Last Update: July 02, 2024
HIRT thanks the following for working with us to help with vulnerability handling and incident response:

Thanks to Shun Suzaki, Yutaka Kokubu and Kazuki Hirota (Mitsui Bussan Secure Directions, Inc.) for reporting this vulnerability. HIRT promoted the fix of this vulnerability in line with the "Information Security Early Warning Partnership Guidelines".

| Title | Folder Permission Vulnerability in JP1/Extensible SNMP Agent |
|---|---|
| CVE | CVE-2024-4679 |
| CVSS | CVSS:2.0 AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]<br>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8] |
| CWE | CWE-284: Improper Access Control |
| Timeline | April 09, 2024: HIRT receives a report about these vulnerabilities.<br>July 02, 2024: Hitachi publishes an advisory and announces a fix. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-127/<br>July 02, 2024: Acknowledgment publicly disclosed. |
Thanks to Taku Toyama and Masaya Suzuki (NEC Corporation) for reporting this vulnerability.
| Title | File and Directory Permissions Vulnerability in JP1/Performance Management |
|---|---|
| CVE | CVE-2023-3440 |
| CVSS | CVSS:2.0 AV:L/AC:L/Au:N/C:C/I:C/A:C [7.2]<br>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [8.4] |
| CWE | CWE-284: Improper Access Control |
| Timeline | April 04, 2023: HIRT receives a report about these vulnerabilities.<br>July 07, 2023: HIRT gives notice of the release schedule for these vulnerabilities.<br>October 03, 2023: Hitachi publishes an advisory and announces a fix. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-145/<br>October 03, 2023: Acknowledgment publicly disclosed. |
Thanks to Jose Carlos Exposito Bueno for reporting this vulnerability.
| Title | SQL Injection on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] |
| CWE | CWE-89: SQL Injection |
| Timeline | April 18, 2023: HIRT receives a report about this vulnerability.<br>August 24, 2023: HIRT gives notice of a fix for this vulnerability.<br>August 24, 2023: Acknowledgment publicly disclosed. |
Thanks to Eddie Zaltsman (ULTRA RED) for reporting this vulnerability.
| Title | Open Redirect on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N [6.4]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| Timeline | December 24, 2022: HIRT receives a report about this vulnerability.<br>April 27, 2023: HIRT gives notice of a fix for this vulnerability.<br>April 27, 2023: Acknowledgment publicly disclosed. |
Thanks to Muhammad Imran for reporting this vulnerability.
| Title | Server-Side Request Forgery issue (CVE-2020-10770) on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:P/A:N [5.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3] |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| Timeline | May 17, 2022: HIRT receives a report about this vulnerability.<br>April 18, 2023: HIRT gives notice of a fix for this vulnerability.<br>April 18, 2023: Acknowledgment publicly disclosed. |
Thanks to Jose Carlos Exposito Bueno for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N [4.3]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Timeline | May 14, 2022: HIRT receives a report about this vulnerability.<br>April 18, 2023: HIRT gives notice of a fix for this vulnerability.<br>April 18, 2023: Acknowledgment publicly disclosed. |
Thanks to Michael Heinzl for offering a technical notification.
| Title | Technical notification of HMI Configurator: EH-VIEW and PLC Programming Software: Pro-H |
|---|---|
| Timeline | March 08, 2023: HIRT receives a technical notification related to EH-VIEW and Pro-H.<br>March 09, 2023: Mail reception reply (sent, but not delivered).<br>March 10, 2023: HIRT receives a request for a status update.<br>March 29, 2023: HIRT receives a related notification from JPCERT/CC.<br>April 10, 2023: HIRT sends a status update (sent, but not delivered).<br>April 10, 2023: Acknowledgment publicly disclosed.<br>April 20, 2023: HIRT receives a related notification from JPCERT/CC.<br>April 20, 2023: Mail reception and status update reply re-sent (delivered).<br>April 21, 2023: HIRT receives technical details of EH-VIEW.<br>August 23, 2023: HIRT publishes an advisory for EH-VIEW. https://www.hitachi.com/hirt/hitachi-sec/2023/002.html |
Thanks to Eddie Zaltsman (ULTRA RED) for reporting these vulnerabilities.
| Title | Multiple issues on Web site. |
|---|---|
| CVSS / CWE | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P [7.5]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3]<br>CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br>CWE-352: Cross-Site Request Forgery (CSRF) |
| | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]<br>CWE-89: SQL Injection |
| | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]<br>CWE-284: Improper Access Control |
| Timeline | February 11, 2023: HIRT receives the initial notification of these vulnerabilities.<br>April 10, 2023: HIRT gives notice of a fix for these vulnerabilities.<br>April 10, 2023: Acknowledgment publicly disclosed. |
Thanks to Arman Ktk for offering a technical report.
| Title | Technical report of DKIM (DomainKeys Identified Mail). |
|---|---|
| Timeline | January 25, 2023: HIRT receives a technical report related to DKIM.<br>March 24, 2023: Acknowledgment publicly disclosed. |
Thanks to Tim Dijkman (Powerspex Instrumentation) for reporting this vulnerability and Patrick Binnendijk (HIFLEX Automatiseringstechniek) for supporting this vulnerability handling.
| Title | Path Traversal Vulnerability in HX series CPU module |
|---|---|
| CVE | CVE-2018-25048 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Timeline | August 03, 2022: HIFLEX receives a report about this vulnerability.<br>August 15, 2022: CODESYS receives a report about this vulnerability.<br>October 25, 2022: CODESYS publishes an advisory (Advisory 2018-04).<br>October 28, 2022: Hitachi receives a report about this vulnerability.<br>February 08, 2023: Hitachi Industrial Equipment Systems publishes an advisory in Japanese (hitachi-sec-2022-002).<br>March 08, 2023: Acknowledgment publicly disclosed. |
