Toshitsugu Yoneyama

Researcher from Mitsui Bussan Secure Directions, Inc.
#470 of 53,635
366.6 Total CVSS
Vulnerabilities · 55
Low: 3 · Medium: 31 · High: 19 · Critical: 2
PT-2021-14139
6.1
2021-04-26
Nec · Nec Aterm W500P · CVE-2021-20680
**Name of the Vulnerable Software and Affected Versions**

- NEC Aterm WG1900HP2 versions 1.3.1 and earlier
- NEC Aterm WG1900HP versions 2.5.1 and earlier
- NEC Aterm WG1800HP4 versions 1.3.1 and earlier
- NEC Aterm WG1800HP3 versions 1.5.1 and earlier
- NEC Aterm WG1200HS2 versions 2.5.0 and earlier
- NEC Aterm WG1200HP3 versions 1.3.1 and earlier
- NEC Aterm WG1200HP2 versions 2.5.0 and earlier
- NEC Aterm W1200EX versions 1.3.1 and earlier
- NEC Aterm W1200EX-MS versions 1.3.1 and earlier
- NEC Aterm WG1200HS all versions
- NEC Aterm WG1200HP all versions
- NEC Aterm WF800HP all versions
- NEC Aterm WF300HP2 all versions
- NEC Aterm WR8165N all versions
- NEC Aterm W500P all versions
- NEC Aterm W300P all versions

**Description**

A cross-site scripting issue in NEC Aterm devices allows remote attackers to inject arbitrary script or HTML via unspecified vectors.

**Recommendations**

- For NEC Aterm WG1900HP2 versions 1.3.1 and earlier, update to a version later than 1.3.1.
- For NEC Aterm WG1900HP versions 2.5.1 and earlier, update to a version later than 2.5.1.
- For NEC Aterm WG1800HP4 versions 1.3.1 and earlier, update to a version later than 1.3.1.
- For NEC Aterm WG1800HP3 versions 1.5.1 and earlier, update to a version later than 1.5.1.
- For NEC Aterm WG1200HS2 versions 2.5.0 and earlier, update to a version later than 2.5.0.
- For NEC Aterm WG1200HP3 versions 1.3.1 and earlier, update to a version later than 1.3.1.
- For NEC Aterm WG1200HP2 versions 2.5.0 and earlier, update to a version later than 2.5.0.
- For NEC Aterm W1200EX versions 1.3.1 and earlier, update to a version later than 1.3.1.
- For NEC Aterm W1200EX-MS versions 1.3.1 and earlier, update to a version later than 1.3.1.
- For NEC Aterm WG1200HS all versions, NEC Aterm WG1200HP all versions, NEC Aterm WF800HP all versions, NEC Aterm WF300HP2 all versions, NEC Aterm WR8165N all versions, NEC Aterm W500P all versions, and NEC Aterm W300P all versions, at the moment, there is no information about a newer version that contains a fix for this issue.

PT-2020-18549
5.3
2020-05-14
Six Apart · Movable Type Premium Advanced · CVE-2020-5574
**Name of the Vulnerable Software and Affected Versions**

- Movable Type versions prior to 7.2.1
- Movable Type Advanced versions prior to 7.2.1
- Movable Type for AWS versions prior to 7.2.1
- Movable Type 6.5 versions prior to 6.5.3
- Movable Type Advanced 6.5 versions prior to 6.5.3
- Movable Type 6.3 versions prior to 6.3.11
- Movable Type Advanced 6.3 versions prior to 6.3.11
- Movable Type Premium versions prior to 1.29
- Movable Type Premium Advanced versions prior to 1.29

**Description**

The issue allows remote attackers to inject arbitrary HTML attribute values via unspecified vectors. This can potentially lead to malicious activities.

**Recommendations**

- For Movable Type versions prior to 7.2.1, update to version 7.2.1 or later.
- For Movable Type Advanced versions prior to 7.2.1, update to version 7.2.1 or later.
- For Movable Type for AWS versions prior to 7.2.1, update to version 7.2.1 or later.
- For Movable Type 6.5 versions prior to 6.5.3, update to version 6.5.3 or later.
- For Movable Type Advanced 6.5 versions prior to 6.5.3, update to version 6.5.3 or later.
- For Movable Type 6.3 versions prior to 6.3.11, update to version 6.3.11 or later.
- For Movable Type Advanced 6.3 versions prior to 6.3.11, update to version 6.3.11 or later.
- For Movable Type Premium versions prior to 1.29, update to version 1.29 or later.
- For Movable Type Premium Advanced versions prior to 1.29, update to version 1.29 or later.

