Last Update: February 18, 2025
HIRT thanks the following for working with us to help vulnerability handling and incident response:
Thanks to
Sahil Shah
and
Shaurya
for offering a technical notification.
| Title |
Technical notification (CWE-427: Uncontrolled Search Path Element) of USB-CONVERTERCABLE DRIVER and HVAC Energy Savings
Program. |
|---|---|
| Timeline |
September 26, 2024: HIRT receives a technical notification
related to USB-CONVERTERCABLE DRIVER. September 30, 2024: HIRT receives a technical notification related to HIVAC Energy Savings Program. January 09, 2025: Hitachi Industrial Equipment & Solutions America, LLC publishes a Notice of End of Life of Product and Software. https://www.hitachi-iesa.com/sites/default/files/support/download/docs/EOL%20Letter%20HIESA_1.2.pdf January 31, 2025: Acknowledgment publicly disclosed. February 14, 2025: HIRT publishes an advisory of USB-CONVERTERCABLE DRIVER and HVAC Energy Savings Program. https://www.hitachi.com/hirt/hitachi-sec/2025/001.html |
Thanks to
Ahmad Alassaf
for reporting this vulnerability.
| Title | Information Exposure issue on Web site. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:P/I:N/A:N
[4.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3] |
| CWE |
CWE-497: Exposure of Sensitive System Information to an
Unauthorized Control Sphere |
| Timeline |
October 01, 2024: HIRT receives about this
vulnerability. October 21, 2024: HIRT notifies a fix of this vulnerability. October 21, 2024: Acknowledgment publicly disclosed. |
Thanks to Shun Suzaki, Yutaka Kokubu and Kazuki Hirota (Mitsui Bussan Secure Directions, Inc.) for reporting this vulnerability. HIRT promoted to fix this
vulnerability in line with
"Information Security Early Warning Partnership
Guidelines".
| Title |
Folder Permission Vulnerability in JP1/Extensible SNMP
Agent |
|---|---|
| CVE | CVE-2024-4679 |
| CVSS |
CVSS:2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
[7.2] CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8] |
| CWE |
CWE-276: Incorrect Default Permissions |
| Timeline |
April 09, 2024: HIRT receives about these
vulnerabilities. July 02, 2024: Hitachi publishes an advisory and announces a fixed. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-127/ July 02, 2024: Acknowledgment publicly disclosed. |
Thanks to Taku Toyama and Masaya Suzuki (NEC Corporation) for reporting this vulnerability.
| Title |
File and Directory Permissions Vulnerability in
JP1/Performance Management |
|---|---|
| CVE | CVE-2023-3440 |
| CVSS |
CVSS:2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
[7.2] CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [8.4] |
| CWE |
CWE-284: Improper Access Control |
| Timeline |
April 04, 2023: HIRT receives about these
vulnerabilities. July 07, 2023: HIRT notifies a release schedule of these vulnerabilities. October 03, 2023: Hitachi publishes an advisory and announces a fixed. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-145/ October 03, 2023: Acknowledgment publicly disclosed. |
Thanks to
Jose Carlos Exposito Bueno
for reporting this vulnerability.
| Title | SQL Injection on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
[10.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] |
| CWE |
CWE-89: SQL Injection |
| Timeline |
April 18, 2023: HIRT receives about this vulnerability. August 24, 2023: HIRT notifies a fix of this vulnerability. August 24, 2023: Acknowledgment publicly disclosed. |
Thanks to
Eddie Zaltsman
(ULTRA RED) for reporting
this vulnerability.
| Title | Open Redirect on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N
[6.4] CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE |
CWE-601: URL Redirection to Untrusted Site ('Open
Redirect') |
| Timeline |
December 24, 2022: HIRT receives about this
vulnerability. April 27, 2023: HIRT notifies a fix of this vulnerability. April 27, 2023: Acknowledgment publicly disclosed. |
Thanks to
Muhammad Imran for
reporting this vulnerability.
| Title |
Server-Side Request Forgery issue (CVE-2020-10770) on Web
application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
[5.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3] |
| CWE |
CWE-918: Server-Side Request Forgery (SSRF) |
| Timeline |
May 17, 2022: HIRT receives about this vulnerability. April 18, 2023: HIRT notifies a fix of this vulnerability. April 18, 2023: Acknowledgment publicly disclosed. |
Thanks to
Jose Carlos Exposito Bueno
for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
[4.3] CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') |
| Timeline |
May 14, 2022: HIRT receives about this vulnerability. April 18, 2023: HIRT notifies a fix of this vulnerability. April 18, 2023: Acknowledgment publicly disclosed. |
Thanks to Michael Heinzl for offering a technical
notification.