Thanks to Eddie Zaltsman (ULTRA RED) for reporting these vulnerabilities.
| Title | Cross-site Scripting on Web applications |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N [4.3]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Timeline | December 22, 2022: HIRT receives the initial notification of these vulnerabilities.<br>December 24, 2022: HIRT receives the additional notification of these vulnerabilities.<br>February 17, 2023: HIRT gives notice of a fix for these vulnerabilities.<br>February 20, 2022: Acknowledgment publicly disclosed. |
Thanks to Yotam Zaltsman (Sling Cyber Insurance) for reporting these vulnerabilities.
| Title | Multiple issues on Web site. |
|---|---|
| CVSS / CWE | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N [7.8]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5]<br>CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]<br>CWE-89: SQL Injection |
| Timeline | December 06, 2022: HIRT receives a report about these vulnerabilities.<br>December 17, 2022: HIRT gives notice of a fix for these vulnerabilities.<br>December 19, 2022: Acknowledgment publicly disclosed. |
Thanks to Thomas Knudsen (Necrum Security Labs) and Samy Younsi (Necrum Security Labs) for reporting these vulnerabilities.
| Title | Multiple Vulnerabilities in HC-IP9050HD and HC-IP9100HD |
|---|---|
| CVE / CVSS / CWE | CVE-2022-37680: Improper Access Control<br>CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:C [7.8]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5]<br>CWE-306: Missing Authentication for Critical Function |
| | CVE-2022-37681: Unauthenticated Directory Traversal<br>CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N [7.8]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5]<br>CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Timeline | August 19, 2022: HIRT receives a report about these vulnerabilities.<br>August 31, 2022: CVE-2022-37680 and CVE-2022-37681 are published.<br>October 26, 2022: HIRT gives notice of the release schedule for these vulnerabilities.<br>November 11, 2022: Hitachi Kokusai Electric publishes an advisory. https://www.hitachi-kokusai.co.jp/global/en/products/info/vulnerable/hitachi-sec-2022-001<br>November 14, 2022: Acknowledgment publicly disclosed. |
Thanks to Vinayak Sakhare for reporting this vulnerability.
| Title | Open Redirect on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N [6.4]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
| Timeline | September 27, 2022: HIRT receives a report about this vulnerability.<br>October 19, 2022: HIRT gives notice of a fix for this vulnerability.<br>October 20, 2022: Acknowledgment publicly disclosed. |
Thanks to Anthony Maestre for reporting this vulnerability.
| Title | Information Disclosure Vulnerability in Hitachi Content Platform |
|---|---|
| CVE | CVE-2021-28052 |
| CVSS | CVSS:2.0 AV:N/AC:H/Au:S/C:C/I:C/A:C [7.1]<br>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5] |
| CWE | CWE-264: Permissions, Privileges, and Access Controls |
| Timeline | January 29, 2021: HIRT receives a report about this vulnerability.<br>March 07, 2021: HIRT requests a CVE from MITRE.<br>March 31, 2021: Hitachi Vantara publishes a Customer Alert. https://support.hitachivantara.com/en/user/tech-tips/2021april/A2021040101.html<br>August 23, 2022: Hitachi Vantara publishes an advisory. https://knowledge.hitachivantara.com/Security/HCP_Multitenancy_Vulnerability<br>September 20, 2022: Acknowledgment publicly disclosed.<br>September 20, 2022: HIRT publishes an advisory. https://www.hitachi.com/hirt/hitachi-sec/2021/604.html |
Thanks to Miguel Santareno for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N [4.3]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Timeline | January 28, 2022: HIRT receives a report about this vulnerability.<br>February 12, 2022: HIRT gives notice of a fix for this vulnerability.<br>February 14, 2022: Acknowledgment publicly disclosed. |
Thanks to Alberto Favero (HAWSEC - Security & Services) and Altion Malka for reporting these vulnerabilities.
| Title | Multiple Vulnerabilities in Pentaho |
|---|---|
| CVE / CVSS / CWE | CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles<br>CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C [9.0]<br>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8]<br>CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| | CVE-2021-34684: Unauthenticated SQL Injection<br>CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]<br>CWE-89: SQL Injection |
| | CVE-2021-31601: Insufficient Access Control of Data Source Management Service<br>CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:P/A:N [7.5]<br>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N [7.1]<br>CWE-319: Cleartext Transmission of Sensitive Information |
| | CVE-2021-31602: Authentication Bypass of Spring APIs<br>CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N [5.0]<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3]<br>CWE-285: Improper Authorization |
| | Jackrabbit User Enumeration<br>CVE-2021-31600 is described as an issue in Hitachi Vantara Pentaho Business Analytics Server. This is a product feature, not a vulnerability. |
| | CVE-2021-34685: Bypass of Filename Extension Restrictions<br>CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N [3.5]<br>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N [2.7]<br>CWE-434: Unrestricted Upload of File with Dangerous Type |
| Timeline | January 31, 2021: HIRT receives a report about these vulnerabilities.<br>March 29, 2021: HIRT receives the testing tool "Ginger" for Pentaho.<br>April 07, 2021: HIRT receives two new vulnerabilities.<br>November 01, 2021: Acknowledgment publicly disclosed.<br>November 11, 2021: HIRT publishes an advisory. https://www.hitachi.com/hirt/hitachi-sec/2021/603.html |
Thanks to Ruslan Sayfiev and Denis Faiustov (Ierae Security Inc.) for reporting these vulnerabilities.

