Search
Find a vulnerability
Search criteria
6 vulnerabilities by National Tax Agency JAPAN
JVNDB-2024-000103
Vulnerability from jvndb - Published: 2024-09-24 16:12 - Updated:2024-09-24 16:12
Severity
Summary
The installer of e-Tax software(common program) vulnerable to privilege escalation
Details
The installer of e-Tax software(common program) provided by National Tax Agency contains a vulnerability which allows uploading a malicious DLL to be executed with higher privileges than that of an general user by altering registry (CWE-268).
Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000103.html",
"dc:date": "2024-09-24T16:12+09:00",
"dcterms:issued": "2024-09-24T16:12+09:00",
"dcterms:modified": "2024-09-24T16:12+09:00",
"description": "The installer of e-Tax software(common program) provided by National Tax Agency contains a vulnerability which allows uploading a malicious DLL to be executed with higher privileges than that of an general user by altering registry (CWE-268).\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000103.html",
"sec:cpe": {
"#text": "cpe:/a:nta:e-tax",
"@product": "e-Tax Software",
"@vendor": "National Tax Agency JAPAN",
"@version": "2.2"
},
"sec:cvss": {
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-000103",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN57749899/index.html",
"@id": "JVN#57749899",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-47045",
"@id": "CVE-2024-47045",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "The installer of e-Tax software(common program) vulnerable to privilege escalation"
}
JVNDB-2023-000110
Vulnerability from jvndb - Published: 2023-11-02 13:38 - Updated:2024-05-01 18:41
Severity
Summary
Improper restriction of XML external entity references (XXE) in e-Tax software
Details
e-Tax software provided by National Tax Agency improperly restricts XML external entity references (XXE) (CWE-611) due to the configuration of the embedded XML parser.
Toyama Taku of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000110.html",
"dc:date": "2024-05-01T18:41+09:00",
"dcterms:issued": "2023-11-02T13:38+09:00",
"dcterms:modified": "2024-05-01T18:41+09:00",
"description": "e-Tax software provided by National Tax Agency improperly restricts XML external entity references (XXE) (CWE-611) due to the configuration of the embedded XML parser.\r\n\r\nToyama Taku of NEC Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000110.html",
"sec:cpe": {
"#text": "cpe:/a:nta:e-tax",
"@product": "e-Tax Software",
"@vendor": "National Tax Agency JAPAN",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "1.2",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
"@version": "2.0"
},
{
"@score": "2.5",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000110",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN14762986/index.html",
"@id": "JVN#14762986",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-46802",
"@id": "CVE-2023-46802",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46802",
"@id": "CVE-2023-46802",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Improper restriction of XML external entity references (XXE) in e-Tax software"
}
JVNDB-2020-000040
Vulnerability from jvndb - Published: 2020-06-24 14:25 - Updated:2020-06-24 14:25
Severity
Summary
Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
Details
Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an attacker is fed to the Chrome Extension for e-Tax Reception and COM objects are manipulated, which may result in arbitrary command execution.
ucq of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000040.html",
"dc:date": "2020-06-24T14:25+09:00",
"dcterms:issued": "2020-06-24T14:25+09:00",
"dcterms:modified": "2020-06-24T14:25+09:00",
"description": "Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an attacker is fed to the Chrome Extension for e-Tax Reception and COM objects are manipulated, which may result in arbitrary command execution.\r\n\r\nucq of Cyber Defense Institute, Inc. reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000040.html",
"sec:cpe": {
"#text": "cpe:/a:nta:e-tax_reception_system",
"@product": "Chrome Extension e-Tax Reception System AP",
"@vendor": "National Tax Agency JAPAN",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2020-000040",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN40039627/index.html",
"@id": "JVN#40039627",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5601",
"@id": "CVE-2020-5601",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5601",
"@id": "CVE-2020-5601",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
}
],
"title": "Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution"
}
JVNDB-2017-000145
Vulnerability from jvndb - Published: 2017-06-28 16:40 - Updated:2018-02-07 13:40
Severity
Summary
Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries
Details
Installer of Setup file of advance preparation for e-Tax software (WEB version) provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.
BlackWingCat of Pink Flying Whale reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000145.html",
"dc:date": "2018-02-07T13:40+09:00",
"dcterms:issued": "2017-06-28T16:40+09:00",
"dcterms:modified": "2018-02-07T13:40+09:00",
"description": "Installer of Setup file of advance preparation for e-Tax software (WEB version) provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nBlackWingCat of Pink Flying Whale reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000145.html",
"sec:cpe": {
"#text": "cpe:/a:nta:e-tax",
"@product": "e-Tax Software",
"@vendor": "National Tax Agency JAPAN",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000145",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN79451345/index.html",
"@id": "JVN#79451345",
"@source": "JVN"
},
{
"#text": "https://jvn.jp/en/ta/JVNTA91240916/",
"@id": "JVNTA#91240916",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2226",
"@id": "CVE-2017-2226",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2226",
"@id": "CVE-2017-2226",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries"
}
JVNDB-2017-000129
Vulnerability from jvndb - Published: 2017-06-09 15:59 - Updated:2018-02-14 13:55
Severity
Summary
Installer of "Setup file of advance preparation" may insecurely load Dinamic Link Libraries
Details
"Setup file of advance preparation" provided by National Tax Agency is software to setup the environment which is required to use "filing assistance on the NTA website".
"Setup file of advance preparation"contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.
Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000129.html",
"dc:date": "2018-02-14T13:55+09:00",
"dcterms:issued": "2017-06-09T15:59+09:00",
"dcterms:modified": "2018-02-14T13:55+09:00",
"description": "\"Setup file of advance preparation\" provided by National Tax Agency is software to setup the environment which is required to use \"filing assistance on the NTA website\".\r\n\"Setup file of advance preparation\"contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000129.html",
"sec:cpe": {
"#text": "cpe:/a:nta:nta_advance_preparation_setup_file",
"@product": "Setup file of advance preparation",
"@vendor": "National Tax Agency JAPAN",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000129",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN34508179/index.html",
"@id": "JVN#34508179",
"@source": "JVN"
},
{
"#text": "https://jvn.jp/en/ta/JVNTA91240916/index.html",
"@id": "JVNTA#91240916",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2215",
"@id": "CVE-2017-2215",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2215",
"@id": "CVE-2017-2215",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Installer of \"Setup file of advance preparation\" may insecurely load Dinamic Link Libraries"
}
JVNDB-2016-000207
Vulnerability from jvndb - Published: 2016-10-19 12:29 - Updated:2018-01-17 11:48
Severity
Summary
The installer of e-Tax Software may insecurely load Dynamic Link Libraries
Details
The installer of e-Tax Software provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.
Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000207.html",
"dc:date": "2018-01-17T11:48+09:00",
"dcterms:issued": "2016-10-19T12:29+09:00",
"dcterms:modified": "2018-01-17T11:48+09:00",
"description": "The installer of e-Tax Software provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nYuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000207.html",
"sec:cpe": {
"#text": "cpe:/a:nta:e-tax",
"@product": "e-Tax Software",
"@vendor": "National Tax Agency JAPAN",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2016-000207",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN63012325/index.html",
"@id": "JVN#63012325",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4901",
"@id": "CVE-2016-4901",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-4901",
"@id": "CVE-2016-4901",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "The installer of e-Tax Software may insecurely load Dynamic Link Libraries"
}