:00

Collaboration Common Utility, a component of multiple Hitachi products, is vulnerable to stack-based buffer overflow when the Drag and Drop Component for Collaboration feature is also installed.



TP1/Message Control Denial of Service (DoS) Vulnerability

2010-06-22T11:23+09:00

The port used by TP1/Message Control's mapping service has a vulnerability where the port is forced to keep collecting debug information when it receives a maliciously-crafted message, which in turn causes the depletion of the disk resource and leads to a denial of service (DoS) condition.



Improper Authentication Vulnerability in Handling of Revoked Certificate in Hitachi Web Server SSL Client Authentication

2010-06-22T11:23+09:00

SSL client authentication in Hitachi Web Server has a vulnerability which allows an attacker to access a Hitachi Web Server using the client certificates registered in the Certificate Revocation List (CRL). This vulnerability does not apply if SSL or SSL client authentication is not in use. The vulnerability does affect the Cosminexus products bundled with Hitachi Web Server.



Groupmax World Wide Web Desktop Cross-Site Scripting Vulnerability

2010-06-22T11:23+09:00

Groupmax World Wide Web Desktop is vulnerable to cross-site scripting.



Cross-Site Scripting Vulnerability in Interstage Portalworks and Interstage Interaction Manager Portal Function

2010-06-22T11:24+09:00

The portal function of Interstage Portalworks and Interstage Interaction Manager is vulnerable to cross-site scripting.



Safari address bar spoofing vulnerability

2010-12-10T17:48+09:00

Safari contains a vulnerability where the URL displayed in the address bar may be spoofed. Safari contains a vulnerability where the address bar displays a character string that looks like a different URL than the URL that is being accessed.



Forced Shutdown or Restart with JP1/ServerConductor/Deployment Manager

2010-06-29T15:35+09:00

JP1/ServerConductor/Deployment Manager's Client Service for DPM has a vulnerability which could cause a shutdown or restart of the client computer when receiving ill-formed data.



Internet Navigware Server Information Disclosure Vulnerability

2010-07-28T18:14+09:00

Internet Navigware Server is vulnerable to information disclosure or data tampering.



Denial of Service (DoS) Vulnerability in HiRDB

2010-08-10T12:13+09:00

HiRDB contains a vulnerability that could cause a denial of service (DoS) condition. The vulnerability is due to the HiRDB process and unit abending when the HiRDB process receives unexpected data. After the HiRDB unit abends, the service can be restarted by rebooting HiRDB.



Arbitrary Code Execution Vulnerability in JP1/Cm2/Network Node Manager

2010-08-10T12:14+09:00

JP1/Cm2/Network Node Manager contains a vulnerability that could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.



Denial of Service (DoS) Vulnerability in Cosminexus

2010-09-01T14:11+09:00

Cosminexus series products contain a vulnerability that could cause a denial of service (DoS) condition when receiving unexpected data. After it abends, the service can be restarted by rebooting the system.



Denial of Service (DoS) Vulnerability in JP1/ServerConductor/Control Manager

2010-09-01T14:11+09:00

A built-in database in JP1/ServerConductor/Control Manager contains a vulnerability that could cause a denial of service (DoS) condition due to the abnormal ending of the database process when receiving unexpected data. After the process abends, the service can be restarted by rebooting the system.



Denial of Service (DoS) Vulnerability in JP1/AJS Built-in Database

2010-09-01T14:11+09:00

A built-in database used by JP1/Automatic Job Management System 3 (JP1/AJS3) - Manager and JP1/Automatic Job Management System 2 (JP1/AJS2) - Manager contains a vulnerability that could cause a denial of service (DoS) condition when receiving unexpected data. As a result, job operations of JP1/AJS3 (JP1/AJS2) will be suspended, where client operations from JP1/AJS3 (JP1/AJS2) - View will become unavailable or commands will not work on the Managers. After the built-in database abends, the service can be restarted by rebooting JP1/AJS3 (JP1/AJS2) and the built-in database.