| Title | Multiple Vulnerabilities in JP1/IT Desktop Management 2, JP1/NETM/DM, JP1/Remote Control and Hitachi IT Operations Director |
|---|---|
| CVE / CVSS / CWE | CVE-2021-29644: Remote Code Execution Vulnerability<br>CVSS:2.0 AV:N/AC:H/Au:N/C:C/I:C/A:C [7.6]<br>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1]<br>CWE-190: Integer Overflow or Wraparound |
| | CVE-2021-29645: Local Privilege Escalation Vulnerability<br>CVSS:2.0 AV:L/AC:H/Au:S/C:C/I:C/A:C [6.0]<br>CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0]<br>CWE-264: Permissions, Privileges, and Access Controls |
| Timeline | February 16, 2021: HIRT receives a report about this vulnerability from Ierae Security.<br>February 17, 2021: HIRT asks for a technical description of the vulnerability.<br>February 19, 2021: HIRT receives technical details.<br>September 30, 2021: HIRT gives notice of the status of this vulnerability.<br>October 08, 2021: Hitachi publishes an advisory and announces a fix. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2021-133<br>October 08, 2021: Acknowledgment publicly disclosed. |
Thanks to Hiroki Matsukuma (Cyber Defense Institute, Inc.) for reporting this vulnerability. HIRT promoted the fix of this vulnerability in line with the "Information Security Early Warning Partnership Guidelines".

| Title | Command Injection Vulnerability in Hitachi File Services Manager |
|---|---|
| CVE | CVE-2021-20740 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C<br>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| Timeline | January 17, 2020: HIRT receives a report about this vulnerability from the "Information Security Early Warning Partnership".<br>June 18, 2021: Acknowledgment publicly disclosed. |
Thanks to Yuji Tounai (Mitsui Bussan Secure Directions, Inc.) for reporting this vulnerability. HIRT promoted the fix of this vulnerability in line with the "Information Security Early Warning Partnership Guidelines".