| Title |
Technical notification of HMI Configurator: EH-VIEW and
PLC Programming Software: Pro-H |
|---|---|
| Timeline |
March 08, 2023: HIRT receives a technical notification
related to EH-VIEW and Pro-H. March 09, 2023: Mail reception reply (send, but not reached) March 10, 2023: HIRT receives a request for a status update. March 29, 2023: HIRT receives a related notification from JPCERT/CC. April 10, 2023: HIRT notifies a status update (send, but not reached). April 10, 2023: Acknowledgment publicly disclosed. April 20, 2023: HIRT receives a related notification from JPCERT/CC. April 20, 2023: Mail reception and a status update reply re-sent (reached). April 21, 2023: HIRT receives technical details of EH-VIEW. August 23, 2023: HIRT publishes an advisory of EH-VIEW. https://www.hitachi.com/hirt/hitachi-sec/2023/002.html |
Thanks to
Eddie Zaltsman
(ULTRA RED) for reporting
these vulnerabilities.
| Title | Multiple issues on Web site. |
|---|---|
| CVSS CWE |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
[7.5] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L [7.3] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) |
|
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
[10.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] CWE-89: SQL Injection |
|
|
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
[10.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] CWE-284: Improper Access Control |
|
| Timeline |
February 11, 2023: HIRT receives about the the initial
notification of these vulnerabilities. April 10, 2023: HIRT notifies a fix of these vulnerabilities. April 10, 2023: Acknowledgment publicly disclosed. |
Thanks to Arman Ktk for offering a technical report.
| Title |
Technical report of DKIM (DomainKeys Identified Mail). |
|---|---|
| Timeline |
January 25, 2023: HIRT receives a technical report related
to DKIM. March 24, 2023: Acknowledgment publicly disclosed. |
Thanks to
Tim Dijkman
(Powerspex Instrumentation) for reporting this vulnerability and
Patrick Binnendijk
(HIFLEX Automatiseringstechniek) for supporting this vulnerability handling.
| Title |
Path Traversal Vulnerability in HX series CPU module |
|---|---|
| CVE | CVE-2018-25048 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
[10.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] |
| CWE |
CWE-22: Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal') |
| Timeline |
August 03, 2022: HIFLEX receives about this
vulnerability. August 15, 2022: CODESYS receives about this vulnerability. October 25, 2022: CODESYS publishes an advisory (Advisory 2018-04). October 28, 2022: Hitachi receives about this vulnerability. February 08, 2023: Hitachi Industrial Equipment Systems publishes an advisory in Japanese (hitachi-sec-2022-002). March 08, 2023: Acknowledgment publicly disclosed. |
Thanks to
Eddie Zaltsman
(ULTRA RED) for reporting
these vulnerabilities.
| Title | Cross-site Scripting on Web applications |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
[4.3] CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') |
| Timeline |
December 22, 2022: HIRT receives about the the initial
notification of these vulnerabilities. December 24, 2022: HIRT receives about the additional notification of these vulnerabilities. February 17, 2023: HIRT notifies a fix of these vulnerabilities. February 20, 2022: Acknowledgment publicly disclosed. |
Thanks to
Yotam Zaltsman
(Sling Cyber Insurance)
for reporting these vulnerabilities.
| Title | Multiple issues on Web site. |
|---|---|
| CVSS CWE |
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:N/A:N
[7.8] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
[10.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] CWE-89: SQL Injection |
|
| Timeline |
December 06, 2022: HIRT receives about these
vulnerabilities. December 17, 2022: HIRT notifies a fix of these vulnerabilities. December 19, 2022: Acknowledgment publicly disclosed. |
Thanks to
Thomas Knudsen
(Necrum Security Labs) and
Samy Younsi
(Necrum Security Labs) for reporting these vulnerabilities.
| Title |
Multiple Vulnerabilities in HC-IP9050HD and HC-IP9100HD |
|---|---|
| CVE CVSS CWE |
CVE-2022-37680: Improper Access Control CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:C [7.8] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5] CWE-306: Missing Authentication for Critical Function |
|
CVE-2022-37681: Unauthenticated Directory Traversal CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N [7.8] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
| Timeline |
August 19, 2022: HIRT receives about these
vulnerabilities. August 31, 2022: CVE-2022-37680 and CVE-2022-37681 public. October 26, 2022: HIRT notifies a release schedule of these vulnerabilities. November 11, 2022: Hitachi Kokusai Electric publishes an advisory. https://www.hitachi-kokusai.co.jp/global/en/products/info/vulnerable/hitachi-sec-2022-001 November 14, 2022: Acknowledgment publicly disclosed. |
Thanks to
Vinayak Sakhare
for reporting this vulnerability.
