Ryo Sato

Name of the Vulnerable Software and Affected Versions: Skylark App for Android versions 6.2.13 and earlier Skylark App for iOS versions 6.2.13 and earlier Description: The issue is related to improper authorization in the handler for a custom URL scheme, allowing an attacker to lead the application to access an arbitrary web site via another application installed on the user's device. Recommendations: For Skylark App for Android versions 6.2.13 and earlier, consider restricting access to custom URL schemes until a patch is available. For Skylark App for iOS versions 6.2.13 and earlier, consider restricting access to custom URL schemes until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LIQUID SPEECH BALLOON versions prior to 1.2 **Description** A cross-site request forgery (CSRF) issue allows a remote unauthenticated attacker to hijack the authentication of a user and perform unintended operations by having a user view a malicious page. **Recommendations** For versions prior to 1.2, update to version 1.2 or later to resolve the issue. As a temporary workaround, consider implementing CSRF tokens or other anti-CSRF measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Driver Distributor versions 2.2.3.1 and earlier **Description** The issue concerns a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decrypted. **Recommendations** For Driver Distributor versions 2.2.3.1 and earlier, consider updating to a newer version that addresses the issue of storing passwords in a recoverable format. As a temporary workaround, restrict access to configuration files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lemon8 App for Android versions prior to 3.3.5 Lemon8 App for iOS versions prior to 3.3.5 **Description** The issue is related to improper authorization in the handler for a custom URL scheme, allowing a remote attacker to lead a user to access an arbitrary website via the vulnerable App. This could result in the user becoming a victim of a phishing attack. **Recommendations** For Lemon8 App for Android versions prior to 3.3.5, update to version 3.3.5 or later. For Lemon8 App for iOS versions prior to 3.3.5, update to version 3.3.5 or later.

**Name of the Vulnerable Software and Affected Versions** Hulu App for Android versions 3.0.47 through 3.1.1 **Description** The issue concerns the use of a hard-coded API key for an external service in the Hulu App for Android. This could potentially allow the API key to be obtained by analyzing the app's data, thus compromising the security of the external service. **Recommendations** For Hulu App for Android versions 3.0.47 through 3.1.1, consider updating to version 3.1.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: GroupSession Free edition versions 2.2.0 through 5.0.x GroupSession byCloud versions 3.0.3 through 5.0.x GroupSession ZION versions 3.0.3 through 5.0.x Description: A cross-site scripting issue allows a remote attacker to inject an arbitrary script by sending a specially crafted request to a specific URL. Recommendations: For GroupSession Free edition versions 2.2.0 through 5.0.x, update to version 5.1.0 or later. For GroupSession byCloud versions 3.0.3 through 5.0.x, update to version 5.1.0 or later. For GroupSession ZION versions 3.0.3 through 5.0.x, update to version 5.1.0 or later.

Name of the Vulnerable Software and Affected Versions: GroupSession Free edition versions 2.2.0 through 5.1.0 GroupSession byCloud versions 3.0.3 through 5.1.0 GroupSession ZION versions 3.0.3 through 5.1.0 Description: A server-side request forgery (SSRF) issue allows a remote authenticated attacker to conduct a port scan from the product and/or obtain information from the internal Web server. Recommendations: For GroupSession Free edition versions 2.2.0 through 5.1.0, update to version 5.1.0 or later. For GroupSession byCloud versions 3.0.3 through 5.1.0, update to version 5.1.0 or later. For GroupSession ZION versions 3.0.3 through 5.1.0, update to version 5.1.0 or later.

Name of the Vulnerable Software and Affected Versions: GroupSession Free edition versions 2.2.0 through 5.1.0 GroupSession byCloud versions 3.0.3 through 5.1.0 GroupSession ZION versions 3.0.3 through 5.1.0 Description: The issue allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack via a specially crafted URL. Recommendations: For GroupSession Free edition versions 2.2.0 through 5.1.0, update to version 5.1.0 or later. For GroupSession byCloud versions 3.0.3 through 5.1.0, update to version 5.1.0 or later. For GroupSession ZION versions 3.0.3 through 5.1.0, update to version 5.1.0 or later.

Name of the Vulnerable Software and Affected Versions: Retty App for Android versions prior to 4.8.13 Retty App for iOS versions prior to 4.11.14 Description: The issue concerns the use of a hard-coded API key for an external service in the Retty App. This could allow the API key to be obtained by analyzing data in the app, potentially leading to its exploitation. Recommendations: For Retty App for Android versions prior to 4.8.13, update to version 4.8.13 or later. For Retty App for iOS versions prior to 4.11.14, update to version 4.11.14 or later.

Name of the Vulnerable Software and Affected Versions: Retty App for Android versions prior to 4.8.13 Retty App for iOS versions prior to 4.11.14 Description: The issue is related to improper authorization in the handler for a custom URL scheme, allowing a remote attacker to lead a user to access an arbitrary website via the vulnerable App. Recommendations: For Retty App for Android versions prior to 4.8.13, update to version 4.8.13 or later. For Retty App for iOS versions prior to 4.11.14, update to version 4.11.14 or later.

Name of the Vulnerable Software and Affected Versions: Hot Pepper Gourmet App for Android versions 4.111.0 and earlier Hot Pepper Gourmet App for iOS versions 4.111.0 and earlier Description: The issue is related to improper access control, allowing a remote attacker to lead a user to access an arbitrary website via the vulnerable app. Recommendations: For Hot Pepper Gourmet App for Android versions 4.111.0 and earlier, update to a version later than 4.111.0. For Hot Pepper Gourmet App for iOS versions 4.111.0 and earlier, update to a version later than 4.111.0.

Name of the Vulnerable Software and Affected Versions: Gurunavi App for Android versions 10.0.10 and earlier Gurunavi App for iOS versions 11.1.2 and earlier Description: The issue allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. This is due to an improper access control vulnerability. Recommendations: For Gurunavi App for Android versions 10.0.10 and earlier, update to a version later than 10.0.10 to resolve the issue. For Gurunavi App for iOS versions 11.1.2 and earlier, update to a version later than 11.1.2 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: ELECOM WRC-1467GHBK-A (affected versions not specified) Description: The issue allows arbitrary scripts to be executed on the user's web browser by displaying a specially crafted SSID on the web setup page. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** desknet's NEO versions 5.5 R1.5 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary script via unspecified vectors. **Recommendations** For desknet's NEO versions 5.5 R1.5 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Studyplus App for Android versions 6.3.7 and earlier Studyplus App for iOS versions 8.29.0 and earlier **Description** The issue concerns the use of a hard-coded API key for an external service in the affected apps. This could allow the API key to be obtained by analyzing data within the app. **Recommendations** For Studyplus App for Android versions 6.3.7 and earlier, consider removing or securely storing the hard-coded API key until a patch is available. For Studyplus App for iOS versions 8.29.0 and earlier, consider removing or securely storing the hard-coded API key until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NTT 050 plus versions prior to 4.2.1 **Description** The issue allows attackers to obtain sensitive information by leveraging the ability to read system log files. **Recommendations** For versions prior to 4.2.1, update to version 4.2.1 or later to resolve the issue.