Search

Find a vulnerability

Search criteria

    6 vulnerabilities by National Tax Agency JAPAN

    JVNDB-2024-000103

    Vulnerability from jvndb - Published: 2024-09-24 16:12 - Updated:2024-09-24 16:12
    Severity
    Summary
    The installer of e-Tax software(common program) vulnerable to privilege escalation
    Details
    The installer of e-Tax software(common program) provided by National Tax Agency contains a vulnerability which allows uploading a malicious DLL to be executed with higher privileges than that of an general user by altering registry (CWE-268). Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000103.html",
      "dc:date": "2024-09-24T16:12+09:00",
      "dcterms:issued": "2024-09-24T16:12+09:00",
      "dcterms:modified": "2024-09-24T16:12+09:00",
      "description": "The installer of e-Tax software(common program) provided by National Tax Agency contains a vulnerability which allows uploading a malicious DLL to be executed with higher privileges than that of an general user by altering registry (CWE-268).\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000103.html",
      "sec:cpe": {
        "#text": "cpe:/a:nta:e-tax",
        "@product": "e-Tax Software",
        "@vendor": "National Tax Agency JAPAN",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.8",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-000103",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN57749899/index.html",
          "@id": "JVN#57749899",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-47045",
          "@id": "CVE-2024-47045",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "The installer of e-Tax software(common program) vulnerable to privilege escalation"
    }

    JVNDB-2023-000110

    Vulnerability from jvndb - Published: 2023-11-02 13:38 - Updated:2024-05-01 18:41
    Severity
    Summary
    Improper restriction of XML external entity references (XXE) in e-Tax software
    Details
    e-Tax software provided by National Tax Agency improperly restricts XML external entity references (XXE) (CWE-611) due to the configuration of the embedded XML parser. Toyama Taku of NEC Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000110.html",
      "dc:date": "2024-05-01T18:41+09:00",
      "dcterms:issued": "2023-11-02T13:38+09:00",
      "dcterms:modified": "2024-05-01T18:41+09:00",
      "description": "e-Tax software provided by National Tax Agency improperly restricts XML external entity references (XXE) (CWE-611) due to the configuration of the embedded XML parser.\r\n\r\nToyama Taku of NEC Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000110.html",
      "sec:cpe": {
        "#text": "cpe:/a:nta:e-tax",
        "@product": "e-Tax Software",
        "@vendor": "National Tax Agency JAPAN",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "1.2",
          "@severity": "Low",
          "@type": "Base",
          "@vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
          "@version": "2.0"
        },
        {
          "@score": "2.5",
          "@severity": "Low",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2023-000110",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN14762986/index.html",
          "@id": "JVN#14762986",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-46802",
          "@id": "CVE-2023-46802",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46802",
          "@id": "CVE-2023-46802",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Improper restriction of XML external entity references (XXE) in e-Tax software"
    }

    JVNDB-2020-000040

    Vulnerability from jvndb - Published: 2020-06-24 14:25 - Updated:2020-06-24 14:25
    Severity
    Summary
    Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution
    Details
    Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an attacker is fed to the Chrome Extension for e-Tax Reception and COM objects are manipulated, which may result in arbitrary command execution. ucq of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000040.html",
      "dc:date": "2020-06-24T14:25+09:00",
      "dcterms:issued": "2020-06-24T14:25+09:00",
      "dcterms:modified": "2020-06-24T14:25+09:00",
      "description": "Chrome Extension for e-Tax Reception System provided by National Tax Agency is an extension to use the e-Tax Reception System on Google Chrome and/or Chromium-based versions of Microsoft Edge. When a user runs a Chrome Extension for e-Tax Reception System, a specially crafted parameter by an attacker is fed to the Chrome Extension for e-Tax Reception and COM objects are manipulated, which may result in arbitrary command execution.\r\n\r\nucq of Cyber Defense Institute, Inc. reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000040.html",
      "sec:cpe": {
        "#text": "cpe:/a:nta:e-tax_reception_system",
        "@product": "Chrome Extension e-Tax Reception System AP",
        "@vendor": "National Tax Agency JAPAN",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "5.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "5.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2020-000040",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN40039627/index.html",
          "@id": "JVN#40039627",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5601",
          "@id": "CVE-2020-5601",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5601",
          "@id": "CVE-2020-5601",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-264",
          "@title": "Permissions(CWE-264)"
        }
      ],
      "title": "Chrome Extension for e-Tax Reception System vulnerable to arbitrary command execution"
    }