PT-2020-1508
8.1
2020-01-15
Juniper Networks · Junos · CVE-2020-1606
**Name of the Vulnerable Software and Affected Versions**

- Junos OS versions 12.3 prior to 12.3R12-S13
- Junos OS versions 12.3X48 prior to 12.3X48-D85
- Junos OS versions 14.1X53 prior to 14.1X53-D51
- Junos OS versions 15.1F6 prior to 15.1F6-S13
- Junos OS versions 15.1 prior to 15.1R7-S5
- Junos OS versions 15.1X49 prior to 15.1X49-D180
- Junos OS versions 15.1X53 prior to 15.1X53-D238
- Junos OS versions 16.1 prior to 16.1R4-S13, 16.1R7-S5
- Junos OS versions 16.2 prior to 16.2R2-S10
- Junos OS versions 17.1 prior to 17.1R3-S1
- Junos OS versions 17.2 prior to 17.2R1-S9, 17.2R3-S2
- Junos OS versions 17.3 prior to 17.3R2-S5, 17.3R3-S5
- Junos OS versions 17.4 prior to 17.4R2-S9, 17.4R3
- Junos OS versions 18.1 prior to 18.1R3-S8
- Junos OS versions 18.2 prior to 18.2R3
- Junos OS versions 18.3 prior to 18.3R2-S3, 18.3R3
- Junos OS versions 18.4 prior to 18.4R2
- Junos OS versions 19.1 prior to 19.1R1-S4, 19.1R2

**Description**

A path traversal issue exists in Junos OS due to incorrect restriction of directory path names with limited access. This may allow a remote attacker to read files with 'world' readable permission or delete files with 'world' writeable permission. The issue does not affect system files accessible only by the root user.

**Recommendations**

- For Junos OS versions 12.3 prior to 12.3R12-S13, update to version 12.3R12-S13 or later.
- For Junos OS versions 12.3X48 prior to 12.3X48-D85, update to version 12.3X48-D85 or later.
- For Junos OS versions 14.1X53 prior to 14.1X53-D51, update to version 14.1X53-D51 or later.
- For Junos OS versions 15.1F6 prior to 15.1F6-S13, update to version 15.1F6-S13 or later.
- For Junos OS versions 15.1 prior to 15.1R7-S5, update to version 15.1R7-S5 or later.
- For Junos OS versions 15.1X49 prior to 15.1X49-D180, update to version 15.1X49-D180 or later.
- For Junos OS versions 15.1X53 prior to 15.1X53-D238, update to version 15.1X53-D238 or later.
- For Junos OS versions 16.1 prior to 16.1R4-S13, 16.1R7-S5, update to version 16.1R4-S13, 16.1R7-S5 or later.
- For Junos OS versions 16.2 prior to 16.2R2-S10, update to version 16.2R2-S10 or later.
- For Junos OS versions 17.1 prior to 17.1R3-S1, update to version 17.1R3-S1 or later.
- For Junos OS versions 17.2 prior to 17.2R1-S9, 17.2R3-S2, update to version 17.2R1-S9, 17.2R3-S2 or later.
- For Junos OS versions 17.3 prior to 17.3R2-S5, 17.3R3-S5, update to version 17.3R2-S5, 17.3R3-S5 or later.
- For Junos OS versions 17.4 prior to 17.4R2-S9, 17.4R3, update to version 17.4R2-S9, 17.4R3 or later.
- For Junos OS versions 18.1 prior to 18.1R3-S8, update to version 18.1R3-S8 or later.
- For Junos OS versions 18.2 prior to 18.2R3, update to version 18.2R3 or later.
- For Junos OS versions 18.3 prior to 18.3R2-S3, 18.3R3, update to version 18.3R2-S3, 18.3R3 or later.
- For Junos OS versions 18.4 prior to 18.4R2, update to version 18.4R2 or later.
- For Junos OS versions 19.1 prior to 19.1R1-S4, 19.1R2, update to version 19.1R1-S4, 19.1R2 or later.

