Search

Find a vulnerability

Search criteria

    30 vulnerabilities by LY Corporation

    CVE-2026-11748 (GCVE-0-2026-11748)

    Vulnerability from nvd – Published: 2026-06-22 02:37 – Updated: 2026-06-22 16:12
    VLAI
    Summary
    A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Central Dogma Unaffected: 0.84.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11748",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:11:47.695670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-90",
                    "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:12:07.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-90",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:37:35.370Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11748",
        "datePublished": "2026-06-22T02:37:35.370Z",
        "dateReserved": "2026-06-09T06:50:03.618Z",
        "dateUpdated": "2026-06-22T16:12:07.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11746 (GCVE-0-2026-11746)

    Vulnerability from nvd – Published: 2026-06-22 02:35 – Updated: 2026-06-22 16:13
    VLAI
    Summary
    A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Central Dogma Unaffected: 0.84.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11746",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:12:56.884349Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-798",
                    "description": "CWE-798 Use of Hard-coded Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:13:00.513Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-798",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:35:51.201Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11746",
        "datePublished": "2026-06-22T02:35:51.201Z",
        "dateReserved": "2026-06-09T06:48:47.296Z",
        "dateUpdated": "2026-06-22T16:13:00.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11745 (GCVE-0-2026-11745)

    Vulnerability from nvd – Published: 2026-06-22 02:33 – Updated: 2026-06-22 16:29
    VLAI
    Summary
    A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Central Dogma Unaffected: 0.84.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11745",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:29:39.280352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-322",
                    "description": "CWE-322 Key Exchange without Entity Authentication",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:29:43.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-322",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:33:08.952Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11745",
        "datePublished": "2026-06-22T02:33:08.952Z",
        "dateReserved": "2026-06-09T06:46:10.431Z",
        "dateUpdated": "2026-06-22T16:29:43.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11752 (GCVE-0-2026-11752)

    Vulnerability from nvd – Published: 2026-06-19 04:29 – Updated: 2026-06-22 14:57
    VLAI
    Summary
    A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Armeria Affected: 1.38.0 , < 1.40.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T14:57:29.287769Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T14:57:40.093Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Armeria",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "1.40.0",
                  "status": "affected",
                  "version": "1.38.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-73",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T05:48:43.989Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11752",
        "datePublished": "2026-06-19T04:29:31.970Z",
        "dateReserved": "2026-06-09T06:50:06.220Z",
        "dateUpdated": "2026-06-22T14:57:40.093Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3861 (GCVE-0-2026-3861)

    Vulnerability from nvd – Published: 2026-04-16 05:54 – Updated: 2026-05-22 05:00
    VLAI
    Summary
    LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    LY Corporation LINE client for iOS Unaffected: 26.3.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3861",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T12:16:15.191045Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-451",
                    "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T12:31:11.953Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "LINE client for iOS",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "cvssV4_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T05:00:53.312Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://hackerone.com/reports/3422905"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-3861",
        "datePublished": "2026-04-16T05:54:05.194Z",
        "dateReserved": "2026-03-10T05:02:39.735Z",
        "dateUpdated": "2026-05-22T05:00:53.312Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-41408 (GCVE-0-2025-41408)

    Vulnerability from nvd – Published: 2025-09-05 05:25 – Updated: 2025-09-05 13:45
    VLAI
    Summary
    Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-939 - Improper authorization in handler for custom URL scheme
    Assigner
    References
    Impacted products
    Vendor Product Version
    LY Corporation "Yahoo! Shopping" App for Android Affected: versions prior to 14.15.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-41408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-05T13:38:02.982750Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-05T13:45:13.400Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "\"Yahoo! Shopping\" App for Android",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 14.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper authorization in handler for custom URL scheme issue in \"Yahoo! Shopping\" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-939",
                  "description": "Improper authorization in handler for custom URL scheme",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-05T05:25:15.422Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://jvn.jp/en/jp/JVN35290164/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-41408",
        "datePublished": "2025-09-05T05:25:15.422Z",
        "dateReserved": "2025-08-29T01:43:32.740Z",
        "dateUpdated": "2025-09-05T13:45:13.400Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28895 (GCVE-0-2024-28895)