| Title | Open Redirect on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N
[6.4] CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE |
CWE-601: URL Redirection to Untrusted Site ('Open
Redirect') |
| Timeline |
September 27, 2022: HIRT receives about this
vulnerability. October 19, 2022: HIRT notifies a fix of this vulnerability. October 20, 2022: Acknowledgment publicly disclosed. |
Thanks to
Anthony Maestre
for reporting this vulnerability.
| Title |
Information Disclosure Vulnerability in Hitachi Content
Platform |
|---|---|
| CVE | CVE-2021-28052 |
| CVSS |
CVSS:2.0
AV:N/AC:H/Au:S/C:C/I:C/A:C
[7.1] CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5] |
| CWE |
CWE-264: Permissions, Privileges, and Access
Controls |
| Timeline |
January 29, 2021: HIRT receives about this
vulnerability. March 07, 2021: HIRT requests a CVE to MITRE. March 31, 2021: Hitachi Vantara publishes a Customer Alert. https://support.hitachivantara.com/en/user/tech-tips/2021april/A2021040101.html August 23, 2022: Hitachi Vantara publishes an advisory. https://knowledge.hitachivantara.com/Security/HCP_Multitenancy_Vulnerability September 20, 2022: Acknowledgment publicly disclosed. September 20, 2022: HIRT publishes an advisory. https://www.hitachi.com/hirt/hitachi-sec/2021/604.html |
Thanks to
Miguel Santareno
for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N
[4.3] CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1] |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') |
| Timeline |
January 28, 2022: HIRT receives about this
vulnerability. February 12, 2022: HIRT notifies a fix of this vulnerability. February 14, 2022: Acknowledgment publicly disclosed. |
Thanks to
Alberto Favero
(HAWSEC - Security & Services) and
Altion Malka
for reporting these vulnerabilities.
| Title | Multiple Vulnerabilities in Pentaho |
|---|---|
| CVE CVSS CWE |
CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C [9.0] CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8] CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|
CVE-2021-34684: Unauthenticated SQL Injection CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8] CWE-89: SQL Injection |
|
|
CVE-2021-31601: Insufficient Access Control of Data Source Management
Service CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:P/A:N [7.5] CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N [7.1] CWE-319: Cleartext Transmission of Sensitive Information |
|
|
CVE-2021-31602: Authentication Bypass of Spring APIs CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N [5.0] CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3] CWE-285: Improper Authorization |
|
|
Jackrabbit User Enumeration
CVE-2021-31600 describes to be an issue in Hitachi Vantara Pentaho Business Analytics Server. This is a feature of products, and not a vulnerability. |
|
|
CVE-2021-34685: Bypass of Filename Extension Restrictions CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N [3.5] CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N [2.7] CWE-434: Unrestricted Upload of File with Dangerous Type |
|
| Timeline |
January 31, 2021: HIRT receives about these
vulnerabilities. March 29, 2021: HIRT receives testing tool "Ginger" for Pentaho. April 07, 2021: HIRT receives two new vulnerabilities. November 01, 2021: Acknowledgment publicly disclosed. November 11, 2021: HIRT publishes an advisory. https://www.hitachi.com/hirt/hitachi-sec/2021/603.html |
Thanks to
Ruslan Sayfiev
and Denis Faiustov of (Ierae Security Inc.) for reporting these vulnerabilities.
| Title |
Multiple Vulnerabilities in JP1/IT Desktop Management 2,
JP1/NETM/DM, JP1/Remote Control and Hitachi IT Operations
Director |
|---|---|
| CVE CVSS CWE |
CVE-2021-29644: Remote Code Execution Vulnerability CVSS:2.0 AV:N/AC:H/Au:N/C:C/I:C/A:C [7.6] CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1] CWE-190: Integer Overflow or Wraparound |
|
CVE-2021-29645: Local Privilege Escalation Vulnerability CVSS:2.0 AV:L/AC:H/Au:S/C:C/I:C/A:C [6.0] CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0] CWE-264: Permissions, Privileges, and Access Controls |
|
| Timeline |
February 16, 2021: HIRT receives about this vulnerability
from Ierae Security. February 17, 2021: HIRT asks for technical description about the vulnerability. February 19, 2021: HIRT receives technical details. September 30, 2021: HIRT notifies a status of this vulnerability. October 08, 2021: Hitachi publishes an advisory and announces a fixed. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2021-133 October 08, 2021: Acknowledgment publicly disclosed. |
Thanks to Hiroki Matsukuma (of Cyber Defense Institute, Inc) for
reporting this vulnerability. HIRT promoted to fix this
vulnerability in line with
"Information Security Early Warning Partnership
Guidelines".