| Title | Cross-site Scripting Vulnerability in Hitachi Application Server Help |
|---|---|
| CVE | CVE-2021-20741 |
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Timeline | December 12, 2019: HIRT receives a report about this vulnerability from the "Information Security Early Warning Partnership".<br>February 05, 2021: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2021-104<br>February 05, 2021: Acknowledgment publicly disclosed. |

Thanks to Andrej Šimko (CVE-2020-24664, CVE-2020-24670 and CVE-2020-24665), Klára Szvitková (CVE-2020-24669) and Stanislav Dusek (CVE-2020-24666) (Accenture) for reporting these vulnerabilities.
Thanks to Miguel Santareno for reporting this vulnerability.
| Title | Information Exposure issue on Web site. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:N/A:N<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-200: Information Exposure |
| Timeline | October 13, 2020: HIRT receives a report about this vulnerability.<br>October 15, 2020: HIRT asks for a technical description of the vulnerability.<br>October 15, 2020: HIRT receives technical details.<br>January 04, 2021: HIRT gives notice of a fix for this vulnerability.<br>January 05, 2021: Acknowledgment publicly disclosed. |
Thanks to Shivang Trived for offering a technical report.
| Title | Technical report for mod_http2 in Apache HTTP Server. |
|---|---|
| Timeline | September 01, 2020: HIRT receives a technical report for mod_http2 in Apache HTTP Server.<br>January 05, 2021: Acknowledgment publicly disclosed. |
Thanks to SecurityMate for reporting this vulnerability.
| Title | Path Traversal (CVE-2020-3452) on Cisco Adaptive Security Appliance |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-20: Improper Input Validation |
| Timeline | July 31, 2020: HIRT receives a report about this vulnerability.<br>July 31, 2020: HIRT asks for a technical description of the vulnerability.<br>July 31, 2020: HIRT receives technical details.<br>August 17, 2020: HIRT gives notice of a fix for this vulnerability.<br>August 20, 2020: Acknowledgment publicly disclosed. |
Thanks to Dhiraj Mishra for reporting this vulnerability.
| Title | Insecure Loading of Dynamic Link Libraries in the application installer |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:P<br>CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CWE | CWE-427: Uncontrolled Search Path Element<br>Ref. HIRT-PUB17011: Insecure Loading of Dynamic Link Libraries<br>HIRT recommends: "Run executable files, such as installers and self-extracting documents, in a safe manner." |
| Timeline | April 30, 2020: HIRT receives a report about this vulnerability.<br>July 27, 2020: HIRT gives notice of a fix for this vulnerability.<br>July 28, 2020: Acknowledgment publicly disclosed. |
Thanks to Ross Derewianko for reporting this vulnerability.
| Title | Information Exposure issue on Web site. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-200: Information Exposure |
| Timeline | June 02, 2020: HIRT receives a report about this vulnerability.<br>July 27, 2020: HIRT gives notice of a fix for this vulnerability.<br>July 28, 2020: Acknowledgment publicly disclosed. |
Thanks to Ravi Ashok Prajapati for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br>Ref. OWASP: Cross-site Scripting (XSS)<br>Ref. OBB-1112840 |
| Timeline | March 07, 2020: Vulnerability reported to OpenBugBounty.<br>June 05, 2020: HIRT follows up about this vulnerability.<br>June 10, 2020: HIRT confirms a fix for this vulnerability.<br>June 17, 2020: HIRT gives notice of a fix for this vulnerability.<br>June 18, 2020: Acknowledgment publicly disclosed. |
Thanks to Naresh Chowdary and Venkata Sateesh Netti for reporting this vulnerability.
| Title | Local File Inclusion issue (CVE-2019-11510) on Pulse Secure VPN. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-275: Permission Issues |
| Timeline | February 22, 2020: HIRT receives a report about this vulnerability.<br>June 05, 2020: HIRT gives notice of a fix for this vulnerability.<br>June 08, 2020: Acknowledgment publicly disclosed. |
Thanks to Jagdish Bharucha for offering a technical report.
| Title | Technical report for OTP supported by Web application |
|---|---|
| Timeline | May 06, 2020: HIRT receives a technical report for OTP supported by Web application.<br>June 08, 2020: Acknowledgment publicly disclosed. |
Thanks to Jagdish Bharucha for reporting this vulnerability.
| Title | Information Exposure issue on Web application. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-639: Authorization Bypass Through User-Controlled Key |
| Timeline | November 21, 2019: HIRT receives a report about this vulnerability.<br>May 04, 2020: HIRT gives notice of a fix for this vulnerability.<br>May 27, 2020: Acknowledgment publicly disclosed. |
Thanks to Hoang Quoc Thinh (OWASP Viet Nam Chapter) for reporting this vulnerability.
| Title | Remote Code Execution issue (CVE-2020-7961) on Web application. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P<br>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-502: Deserialization of Untrusted Data |
| Timeline | March 29, 2020: HIRT receives a report about this vulnerability.<br>April 13, 2020: HIRT gives notice of a fix for this vulnerability.<br>April 14, 2020: Acknowledgment publicly disclosed. |
Thanks to Phatthanaphol Rattanapongporn for reporting this vulnerability.
| Title | Information Exposure issue on Web application. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-264: Permissions, Privileges, and Access Controls |