    JVNDB-2017-000145

    Vulnerability from jvndb - Published: 2017-06-28 16:40 - Updated:2018-02-07 13:40
    Severity
    Summary
    Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries
    Details
    Installer of Setup file of advance preparation for e-Tax software (WEB version) provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. BlackWingCat of Pink Flying Whale reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000145.html",
      "dc:date": "2018-02-07T13:40+09:00",
      "dcterms:issued": "2017-06-28T16:40+09:00",
      "dcterms:modified": "2018-02-07T13:40+09:00",
      "description": "Installer of Setup file of advance preparation for e-Tax software (WEB version) provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nBlackWingCat of Pink Flying Whale reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000145.html",
      "sec:cpe": {
        "#text": "cpe:/a:nta:e-tax",
        "@product": "e-Tax Software",
        "@vendor": "National Tax Agency JAPAN",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.8",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2017-000145",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN79451345/index.html",
          "@id": "JVN#79451345",
          "@source": "JVN"
        },
        {
          "#text": "https://jvn.jp/en/ta/JVNTA91240916/",
          "@id": "JVNTA#91240916",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2226",
          "@id": "CVE-2017-2226",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2226",
          "@id": "CVE-2017-2226",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Installer of Setup file of advance preparation for e-Tax software (WEB version) may insecurely load Dynamic Link Libraries"
    }

    JVNDB-2017-000129

    Vulnerability from jvndb - Published: 2017-06-09 15:59 - Updated:2018-02-14 13:55
    Severity
    Summary
    Installer of "Setup file of advance preparation" may insecurely load Dinamic Link Libraries
    Details
    "Setup file of advance preparation" provided by National Tax Agency is software to setup the environment which is required to use "filing assistance on the NTA website". "Setup file of advance preparation"contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000129.html",
      "dc:date": "2018-02-14T13:55+09:00",
      "dcterms:issued": "2017-06-09T15:59+09:00",
      "dcterms:modified": "2018-02-14T13:55+09:00",
      "description": "\"Setup file of advance preparation\" provided by National Tax Agency is software to setup the environment which is required to use \"filing assistance on the NTA website\".\r\n\"Setup file of advance preparation\"contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000129.html",
      "sec:cpe": {
        "#text": "cpe:/a:nta:nta_advance_preparation_setup_file",
        "@product": "Setup file of advance preparation",
        "@vendor": "National Tax Agency JAPAN",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.8",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2017-000129",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN34508179/index.html",
          "@id": "JVN#34508179",
          "@source": "JVN"
        },
        {
          "#text": "https://jvn.jp/en/ta/JVNTA91240916/index.html",
          "@id": "JVNTA#91240916",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2215",
          "@id": "CVE-2017-2215",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2215",
          "@id": "CVE-2017-2215",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Installer of \"Setup file of advance preparation\" may insecurely load Dinamic Link Libraries"
    }

    JVNDB-2016-000207

    Vulnerability from jvndb - Published: 2016-10-19 12:29 - Updated:2018-01-17 11:48
    Severity
    Summary
    The installer of e-Tax Software may insecurely load Dynamic Link Libraries
    Details
    The installer of e-Tax Software provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Yuji Tounai of NTT Communications Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000207.html",
      "dc:date": "2018-01-17T11:48+09:00",
      "dcterms:issued": "2016-10-19T12:29+09:00",
      "dcterms:modified": "2018-01-17T11:48+09:00",
      "description": "The installer of e-Tax Software provided by National Tax Agency contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nYuji Tounai of NTT Communications Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000207.html",
      "sec:cpe": {
        "#text": "cpe:/a:nta:e-tax",
        "@product": "e-Tax Software",
        "@vendor": "National Tax Agency JAPAN",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.8",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2016-000207",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN63012325/index.html",
          "@id": "JVN#63012325",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4901",
          "@id": "CVE-2016-4901",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-4901",
          "@id": "CVE-2016-4901",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "The installer of e-Tax Software may insecurely load Dynamic Link Libraries"
    }