PT-2020-1829
7.6
2020-01-08
Juniper Networks · Junos · CVE-2020-1607
**Name of the Vulnerable Software and Affected Versions**

- Junos OS versions prior to 12.3R12-S15
- Junos OS 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90
- Junos OS 14.1X53 versions prior to 14.1X53-D51
- Junos OS 15.1F6 versions prior to 15.1F6-S13
- Junos OS 15.1 versions prior to 15.1R7-S5
- Junos OS 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190
- Junos OS 15.1X53 versions prior to 15.1X53-D238
- Junos OS 15.1X53 versions prior to 15.1X53-D592
- Junos OS 16.1 versions prior to 16.1R4-S13, 16.1R7-S5
- Junos OS 16.2 versions prior to 16.2R2-S10
- Junos OS 17.1 versions prior to 17.1R2-S11, 17.1R3-S1
- Junos OS 17.2 versions prior to 17.2R1-S9, 17.2R3-S2
- Junos OS 17.3 versions prior to 17.3R2-S5, 17.3R3-S5
- Junos OS 17.4 versions prior to 17.4R2-S6, 17.4R3
- Junos OS 18.1 versions prior to 18.1R3-S7
- Junos OS 18.2 versions prior to 18.2R2-S5, 18.2R3
- Junos OS 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3
- Junos OS 18.4 versions prior to 18.4R1-S5, 18.4R2
- Junos OS 19.1 versions prior to 19.1R1-S2, 19.1R2

**Description**

The issue is related to insufficient protection against Cross-Site Scripting (XSS) attacks in the J-Web interface of Junos OS. This may allow a remote attacker to inject web script or HTML, hijack the target user's J-Web session, and perform administrative actions on the Junos device as the targeted user.

**Recommendations**

- For Junos OS versions prior to 12.3R12-S15, update to 12.3R12-S15 or later.
- For Junos OS 12.3X48 versions prior to 12.3X48-D86, 12.3X48-D90, update to 12.3X48-D86, 12.3X48-D90 or later.
- For Junos OS 14.1X53 versions prior to 14.1X53-D51, update to 14.1X53-D51 or later.
- For Junos OS 15.1F6 versions prior to 15.1F6-S13, update to 15.1F6-S13 or later.
- For Junos OS 15.1 versions prior to 15.1R7-S5, update to 15.1R7-S5 or later.
- For Junos OS 15.1X49 versions prior to 15.1X49-D181, 15.1X49-D190, update to 15.1X49-D181, 15.1X49-D190 or later.
- For Junos OS 15.1X53 versions prior to 15.1X53-D238, update to 15.1X53-D238 or later.
- For Junos OS 15.1X53 versions prior to 15.1X53-D592, update to 15.1X53-D592 or later.
- For Junos OS 16.1 versions prior to 16.1R4-S13, 16.1R7-S5, update to 16.1R4-S13, 16.1R7-S5 or later.
- For Junos OS 16.2 versions prior to 16.2R2-S10, update to 16.2R2-S10 or later.
- For Junos OS 17.1 versions prior to 17.1R2-S11, 17.1R3-S1, update to 17.1R2-S11, 17.1R3-S1 or later.
- For Junos OS 17.2 versions prior to 17.2R1-S9, 17.2R3-S2, update to 17.2R1-S9, 17.2R3-S2 or later.
- For Junos OS 17.3 versions prior to 17.3R2-S5, 17.3R3-S5, update to 17.3R2-S5, 17.3R3-S5 or later.
- For Junos OS 17.4 versions prior to 17.4R2-S6, 17.4R3, update to 17.4R2-S6, 17.4R3 or later.
- For Junos OS 18.1 versions prior to 18.1R3-S7, update to 18.1R3-S7 or later.
- For Junos OS 18.2 versions prior to 18.2R2-S5, 18.2R3, update to 18.2R2-S5, 18.2R3 or later.
- For Junos OS 18.3 versions prior to 18.3R1-S6, 18.3R2-S1, 18.3R3, update to 18.3R1-S6, 18.3R2-S1, 18.3R3 or later.
- For Junos OS 18.4 versions prior to 18.4R1-S5, 18.4R2, update to 18.4R1-S5, 18.4R2 or later.
- For Junos OS 19.1 versions prior to 19.1R1-S2, 19.1R2, update to 19.1R1-S2, 19.1R2 or later.