| Timeline | August 21, 2019: HIRT receives a report about this vulnerability.<br>December 25, 2019: HIRT gives notice of a fix for this vulnerability.<br>December 25, 2019: Acknowledgment publicly disclosed. |
Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21032 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-209: Information Exposure Through an Error Message |
| Timeline | March 29, 2018: HIRT receives a report about this vulnerability.<br>March 30, 2018: HIRT asks for a technical description of the vulnerability.<br>April 03, 2018: HIRT receives technical details.<br>December 20, 2019: HIRT gives notice of a fix for this vulnerability.<br>December 20, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-128<br>December 20, 2019: Acknowledgment publicly disclosed. |
Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21033 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-73: External Control of File Name or Path |
| Timeline | March 29, 2018: HIRT receives a report about this vulnerability.<br>March 30, 2018: HIRT asks for a technical description of the vulnerability.<br>April 03, 2018: HIRT receives technical details.<br>December 20, 2019: HIRT gives notice of a fix for this vulnerability.<br>December 20, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-128<br>December 20, 2019: Acknowledgment publicly disclosed. |
Thanks to Matt Byrne (Perspective Risk) for reporting this vulnerability.
| Title | Hitachi Command Suite - Denial of Service |
|---|---|
| CVE | CVE-2019-17360 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:P<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CWE | CWE-400: Uncontrolled Resource Consumption |
| Timeline | July 30, 2019: HIRT receives a report about this vulnerability.<br>July 30, 2019: HIRT asks for a technical description of the vulnerability.<br>July 30, 2019: HIRT receives technical details.<br>October 07, 2019: HIRT gives notice of a fix for this vulnerability.<br>November 08, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-125<br>November 08, 2019: Acknowledgment publicly disclosed. |
Thanks to Matt Byrne (Perspective Risk) for reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21026 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-200: Information Exposure |
| Timeline | July 30, 2019: HIRT receives a report about this vulnerability.<br>July 30, 2019: HIRT asks for a technical description of the vulnerability.<br>July 30, 2019: HIRT receives technical details.<br>October 07, 2019: HIRT gives notice of a fix for this vulnerability.<br>November 08, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-124<br>November 08, 2019: Acknowledgment publicly disclosed. |
Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21026 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-200: Information Exposure |
| Timeline | March 29, 2018: HIRT receives a report about this vulnerability.<br>March 30, 2018: HIRT asks for a technical description of the vulnerability.<br>April 03, 2018: HIRT receives technical details.<br>November 08, 2019: HIRT gives notice of a fix for this vulnerability.<br>November 08, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-124<br>November 08, 2019: Acknowledgment publicly disclosed. |
Thanks to Pankaj Kumar Thakur (Nepal) for reporting this misconfiguration vulnerability.
| Title | HTTP Host Header Injection on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:P/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect')<br>Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet |
| Timeline | September 12, 2019: HIRT receives a report about this vulnerability.<br>October 20, 2019: HIRT gives notice of a fix for this vulnerability.<br>October 21, 2019: Acknowledgment publicly disclosed. |
Thanks to serge lacroute for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br>Ref. OWASP: Cross-site Scripting (XSS)<br>Ref. OBB-784016 |
| Timeline | March 30, 2019: HIRT receives a report about this vulnerability.<br>May 18, 2019: HIRT gives notice of a fix for this vulnerability.<br>May 20, 2019: Acknowledgment publicly disclosed. |
Thanks to Jan Krissler and Julian Albrecht (Berlin University of Technology) for offering a technical report.
| Title | Technical report of finger vein device |
|---|---|
| Timeline | October 04, 2018: HIRT receives a technical report on a finger vein device.<br>November 12, 2018: Hitachi has a technical meeting with them in Tokyo.<br>November 13, 2018: HIRT follows their presentation "Hacking Vein Recognition Systems" at PacSec 2018.<br>November 14, 2018: Hitachi has a technical meeting with them in Tokyo.<br>November 20, 2018: Acknowledgment publicly disclosed.<br>December 27, 2018: HIRT follows their presentation "Venenerkennung Hacken" at the 35th Chaos Communication Congress. |
Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 - Information Exposure |
|---|---|
| CVE | CVE-2018-14735 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:N/A:N<br>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-264: Permissions, Privileges, and Access Controls |
| Timeline | March 29, 2018: HIRT receives a report about this vulnerability.<br>March 30, 2018: HIRT asks for a technical description of the vulnerability.<br>April 03, 2018: HIRT receives technical details.<br>August 05, 2018: HIRT gives notice of a fix for this vulnerability.<br>August 08, 2018: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2018-123<br>August 08, 2018: Acknowledgment publicly disclosed. |
Thanks to Wai Yan Aung for reporting this vulnerability.
