Hirotaka Katagiri

**Name of the Vulnerable Software and Affected Versions** Buffalo WHR, WZR2, WZR, WER, and BBR series routers versions 1.x Buffalo BHR-4RV and FS-G54 routers versions 2.x Buffalo AS-100 routers (affected versions not specified) **Description** The issue allows remote attackers to hijack the authentication of administrators for requests that modify settings, such as changing the login password, due to multiple cross-site request forgery (CSRF) vulnerabilities in the management screen. **Recommendations** For Buffalo WHR, WZR2, WZR, WER, and BBR series routers with firmware 1.x: update the firmware to a version that addresses the CSRF vulnerabilities. For Buffalo BHR-4RV and FS-G54 routers with firmware 2.x: update the firmware to a version that addresses the CSRF vulnerabilities. For Buffalo AS-100 routers: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AttacheCase versions prior to 2.70 **Description** The issue allows local users to gain privileges via a Trojan horse executable file in the current working directory due to an untrusted search path vulnerability. **Recommendations** For versions prior to 2.70, update to version 2.70 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Century Systems routers including XR-410 versions prior to 1.6.9 Century Systems routers including XR-510 versions prior to 3.5.3 Century Systems routers including XR-440 versions prior to 1.7.8 Century Systems routers including XR series routers from XR-510 to XR-730 (affected versions not specified) Description: A cross-site request forgery (CSRF) issue allows remote attackers to modify the configuration of the router as the administrator. The exact vectors used for the attack are not specified. Recommendations: For XR-410 versions prior to 1.6.9, update to version 1.6.9 or later. For XR-510 versions prior to 3.5.3, update to version 3.5.3 or later. For XR-440 versions prior to 1.7.8, update to version 1.7.8 or later. For XR series routers from XR-510 to XR-730, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** System Consultants La!Cooda WIZ versions 1.4.0 and earlier SpaceTag LacoodaST versions 2.1.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP scripts, and enables them to delete files, read files, possibly having other unknown impacts. **Recommendations** For System Consultants La!Cooda WIZ versions 1.4.0 and earlier, update to a version later than 1.4.0 to resolve the issue. For SpaceTag LacoodaST versions 2.1.3 and earlier, update to a version later than 2.1.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SpaceTag LacoodaST versions 2.1.3 and earlier **Description** A session fixation issue allows remote attackers to hijack web sessions. The exact vectors used for the attack are not specified. **Recommendations** For versions 2.1.3 and earlier, update to a version later than 2.1.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** System Consultants La!Cooda WIZ versions 1.4.0 and earlier SpaceTag LacoodaST versions 2.1.3 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving the upload of files containing XSS sequences. **Recommendations** For System Consultants La!Cooda WIZ versions 1.4.0 and earlier, update to a version later than 1.4.0 to resolve the issue. For SpaceTag LacoodaST versions 2.1.3 and earlier, update to a version later than 2.1.3 to resolve the issue.