| Title |
Command Injection Vulnerability in Hitachi File Services
Manager |
|---|---|
| CVE | CVE-2021-20740 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:C/I:C/A:C CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE |
CWE-78: Improper Neutralization of Special Elements
used in an OS Command ('OS Command Injection') |
| Timeline |
January 17, 2020: HIRT receives about this vulnerability
from "Information Security Early Warning Partnership". June 18, 2021: Acknowledgment publicly disclosed. |
Thanks to Yuji Tounai (of Mitsui Bussan Secure Directions, Inc.)
for reporting this vulnerability. HIRT promoted to fix this
vulnerability in line with
"Information Security Early Warning Partnership
Guidelines".
| Title |
Cross-site Scripting Vulnerability in Hitachi Application
Server Help |
|---|---|
| CVE | CVE-2021-20741 |
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') |
| Timeline |
December 12, 2019: HIRT receives about this vulnerability
from "Information Security Early Warning Partnership". February 05, 2021: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2021-104 February 05, 2021: Acknowledgment publicly disclosed. |
Thanks to
Andrej Å imko
(CVE-2020-24664, CVE-2020-24670 and CVE-2020-24665),
Klára Szvitková
(CVE-2020-24669) and Stanislav Dusek (CVE-2020-24666) of (Accenture) for reporting these vulnerabilities.
Thanks to
Miguel Santareno
for reporting this vulnerability.
| Title | Information Exposure issue on Web site. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:P/I:N/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-200: Information Exposure |
| Timeline |
October 13, 2020: HIRT receives about this
vulnerability. October 15, 2020: HIRT asks for technical description about the vulnerability. October 15, 2020: HIRT receives technical details. January 04, 2021: HIRT notifies a fix of this vulnerability. January 05, 2021: Acknowledgment publicly disclosed. |
Thanks to Shivang Trived for offering a technical report.
| Title |
Technical report for mod_http2 in Apache HTTP Server. |
|---|---|
| Timeline |
September 01, 2020: HIRT receives a technical report for
mod_http2 in Apache HTTP Server. January 05, 2021: Acknowledgment publicly disclosed. |
Thanks to SecurityMate for reporting this vulnerability.
| Title |
Path Traversal (CVE-2020-3452) on Cisco Adaptive Security
Appliance |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE |
CWE-20: Improper Input Validation |
| Timeline |
July 31, 2020: HIRT receives about this vulnerability. July 31, 2020: HIRT asks for technical description about the vulnerability. July 31, 2020: HIRT receives technical details. August 17, 2020: HIRT notifies a fix of this vulnerability. August 20, 2020: Acknowledgment publicly disclosed. |
Thanks to
Dhiraj Mishra
for reporting this vulnerability.
| Title |
Insecure Loading of Dynamic Link Libraries in the
application installer |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CWE |
CWE-427: Uncontrolled Search Path Element Ref.HIRT-PUB17011 : Insecure Loading of Dynamic Link Libraries HIRT recommend "Run executable files, such as installers and self-extracting documents, in a safe manner." |
| Timeline |
April 30, 2020: HIRT receives about this vulnerability. July 27, 2020: HIRT notifies a fix of this vulnerability. July 28, 2020: Acknowledgment publicly disclosed. |
Thanks to
Ross Derewianko
for reporting this vulnerability.
| Title | Information Exposure issue on Web site. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-200: Information Exposure |
| Timeline |
June 02, 2020: HIRT receives about this vulnerability. July 27, 2020: HIRT notifies a fix of this vulnerability. July 28, 2020: Acknowledgment publicly disclosed. |
Thanks to
Ravi Ashok Prajapati
for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') Ref. OWASP: Cross-site Scripting (XSS) Ref. OBB-1112840 |
| Timeline |
March 07, 2020: Vulnerability Reported to
OpenBugBounty. June 05, 2020: HIRT follows up about this vulnerability. June 10, 2020: HIRT confirms a fix of this vulnerability. June 17, 2020: HIRT notifies a fix of this vulnerability. June 18, 2020: Acknowledgment publicly disclosed. |
Thanks to
Naresh Chowdary
and
Venkata Sateesh Netti
for reporting this vulnerability.
| Title |
Local File Inclusion issue (CVE 2019-11510) on Pulse
Secure VPN. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE |
CWE-275: Permission Issues |
| Timeline |
February 22, 2020: HIRT receives about this
vulnerability. June 05, 2020: HIRT notifies a fix of this vulnerability. June 08, 2020: Acknowledgment publicly disclosed. |
Thanks to
Jagdish Bharucha
for offering a technical report.