| Title | Reflected Cross-site Scripting on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N<br>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br>Ref. OWASP: Cross-site Scripting (XSS) |
| Timeline | March 10, 2018: HIRT receives a report about this vulnerability.<br>May 02, 2018: HIRT gives notice of a fix for this vulnerability.<br>May 02, 2018: Acknowledgment publicly disclosed. |
Thanks to Craig Young, Lamar Bailey and Tyler Reguly (Tripwire VERT) for reporting this vulnerability.
| Title | ROBOT (Return of Bleichenbacher's Oracle Threat) SSL Denial of Service vulnerability in Hitachi Unified Storage 100 series |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:C<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CWE | Ref. The ROBOT Attack<br>Ref. VERT Threat Alert: Return of Bleichenbacher's Oracle Threat (ROBOT) |
| Timeline | November 28, 2017: Hitachi receives a report of "unexpected SSL traffic stop".<br>December 01, 2017: HIRT receives a report about this vulnerability from Tripwire VERT.<br>December 01, 2017: HIRT asks for a technical description of the vulnerability.<br>December 10, 2017: HIRT receives technical details.<br>January 09, 2018: Hitachi releases a patch.<br>February 22, 2018: Hitachi publishes an advisory. https://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2018_1/2018_304.html<br>May 02, 2018: HIRT gives notice of the status of this vulnerability.<br>May 02, 2018: Acknowledgment publicly disclosed. |
Thanks to Suyog Palav for reporting this vulnerability.
| Title | Email Flooding issue on Web newsletter sign up application. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:N/A:P<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CWE | CWE-399: Resource Management Errors |
| Timeline | July 05, 2017: HIRT receives a report about this vulnerability.<br>October 19, 2017: HIRT gives notice of a fix for this vulnerability.<br>October 20, 2017: Acknowledgment publicly disclosed. |
Thanks to Ketankumar Godhani for reporting this vulnerability.
| Title | Clickjacking issue on Web login application. |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| CWE | Ref. OWASP Clickjacking |
| Timeline | June 20, 2017: HIRT receives a report about this vulnerability.<br>August 22, 2017: HIRT gives notice of a fix for this vulnerability.<br>August 24, 2017: Acknowledgment publicly disclosed. |
Thanks to Piotr Domirski and Marcin Woloszyn (ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 - Remote Execution of Internal Commands via RMI w/o Authentication |
|---|---|
| CVE | CVE-2017-9294 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C<br>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-285: Improper Authorization (2.9)<br>CWE-306: Missing Authentication for Critical Function (2.9) |
| Timeline | January 05, 2017: HIRT receives a report about this vulnerability.<br>January 05, 2017: HIRT asks for a technical description of the vulnerability.<br>January 06, 2017: HIRT receives technical details.<br>February 28, 2017: HIRT gives notice of a fix schedule for this vulnerability.<br>April 24, 2017: HIRT gives notice of a change to the fix schedule for this vulnerability.<br>May 26, 2017: HIRT gives notice of a fix for this vulnerability.<br>May 29, 2017: HIRT sends a CVE ID request.<br>May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114<br>May 29, 2017: Acknowledgment publicly disclosed.<br>May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to Piotr Domirski (ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 - External XML Entity |
|---|---|
| CVE | CVE-2017-9295 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N<br>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference ('XXE')<br>Ref. OWASP: XML External Entity (XXE) Processing<br>Ref. NII Consulting: Server side request forgery |
| Timeline | January 05, 2017: HIRT receives a report about this vulnerability.<br>January 05, 2017: HIRT asks for a technical description of the vulnerability.<br>January 06, 2017: HIRT receives technical details.<br>February 28, 2017: HIRT gives notice of a fix schedule for this vulnerability.<br>April 24, 2017: HIRT gives notice of a change to the fix schedule for this vulnerability.<br>May 26, 2017: HIRT gives notice of a fix for this vulnerability.<br>May 29, 2017: HIRT sends a CVE ID request.<br>May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114<br>May 29, 2017: Acknowledgment publicly disclosed.<br>May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 Replication Manager - XML External Entity |
|---|---|
| CVE | CVE-2017-9295 |
| CVSS | CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N<br>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference ('XXE')<br>Ref. OWASP: XML External Entity (XXE) Processing<br>Ref. NII Consulting: Server side request forgery |
| Timeline | January 05, 2017: HIRT receives a report about this vulnerability.<br>January 05, 2017: HIRT asks for a technical description of the vulnerability.<br>January 06, 2017: HIRT receives technical details.<br>February 28, 2017: HIRT gives notice of a fix schedule for this vulnerability.<br>April 24, 2017: HIRT gives notice of a change to the fix schedule for this vulnerability.<br>May 26, 2017: HIRT gives notice of a fix for this vulnerability.<br>May 29, 2017: HIRT sends a CVE ID request.<br>May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114<br>May 29, 2017: Acknowledgment publicly disclosed.<br>May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 Device Manager, Replication Manager - Reflected Cross-Site Scripting |
|---|---|
| CVE | CVE-2017-9298 |
| CVSS | CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |

