Hiroshi Kumagai

Name of the Vulnerable Software and Affected Versions: SumaHo application versions 3.0.0 and earlier SumaHo "driving capability" diagnosis result transmission application versions 1.2.2 and earlier Description: The issue allows man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates. Recommendations: For SumaHo application versions 3.0.0 and earlier, update the application to verify SSL/TLS server certificates. For SumaHo "driving capability" diagnosis result transmission application versions 1.2.2 and earlier, update the application to verify SSL/TLS server certificates.

**Name of the Vulnerable Software and Affected Versions** Smartphone Passbook version 1.0.0 **Description** The issue allows man-in-the-middle attackers to obtain sensitive information from encrypted communications by using a crafted certificate, as Smartphone Passbook does not verify X.509 certificates from SSL servers. **Recommendations** For Smartphone Passbook version 1.0.0, consider implementing certificate verification to prevent man-in-the-middle attacks. As a temporary workaround, restrict access to sensitive information until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ogaki Kyoritsu Bank Smartphone Passbook application version 1.0.0 **Description** The issue allows attackers to obtain sensitive information by reading a log file that contains input data from the user. This is because the application creates a log file with user input, which can be accessed by attackers. **Recommendations** For Ogaki Kyoritsu Bank Smartphone Passbook application version 1.0.0, consider restricting access to the log file to minimize the risk of sensitive information disclosure until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NEC AtermWR9500N, AtermWR8600N, AtermWR8370N, AtermWR8160N, AtermWM3600R, and AtermWM3450RN routers (affected versions not specified) **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the web-based management utility of the affected routers. These vulnerabilities allow remote attackers to hijack the authentication of administrators for requests, including initializing settings or rebooting the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.