| Title |
Technical report for OTP supported by Web application |
|---|---|
| Timeline |
May 06, 2020: HIRT receives a technical report for OTP
supported by Web application. June 08, 2020: Acknowledgment publicly disclosed. |
Thanks to
Jagdish Bharucha
for reporting this vulnerability.
| Title |
Information Exposure issue on Web application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:N/A:N CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE |
CWE-639: Authorization Bypass Through User-Controlled
Key |
| Timeline |
November 21, 2019: HIRT receives about this
vulnerability. May 04, 2020: HIRT notifies a fix of this vulnerability. May 27, 2020: Acknowledgment publicly disclosed. |
Thanks to
Hoang Quoc Thinh
(OWASP Viet Nam Chapter) for reporting this vulnerability.
| Title |
Remote Code Execution issue (CVE-2020-7961) on Web
application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE |
CWE-502: Deserialization of Untrusted Data |
| Timeline |
March 29, 2020: HIRT receives about this vulnerability. April 13, 2020: HIRT notifies a fix of this vulnerability. April 14, 2020: Acknowledgment publicly disclosed. |
Thanks to Phatthanaphol Rattanapongporn for reporting this
vulnerability.
| Title |
Information Exposure issue on Web application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-264: Permissions, Privileges, and Access
Controls |
| Timeline |
August 21, 2019: HIRT receives about this
vulnerability. December 25, 2019: HIRT notifies a fix of this vulnerability. December 25, 2019: Acknowledgment publicly disclosed. |
Thanks to
Piotr Madej
(ING Tech Poland) for
reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21032 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-209: Information Exposure Through an Error
Message |
| Timeline |
March 29, 2018: HIRT receives about this vulnerability. March 30, 2018: HIRT asks for technical description about the vulnerability. April 03, 2018: HIRT receives technical details. December 20, 2019: HIRT notifies a fix of this vulnerability. December 20, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-128 December 20, 2019: Acknowledgment publicly disclosed. |
Thanks to
Piotr Madej
(ING Tech Poland) for
reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21033 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-73: External Control of File Name or Path |
| Timeline |
March 29, 2018: HIRT receives about this vulnerability. March 30, 2018: HIRT asks for technical description about the vulnerability. April 03, 2018: HIRT receives technical details. December 20, 2019: HIRT notifies a fix of this vulnerability. December 20, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-128 December 20, 2019: Acknowledgment publicly disclosed. |
Thanks to
Matt Byrne
(Perspective Risk) for reporting this vulnerability.
| Title | Hitachi Command Suite - Denial of Service |
|---|---|
| CVE | CVE-2019-17360 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CWE |
CWE-400: Uncontrolled Resource Consumption |
| Timeline |
July 30, 2019: HIRT receives about this vulnerability. July 30, 2019: HIRT asks for technical description about the vulnerability. July 30, 2019: HIRT receives technical details. October 07, 2019: HIRT notifies a fix of this vulnerability. November 08, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-125 November 08, 2019: Acknowledgment publicly disclosed. |
Thanks to
Matt Byrne
(Perspective Risk) for reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21026 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-200: Information Exposure |
| Timeline |
July 30, 2019: HIRT receives about this vulnerability. July 30, 2019: HIRT asks for technical description about the vulnerability. July 30, 2019: HIRT receives technical details. October 07, 2019: HIRT notifies a fix of this vulnerability. November 08, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-124 November 08, 2019: Acknowledgment publicly disclosed. |
Thanks to
Piotr Madej
(ING Tech Poland) for
reporting this vulnerability.
| Title | Hitachi Command Suite - Information Exposure |
|---|---|
| CVE | CVE-2018-21026 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-200: Information Exposure |
| Timeline |
March 29, 2018: HIRT receives about this vulnerability. March 30, 2018: HIRT asks for technical description about the vulnerability. April 03, 2018: HIRT receives technical details. November 08, 2019: HIRT notifies a fix of this vulnerability. November 08, 2019: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2019-124 November 08, 2019: Acknowledgment publicly disclosed. |
Thanks to
Pankaj Kumar Thakur (Nepal)
for reporting this misconfiguration vulnerability.
| Title | HTTP Host Header Injection on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N |
| CWE |
CWE-601: URL Redirection to Untrusted Site ('Open
Redirect') Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet |
| Timeline |
September 12, 2019: HIRT receives about this
vulnerability. October 20, 2019: HIRT notifies a fix of this vulnerability. October 21, 2019: Acknowledgment publicly disclosed. |
Thanks to
serge lacroute
for reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') Ref. OWASP: Cross-site Scripting (XSS) Ref. OBB-784016 |
| Timeline |
March 30, 2019: HIRT receives about this vulnerability. May 18, 2019: HIRT notifies a fix of this vulnerability. May 20, 2019: Acknowledgment publicly disclosed. |
Thanks to Jan Krissler and Julian Albrecht (Berlin University of Technology) for offering a technical report.