Denial of Service (DoS) Vulnerability in JP1/PAM

2010-09-01T14:12+09:00

A built-in database in JP1/Performance Analysis - Manager and JP1/Performance Management - Analysis Manager (JP1/PAM) contains a vulnerability that could cause a denial of service (DoS) condition due to the abnormal ending of the database process when receiving unexpected data. After the process abends, the service can be restarted by rebooting JP1/PAM.



Denial of Service (DoS) Vulnerability in JP1/Integrated Manager and JP1/Integrated Management

2010-09-01T14:12+09:00

A built-in database in JP1/Integrated Manager and JP1/Integrated Management (JP1/IM) contains a vulnerability that could cause a denial of service (DoS) condition due to the abnormal ending of the database process when receiving unexpected data. After the process abends, the service can be restarted by rebooting JP1/IM.



Denial of Service (DoS) Vulnerability in JP1/NETM

2010-12-17T14:46+09:00

A built-in database in JP1/NETM contains a vulnerability that could cause a denial of service (DoS) condition due to the abnormal ending of the database process when receiving unexpected data. After the process abends, the service can be restarted by rebooting JP1/IM.



Denial of Service (DoS) Vulnerability in JP1/Desktop Navigation Built-in Database

2010-09-15T13:46+09:00

When JP1/Desktop Navigation used in a cluster environment receives unexpected data, the built-in database process and unit abend, which may cause the management server service to fall into a denial of service (DoS) condition.



Denial of Service (DoS) Vulnerability in Hitachi Storage Command Suite Built-in Database

2010-09-15T13:45+09:00

A built-in database in Hitachi Storage Command Suite (HSCS) abends upon receiving maliciously-crafted data intended to exploit its denial of service (DoS) vulnerability. As a result, HSCS may become non-operational or shut down, for example, making operations from the screen and access to the database unavailable.



JP1/NETM/Remote Control Agent Authentication Bypass Vulnerability

2010-09-21T14:10+09:00

A vulnerability in the file transfer feature in the JP1/NETM/Remote Control Agent may allow authentication bypass.



Phishing Vulnerability in Accela BizSearch Document View Window

2010-10-13T16:58+09:00

The document view window in Accela BizSearch Gateway Option has the following vulnerabilities which allow a remote attacker to:
* display a fraudulent web page over a legitimate web page
* steal cookies stored in browser
* place arbitrary cookies into browser



Multiple Vulnerabilities in Groupmax Scheduler Server

2010-10-13T16:58+09:00

A denial of service (DoS) or arbitrary file manipulation vulnerability has been reported in multiple Hitachi products.



Interstage Application Server Information Disclosure Vulnerability

2010-12-14T15:18+09:00

Interstage Application Server has an information disclosure vulnerability when used in a J2EE environment.



EUR Form Client Arbitrary File Execution Vulnerability

2010-12-14T15:21+09:00

EUR Form Client has an arbitrary file execution vulnerability.



Buffer Overflow Vulnerability in Hitachi Groupmax Related Products

2010-12-24T16:22+09:00

Hitachi Groupmax-related products have a buffer overflow vulnerability.



Access Control Security Bypass Vulnerability in Interstage Application Server

2010-12-24T16:25+09:00

Interstage Application Server has an access control security bypass vulnerability which could allow an attacker to access and execute a request from the IP address that should be denied.



Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability

2011-06-29T17:57+09:00

The standard search page of Accela BizSearch contains a cross-site scripting vulnerability.



Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability

2011-06-29T17:55+09:00

The standard search page of Accela BizSearch contains a cross-site scripting vulnerability.



Accela BizSearch Standard Search Page Cross-Site Scripting Vulnerability

2011-06-29T17:55+09:00

The standard search page of Accela BizSearch contains a cross-site scripting vulnerability.