Shiga Takuma

**Name of the Vulnerable Software and Affected Versions** Yahoo! Shopping App for Android versions prior to 14.15.0 **Description** Improper authorization in the handler for a custom URL scheme in the Yahoo! Shopping App for Android may allow a remote, unauthenticated attacker to redirect a user to an arbitrary website. This could result in a phishing attack. **Recommendations** Update the Yahoo! Shopping App for Android to version 14.15.0 or later.

**Name of the Vulnerable Software and Affected Versions** Rakuten Ichiba App for Android versions 12.4.0 and earlier Rakuten Ichiba App for iOS versions 11.7.0 and earlier **Description** The issue concerns improper authorization in the handler for the custom URL scheme, allowing an arbitrary site to be displayed on the WebView of the product via Intent from another application installed on the user's device. This could result in the user being redirected to an unauthorized site, potentially leading to a phishing attack. **Recommendations** For Rakuten Ichiba App for Android versions 12.4.0 and earlier, update to a version later than 12.4.0 to resolve the issue. For Rakuten Ichiba App for iOS versions 11.7.0 and earlier, update to a version later than 11.7.0 to resolve the issue. As a temporary workaround, consider restricting the use of custom URL schemes in the app to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Yahoo! JAPAN App for Android versions 2.3.1 through 3.161.1 Yahoo! JAPAN App for iOS versions 3.2.2 through 4.109.0 **Description** The issue is related to a cross-site scripting vulnerability. If exploited, an arbitrary script may be executed on the WebView of the Yahoo! JAPAN App via another app installed on the user's device. **Recommendations** For Yahoo! JAPAN App for Android versions 2.3.1 through 3.161.1, update to a version outside of this range to resolve the issue. For Yahoo! JAPAN App for iOS versions 3.2.2 through 4.109.0, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ABEMA App for Android versions prior to 10.65.0 **Description** The issue exists due to the improper export of Android application components, allowing another app installed on the user's device to access an arbitrary URL on the ABEMA App for Android via Intent. If exploited, an arbitrary website may be displayed on the app, potentially leading to phishing attacks. **Recommendations** For versions prior to 10.65.0, update to version 10.65.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of Intents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mercari App for Android versions prior to 5.78.0 **Description** The issue is related to improper authorization in the handler for a custom URL scheme, allowing a remote attacker to lead a user to access an arbitrary website via the vulnerable App, potentially resulting in a phishing attack. **Recommendations** For Mercari App for Android versions prior to 5.78.0, update to version 5.78.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom URL schemes within the App to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Drupal (affected versions not specified) **Description** The issue is related to improper handling of structural elements, which can lead to a denial-of-service (DoS) condition if exploited by an attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GROWI versions prior to v6.0.0 **Description** A stored cross-site scripting issue exists in the event handlers of the `pre` tags. If exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. **Recommendations** For GROWI versions prior to v6.0.0, update to version v6.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the event handlers of the `pre` tags until a patch is available. Restrict access to the `pre` tags to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 4.6.0 through 4.7.6 **Description** The issue is related to a Code Injection vulnerability in the mail form of baserCMS, a website development framework. This vulnerability allows malicious code to be executed in the Mail Form Feature. **Recommendations** For versions 4.6.0 through 4.7.6, update to the latest version of baserCMS to resolve the issue. As a temporary workaround, consider restricting access to the mail form feature in baserCMS until a patch is available.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions prior to 4.8.0 **Description** The issue is related to a cross-site scripting vulnerability in the file upload feature of baserCMS. This vulnerability may allow malicious code to be executed. The management system is affected when used by an unspecified number of users. **Recommendations** For versions prior to 4.8.0, update to version 4.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions prior to 4.8.0 **Description** The issue concerns a Directory Traversal Vulnerability in the form submission data management feature of baserCMS. This vulnerability could allow a logged-in user to obtain information on the server. The estimated number of potentially affected devices is not specified, and there is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 4.8.0, update to version 4.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the form submission data management feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions prior to 4.8.0 **Description** The issue is related to a cross-site request forgery vulnerability in the content preview feature of baserCMS. This vulnerability may allow malicious code to be executed. The vulnerability is particularly relevant when the management system is used by multiple users. **Recommendations** Update to version 4.8.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the content preview feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** pgAdmin 4 versions prior to v6.14 **Description** The issue allows a remote unauthenticated attacker to redirect a user to an arbitrary web site, potentially conducting a phishing attack by having the user access a specially crafted URL. **Recommendations** For versions prior to v6.14, update to version v6.14 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Movable Type versions 7 r.5301 and earlier Movable Type Advanced versions 7 r.5301 and earlier Movable Type versions 6.8.7 and earlier Movable Type Advanced versions 6.8.7 and earlier Movable Type Premium version 1.53 and earlier Movable Type Premium Advanced version 1.53 and earlier **Description** A cross-site scripting issue allows a remote unauthenticated attacker to inject an arbitrary script. **Recommendations** For Movable Type versions 7 r.5301 and earlier, update to a version later than 7 r.5301. For Movable Type Advanced versions 7 r.5301 and earlier, update to a version later than 7 r.5301. For Movable Type versions 6.8.7 and earlier, update to a version later than 6.8.7. For Movable Type Advanced versions 6.8.7 and earlier, update to a version later than 6.8.7. For Movable Type Premium version 1.53 and earlier, update to a version later than 1.53. For Movable Type Premium Advanced version 1.53 and earlier, update to a version later than 1.53.

**Name of the Vulnerable Software and Affected Versions** Movable Type versions 7 r.5301 and earlier Movable Type Advanced versions 7 r.5301 and earlier Movable Type versions 6.8.7 and earlier Movable Type Advanced versions 6.8.7 and earlier Movable Type Premium versions 1.53 and earlier Movable Type Premium Advanced versions 1.53 and earlier **Description** The issue is related to improper validation of syntactic correctness of input, which can be exploited by a remote unauthenticated attacker. By having a user access a specially crafted URL, an attacker may set a specially crafted URL to the Reset Password page, allowing them to conduct a phishing attack. **Recommendations** For Movable Type versions 7 r.5301 and earlier, update to a version later than r.5301. For Movable Type Advanced versions 7 r.5301 and earlier, update to a version later than r.5301. For Movable Type versions 6.8.7 and earlier, update to a version later than 6.8.7. For Movable Type Advanced versions 6.8.7 and earlier, update to a version later than 6.8.7. For Movable Type Premium versions 1.53 and earlier, update to a version later than 1.53. For Movable Type Premium Advanced versions 1.53 and earlier, update to a version later than 1.53.

**Name of the Vulnerable Software and Affected Versions** SHIRASAGI versions 1.14.4 through 1.15.0 **Description** The issue allows a remote unauthenticated attacker to redirect users to an arbitrary web site, potentially conducting a phishing attack. **Recommendations** For SHIRASAGI versions 1.14.4 through 1.15.0, consider restricting access to sensitive features until a patch is available. As a temporary workaround, avoid using links from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SHIRASAGI versions prior to v1.16.2 **Description** A stored cross-site scripting issue allows a remote authenticated attacker with administrative privileges to inject an arbitrary script. **Recommendations** For versions prior to v1.16.2, update to version v1.16.2 or later to resolve the issue.