| Title | Technical report of finger vein device |
|---|---|
| Timeline |
October 04, 2018: HIRT receives a technical report of
finger vein device. November 12, 2018: Hitachi has a technical meeting with them in Tokyo. November 13, 2018: HIRT catches up their presentation "Hacking Vein Recognition Systems" of PacSec 2018. November 14, 2018: Hitachi has a technical meeting with them in Tokyo. November 20, 2018: Acknowledgment publicly disclosed. December 27, 2018: HIRT catches up their presentation "Venenerkennung Hacken" of 35th Chaos Communication Congress. |
Thanks to
Piotr Madej
(ING Tech Poland) for
reporting this vulnerability.
| Title |
Hitachi Command Suite 8 - Information Exposure |
|---|---|
| CVE | CVE-2018-14735 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-264: Permissions, Privileges, and Access
Controls |
| Timeline |
March 29, 2018: HIRT receives about this vulnerability. March 30, 2018: HIRT asks for technical description about the vulnerability. April 03, 2018: HIRT receives technical details. August 05, 2018: HIRT notifies a fix of this vulnerability. August 08, 2018: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2018-123 August 08, 2018: Acknowledgment publicly disclosed. |
Thanks to
Wai Yan Aung
for reporting this vulnerability.
| Title |
Reflected Cross-site Scripting on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:P/I:P/A:N CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') Ref. OWASP: Cross-site Scripting (XSS) |
| Timeline |
March 10, 2018: HIRT receives about this vulnerability. May 02, 2018: HIRT notifies a fix of this vulnerability. May 02, 2018: Acknowledgment publicly disclosed. |
Thanks to Craig Young, Lamar Bailey and Tyler Reguly (Tripwire VERT) for reporting this vulnerability.
| Title |
ROBOT (Return of Bleichenbacher's Oracle Threat) SSL
Denial of Service vulnerability in Hitachi Unified Storage
100 series |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:N/I:N/A:C CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CWE |
Ref.
The ROBOT Attack Ref. VERT Threat Alert: Return of Bleichenbacher's Oracle Threat (ROBOT) |
| Timeline |
November 28, 2017: Hitachi receives report of "unexpected
SSL traffic stop". December 01, 2017: HIRT receives about this vulnerability from Tripwire VERT. December 01, 2017: HIRT asks for technical description about the vulnerability. December 10, 2017: HIRT receives technical details. January 09, 2018: Hitachi releases a patch. February 22, 2018: Hitachi publishes an advisory. https://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2018_1/2018_304.html May 02, 2018: HIRT notifies a status of this vulnerability. May 02, 2018: Acknowledgment publicly disclosed. |
Thanks to
Suyog Palav
for reporting this vulnerability.
| Title |
Email Flooding issue on Web newsletter sign up
application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:N/A:P CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CWE |
CWE-399: Resource Management Errors |
| Timeline |
July 05, 2017: HIRT receives about this vulnerability. October 19, 2017: HIRT notifies a fix of this vulnerability. October 20, 2017: Acknowledgment publicly disclosed. |
Thanks to
Ketankumar Godhani
for reporting this vulnerability.
| Title | Clickjacking issue on Web login application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| CWE |
Ref.
OWASP Clickjacking |
| Timeline |
June 20, 2017: HIRT receives about this vulnerability. August 22, 2017: HIRT notifies a fix of this vulnerability. August 24, 2017: Acknowledgment publicly disclosed. |
Thanks to
Piotr Domirski
and Marcin Woloszyn (ING Services Polska) for reporting this vulnerability.
