Masamu Asato

**Name of the Vulnerable Software and Affected Versions** TimeWorks versions 10.0 through 10.3 **Description** The issue is related to improper limitation of a pathname to a restricted directory, also known as 'Path Traversal'. This could allow a remote unauthenticated attacker to access arbitrary JSON files on the server. **Recommendations** For TimeWorks versions 10.0 through 10.3, consider restricting access to sensitive directories and files to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: BizRobo! (affected versions not specified) Description: The issue exists with the use of hard-coded cryptographic keys in BizRobo!. Credentials inside robot files may be obtained if the encryption key is available. The vendor provides workaround information and recommends applying it to the deployment environment. Recommendations: Apply the workaround provided by the vendor to the deployment environment. As a temporary workaround, consider restricting access to the robot files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FileMegane versions 1.0.0.0 through 3.4.0.0 Description: An authentication bypass by spoofing issue exists, which may lead to user impersonation. If exploited, restricted file contents may be accessed. Recommendations: For versions 1.0.0.0 through 3.4.0.0, update to version 3.4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive file contents until the update is applied.

Name of the Vulnerable Software and Affected Versions: FileMegane versions 3.0.0.0 through 3.4.0.0 Description: The issue exists due to a Server-Side Request Forgery (SSRF) vulnerability. This could allow executing arbitrary backend Web API requests, potentially leading to rebooting the services. Recommendations: For versions 3.0.0.0 through 3.4.0.0, update to a version 3.4.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to backend Web API requests until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** The issue allows a remote unauthenticated attacker to execute an arbitrary OS command. **Recommendations** For MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** The issue allows a remote authenticated attacker with administrative privilege to execute an arbitrary OS command. **Recommendations** For MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** A cross-site request forgery (CSRF) issue allows a remote unauthenticated attacker to hijack user authentication and conduct unintended operations by having a user view a malicious page while logged in. **Recommendations** For MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** MAHO-PBX NetDevancer series versions prior to 1.11.00 MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00 MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00 **Description** A reflected cross-site scripting issue allows a remote unauthenticated attacker to inject an arbitrary script. **Recommendations** For MAHO-PBX NetDevancer series versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer VSG Lite/Uni versions prior to 1.11.00, update to version 1.11.00 or later. For MAHO-PBX NetDevancer MobileGate Home/Office versions prior to 1.11.00, update to version 1.11.00 or later.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Uploader versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For baserCMS plugin Uploader versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 3.0.10 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 3.0.10 and earlier **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Feed versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators. This is achieved via unspecified vectors. **Recommendations** For baserCMS plugin Feed versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Mail versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** baserCMS plugin Blog versions 3.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators via unspecified vectors. **Recommendations** For versions 3.0.10 and earlier, update to a version later than 3.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Script* Log-Chat versions prior to 2.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 2.0, update to version 2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JOB-CUBE -JOB WEB SYSTEM versions prior to 1.2.2 -JOB WEB SYSTEM High Income versions prior to 1.0.6 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For JOB-CUBE -JOB WEB SYSTEM versions prior to 1.2.2, update to version 1.2.2 or later. For -JOB WEB SYSTEM High Income versions prior to 1.0.6, update to version 1.0.6 or later.