Timeline:

- January 05, 2017: HIRT receives a report about this vulnerability.
- January 05, 2017: HIRT asks for a technical description of the vulnerability.
- January 06, 2017: HIRT receives technical details.
- February 28, 2017: HIRT sends notice of the fix schedule for this vulnerability.
- April 24, 2017: HIRT sends notice of a change to the fix schedule for this vulnerability.
- May 26, 2017: HIRT sends notice that this vulnerability is fixed.
- May 29, 2017: HIRT sends a CVE ID request.
- May 29, 2017: Hitachi publishes an advisory and announces a patch: https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114
- May 29, 2017: Acknowledgment publicly disclosed.
- May 30, 2017: CVE ID is assigned to this vulnerability.
Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 - Open Redirect |
|---|---|
| CVE | CVE-2017-9296 |
| CVSS | CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet |

Timeline:

- January 05, 2017: HIRT receives a report about this vulnerability.
- January 05, 2017: HIRT asks for a technical description of the vulnerability.
- January 06, 2017: HIRT receives technical details.
- February 28, 2017: HIRT sends notice of the fix schedule for this vulnerability.
- April 24, 2017: HIRT sends notice of a change to the fix schedule for this vulnerability.
- May 26, 2017: HIRT sends notice that this vulnerability is fixed.
- May 29, 2017: HIRT sends a CVE ID request.
- May 29, 2017: Hitachi publishes an advisory and announces a patch: https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114
- May 29, 2017: Acknowledgment publicly disclosed.
- May 30, 2017: CVE ID is assigned to this vulnerability.
Thanks to Pawel Gocyla (ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 Device Manager - Sensitive Data Disclosed Via Open Redirection Vulnerability |
|---|---|
| CVE | CVE-2017-9297 |
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect'). Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet |

Timeline:

- January 16, 2017: HIRT receives a report about this vulnerability.
- February 28, 2017: HIRT sends notice of the fix schedule for this vulnerability.
- April 24, 2017: HIRT sends notice of a change to the fix schedule for this vulnerability.
- May 26, 2017: HIRT sends notice that this vulnerability is fixed.
- May 29, 2017: HIRT sends a CVE ID request.
- May 29, 2017: Hitachi publishes an advisory and announces a patch: https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114
- May 29, 2017: Acknowledgment publicly disclosed.
- May 30, 2017: CVE ID is assigned to this vulnerability.
Thanks to Aidan Barrington for reporting this vulnerability.
| Title | FTP server has writable folders and files for firmware update |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:S/C:N/I:P/A:N; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| CWE | CWE-276: Incorrect Default Permissions |