| Title |
Hitachi Command Suite 8 - Remote Execution of Internal
Commands via RMI w/o Authentication |
|---|---|
| CVE | CVE-2017-9294 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE |
CWE-285: Improper Authorization CWE-306: Missing Authentication for Critical Function |
| Timeline |
January 05, 2017: HIRT receives about this
vulnerability. January 05, 2017: HIRT asks for technical description about the vulnerability. January 06, 2017: HIRT receives technical details. February 28, 2017: HIRT notifies a fix schedule of this vulnerability. April 24, 2017: HIRT notifies a fix schedule change of this vulnerability. May 26, 2017: HIRT notifies a fix of this vulnerability. May 29, 2017: HIRT send CVE ID request. May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114 May 29, 2017: Acknowledgment publicly disclosed. May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to
Piotr Domirski
(ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 - External XML Entity |
|---|---|
| CVE | CVE-2017-9295 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:P/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| CWE |
CWE-611: Improper Restriction of XML External Entity
Reference ('XXE') Ref. OWASP: XML External Entity (XXE) Processing Ref. NIICosulting: Server side request forgery |
| Timeline |
January 05, 2017: HIRT receives about this
vulnerability. January 05, 2017: HIRT asks for technical description about the vulnerability. January 06, 2017: HIRT receives technical details. February 28, 2017: HIRT notifies a fix schedule of this vulnerability. April 24, 2017: HIRT notifies a fix schedule change of this vulnerability. May 26, 2017: HIRT notifies a fix of this vulnerability. May 29, 2017: HIRT send CVE ID request. May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114 May 29, 2017: Acknowledgment publicly disclosed. May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to
Pawel Bartunek
(ING Services Polska) for reporting this vulnerability.
| Title |
Hitachi Command Suite 8 Replication Manager - XML External
Entity |
|---|---|
| CVE | CVE-2017-9295 |
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:P/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| CWE |
CWE-611: Improper Restriction of XML External Entity
Reference ('XXE') Ref. OWASP: XML External Entity (XXE) Processing Ref. NIICosulting: Server side request forgery |
| Timeline |
January 05, 2017: HIRT receives about this
vulnerability. January 05, 2017: HIRT asks for technical description about the vulnerability. January 06, 2017: HIRT receives technical details. February 28, 2017: HIRT notifies a fix schedule of this vulnerability. April 24, 2017: HIRT notifies a fix schedule change of this vulnerability. May 26, 2017: HIRT notifies a fix of this vulnerability. May 29, 2017: HIRT send CVE ID request. May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114 May 29, 2017: Acknowledgment publicly disclosed. May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to
Pawel Bartunek
(ING Services Polska) for reporting this vulnerability.
| Title |
Hitachi Command Suite 8 Device Manager, Replication
Manager - Reflected Cross-Site Scripting |
|---|---|
| CVE | CVE-2017-9298 |
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:S/C:N/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') |
| Timeline |
January 05, 2017: HIRT receives about this
vulnerability. January 05, 2017: HIRT asks for technical description about the vulnerability. January 06, 2017: HIRT receives technical details. February 28, 2017: HIRT notifies a fix schedule of this vulnerability. April 24, 2017: HIRT notifies a fix schedule change of this vulnerability. May 26, 2017: HIRT notifies a fix of this vulnerability. May 29, 2017: HIRT send CVE ID request. May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114 May 29, 2017: Acknowledgment publicly disclosed. May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to
Pawel Bartunek
(ING Services Polska) for reporting this vulnerability.
| Title | Hitachi Command Suite 8 - Open Redirect |
|---|---|
| CVE | CVE-2017-9296 |
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:S/C:N/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N |
| CWE |
CWE-601: URL Redirection to Untrusted Site ('Open
Redirect') Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet |
| Timeline |
January 05, 2017: HIRT receives about this
vulnerability. January 05, 2017: HIRT asks for technical description about the vulnerability. January 06, 2017: HIRT receives technical details. February 28, 2017: HIRT notifies a fix schedule of this vulnerability. April 24, 2017: HIRT notifies a fix schedule change of this vulnerability. May 26, 2017: HIRT notifies a fix of this vulnerability. May 29, 2017: HIRT send CVE ID request. May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114 May 29, 2017: Acknowledgment publicly disclosed. May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to
Pawel Gocyla
(ING Services Polska) for reporting this vulnerability.
| Title |
Hitachi Command Suite 8 Device Manager - Sensitive Data
Disclosed Via Open Redirection Vulnerability |
|---|---|
| CVE | CVE-2017-9297 |
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:N/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| CWE |
CWE-601: URL Redirection to Untrusted Site ('Open
Redirect') Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet |
| Timeline |
January 16, 2017: HIRT receives about this
vulnerability. February 28, 2017: HIRT notifies a fix schedule of this vulnerability. April 24, 2017: HIRT notifies a fix schedule change of this vulnerability. May 26, 2017: HIRT notifies a fix of this vulnerability. May 29, 2017: HIRT send CVE ID request. May 29, 2017: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2017-114 May 29, 2017: Acknowledgment publicly disclosed. May 30, 2017: CVE ID is assigned to this vulnerability. |
Thanks to
Aidan Barrington
for reporting this vulnerability.
| Title |
FTP server has writable folders and files for firmware
update. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:S/C:N/I:P/A:N CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| CWE |
CWE-276: Incorrect Default Permissions |
| Timeline |
April 25, 2016: HIRT receives about this vulnerability. April 26, 2016: HIRT asks for technical description about the vulnerability. May 06, 2016: HIRT receives technical details. June 08, 2016: HIRT notifies a fix of this vulnerability. October 09, 2016: HIRT completed additional investigation of FTP server and related products. October 11, 2016: HIRT notifies. October 14, 2016: Acknowledgment publicly disclosed. |
Thanks to tah0zoo (Independent Security Researcher) for
reporting this vulnerability.
| Title | Cross-site Scripting on Web application |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:N/C:P/I:P/A:N CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') Ref. OWASP: Cross-site Scripting (XSS) |
| Timeline |
January 08, 2016: HIRT receives about this
vulnerability. August 18, 2016: HIRT notifies a fix of this vulnerability. August 22, 2016: Acknowledgment publicly disclosed. |
Thanks to
Anand Tendolkar
for reporting this vulnerability.
| Title |
Information Exposure Through Directory Listing on Web
site. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE |
CWE-548: Information Exposure Through Directory
Listing Ref. OWASP: Top 10 2013-A5-Security Misconfiguration Ref. OWASP: Top 10 2013-A6-Sensitive Data Exposure |
| Timeline |
June 03, 2016: HIRT receives about this vulnerability. August 18, 2016: HIRT notifies a fix of this vulnerability. August 22, 2016: Acknowledgment publicly disclosed. |
Thanks to James Schwinabart (Qualcomm's Information Security and Risk Management team) for reporting this vulnerability.
| Title |
Apache Commons Collections Java library insecurely
deserializes data |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CWE |
CWE-502: Deserialization of Untrusted Data |
| Timeline |
November 13, 2015: Vulnerability Note
VU#576313
published. March 23, 2016: HIRT receives about this vulnerability. March 28, 2016: Hitachi publishes an advisory and announces a patch. https://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html March 29, 2016: HIRT notifies a fix of this vulnerability. March 31, 2016: Acknowledgment publicly disclosed. |
Thanks to
BALAJI P R
(Independent Security Researcher) for reporting this
vulnerability.
| Title |
Cross-site Scripting on Web portal application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') Ref. OWASP: Cross-site Scripting (XSS) |
| Timeline |
February 21, 2015: HIRT receives about this
vulnerability. October 30, 2015: HIRT notifies a fix of this vulnerability. November 04, 2015: Acknowledgment publicly disclosed. |
Thanks to
BALAJI P R
(Independent Security Researcher) for reporting this
vulnerability.
| Title |
Cross-site Scripting on Web search application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N |
| CWE |
CWE-79: Improper Neutralization of Input During Web
Page Generation ('Cross-site Scripting') Ref. OWASP: Cross-site Scripting (XSS) |
| Timeline |
February 21, 2015: HIRT receives about this
vulnerability. October 30, 2015: HIRT notifies a fix of this vulnerability. November 04, 2015: Acknowledgment publicly disclosed. |
Thanks to Taizo Tsukamoto (of GLOBAL SECURITY EXPERTS Inc.) for
reporting this vulnerability. HIRT promoted to fix this
vulnerability in line with
"Information Security Early Warning Partnership
Guidelines".
| Title |
Privilege escalation vulnerabilities in JP1/IT Desktop
Management - Manager and Hitachi IT Operations Director |
|---|---|
| CVE | CVE-2013-4697 |
| CVSS |
CVSS:2.0
AV:N/AC:M/Au:S/C:N/I:P/A:N |
| CWE |
CWE-264: Permissions, Privileges, and Access
Controls |
| Timeline |
May 22, 2013: HIRT receives about this vulnerability from
"Information Security Early Warning Partnership". May 23, 2013: HIRT receives technical details. May 23, 2013: HIRT confirms the existence of the flaw. July 26, 2013: Hitachi publishes an advisory and announces a patch. https://www.hitachi.com/products/it/software/security/info/vuls/HS13-017 July 29, 2013: JVN publishes a vulnerability note. https://jvn.jp/en/jp/JVN00065218/ July 29, 2013: Acknowledgment publicly disclosed. |
Thanks to
Muhammad Haroon
for reporting this vulnerability.
| Title | Local File Download from Web application. |
|---|---|
| CVSS |
CVSS:2.0
AV:N/AC:L/Au:N/C:C/I:N/A:N |
| CWE |
CWE-22: Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal') |
| Timeline |
March 14, 2012: Hitachi receives about this
vulnerability. March 16, 2012: HIRT receives about this vulnerability. March 17, 2012: HIRT asks for technical description about the flaw. March 17, 2012: HIRT receives technical details. April 21, 2012: HIRT notifies a fix of this vulnerability. April 24, 2012: Acknowledgment publicly disclosed. |