Timeline:

- April 25, 2016: HIRT receives a report about this vulnerability.
- April 26, 2016: HIRT asks for a technical description of the vulnerability.
- May 06, 2016: HIRT receives technical details.
- June 08, 2016: HIRT sends notice that this vulnerability is fixed.
- October 09, 2016: HIRT completes an additional investigation of the FTP server and related products.
- October 11, 2016: HIRT notifies.
- October 14, 2016: Acknowledgment publicly disclosed.
Thanks to tah0zoo (Independent Security Researcher) for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N; CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Ref. OWASP: Cross-site Scripting (XSS) |

Timeline:

- January 08, 2016: HIRT receives a report about this vulnerability.
- August 18, 2016: HIRT sends notice that this vulnerability is fixed.
- August 22, 2016: Acknowledgment publicly disclosed.
Thanks to Anand Tendolkar for reporting this vulnerability.
| Title | Information Exposure Through Directory Listing on Web site |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-548: Information Exposure Through Directory Listing. Ref. OWASP: Top 10 2013-A5-Security Misconfiguration; Ref. OWASP: Top 10 2013-A6-Sensitive Data Exposure |

Timeline:

- June 03, 2016: HIRT receives a report about this vulnerability.
- August 18, 2016: HIRT sends notice that this vulnerability is fixed.
- August 22, 2016: Acknowledgment publicly disclosed.
Thanks to James Schwinabart (Qualcomm's Information Security and Risk Management team) for reporting this vulnerability.
| Title | Apache Commons Collections Java library insecurely deserializes data |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CWE | CWE-502: Deserialization of Untrusted Data |

Timeline:

- November 13, 2015: Vulnerability Note VU#576313 is published.
- March 23, 2016: HIRT receives a report about this vulnerability.
- March 28, 2016: Hitachi publishes an advisory and announces a patch: https://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html
- March 29, 2016: HIRT sends notice that this vulnerability is fixed.
- March 31, 2016: Acknowledgment publicly disclosed.
Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.
| Title | Cross-site Scripting on Web portal application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Ref. OWASP: Cross-site Scripting (XSS) |

Timeline:

- February 21, 2015: HIRT receives a report about this vulnerability.
- October 30, 2015: HIRT sends notice that this vulnerability is fixed.
- November 04, 2015: Acknowledgment publicly disclosed.
Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.
| Title | Cross-site Scripting on Web search application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Ref. OWASP: Cross-site Scripting (XSS) |

Timeline:

- February 21, 2015: HIRT receives a report about this vulnerability.
- October 30, 2015: HIRT sends notice that this vulnerability is fixed.
- November 04, 2015: Acknowledgment publicly disclosed.
Thanks to Taizo Tsukamoto (GLOBAL SECURITY EXPERTS Inc.) for reporting this vulnerability. HIRT promoted the fix of this vulnerability in line with the "Information Security Early Warning Partnership Guidelines".
| Title | Privilege escalation vulnerabilities in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director |
|---|---|
| CVE | CVE-2013-4697 |
| CVSS | CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N |
| CWE | CWE-264: Permissions, Privileges, and Access Controls |

Timeline:

- May 22, 2013: HIRT receives a report about this vulnerability through the "Information Security Early Warning Partnership".
- May 23, 2013: HIRT receives technical details.
- May 23, 2013: HIRT confirms the existence of the flaw.
- July 26, 2013: Hitachi publishes an advisory and announces a patch: https://www.hitachi.com/products/it/software/security/info/vuls/HS13-017
- July 29, 2013: JVN publishes a vulnerability note: https://jvn.jp/en/jp/JVN00065218/
- July 29, 2013: Acknowledgment publicly disclosed.
Thanks to Muhammad Haroon for reporting this vulnerability.
| Title | Local File Download from Web application |
|---|---|
| CVSS | CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |

Timeline:

- March 14, 2012: Hitachi receives a report about this vulnerability.
- March 16, 2012: HIRT receives a report about this vulnerability.
- March 17, 2012: HIRT asks for a technical description of the flaw.
- March 17, 2012: HIRT receives technical details.
- April 21, 2012: HIRT sends notice that this vulnerability is fixed.
- April 24, 2012: Acknowledgment publicly disclosed.