    Vulnerability from nvd – Published: 2024-04-01 00:16 – Updated: 2024-11-06 20:45
    VLAI
    Summary
    'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via other app installed on the user's device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28895",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-01T20:03:28.170849Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-06T20:45:53.363Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:03:50.243Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN23528780/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "\u0027Yahoo! JAPAN\u0027 App for Android",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.1 to v3.161.1"
                }
              ]
            },
            {
              "product": "\u0027Yahoo! JAPAN\u0027 App for iOS",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "v3.2.2 to v4.109.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "\u0027Yahoo! JAPAN\u0027 App for Android v2.3.1 to v3.161.1 and \u0027Yahoo! JAPAN\u0027 App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of \u0027Yahoo! JAPAN\u0027 App via other app installed on the user\u0027s device."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-01T00:16:08.562Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://jvn.jp/en/jp/JVN23528780/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-28895",
        "datePublished": "2024-04-01T00:16:08.562Z",
        "dateReserved": "2024-03-13T00:41:43.890Z",
        "dateUpdated": "2024-11-06T20:45:53.363Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-11748 (GCVE-0-2026-11748)

    Vulnerability from cvelistv5 – Published: 2026-06-22 02:37 – Updated: 2026-06-22 16:12
    VLAI
    Summary
    A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Central Dogma Unaffected: 0.84.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11748",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:11:47.695670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-90",
                    "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:12:07.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-90",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:37:35.370Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11748",
        "datePublished": "2026-06-22T02:37:35.370Z",
        "dateReserved": "2026-06-09T06:50:03.618Z",
        "dateUpdated": "2026-06-22T16:12:07.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11746 (GCVE-0-2026-11746)

    Vulnerability from cvelistv5 – Published: 2026-06-22 02:35 – Updated: 2026-06-22 16:13
    VLAI
    Summary
    A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Central Dogma Unaffected: 0.84.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11746",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:12:56.884349Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-798",
                    "description": "CWE-798 Use of Hard-coded Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:13:00.513Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-798",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:35:51.201Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11746",
        "datePublished": "2026-06-22T02:35:51.201Z",
        "dateReserved": "2026-06-09T06:48:47.296Z",
        "dateUpdated": "2026-06-22T16:13:00.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11745 (GCVE-0-2026-11745)

    Vulnerability from cvelistv5 – Published: 2026-06-22 02:33 – Updated: 2026-06-22 16:29
    VLAI
    Summary
    A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Central Dogma Unaffected: 0.84.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11745",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:29:39.280352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-322",
                    "description": "CWE-322 Key Exchange without Entity Authentication",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:29:43.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-322",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:33:08.952Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11745",
        "datePublished": "2026-06-22T02:33:08.952Z",
        "dateReserved": "2026-06-09T06:46:10.431Z",
        "dateUpdated": "2026-06-22T16:29:43.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11752 (GCVE-0-2026-11752)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:29 – Updated: 2026-06-22 14:57
    VLAI
    Summary
    A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    LY Corporation Armeria Affected: 1.38.0 , < 1.40.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11752",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T14:57:29.287769Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T14:57:40.093Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Armeria",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "1.40.0",
                  "status": "affected",
                  "version": "1.38.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-73",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T05:48:43.989Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11752",
        "datePublished": "2026-06-19T04:29:31.970Z",
        "dateReserved": "2026-06-09T06:50:06.220Z",
        "dateUpdated": "2026-06-22T14:57:40.093Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3861 (GCVE-0-2026-3861)

    Vulnerability from cvelistv5 – Published: 2026-04-16 05:54 – Updated: 2026-05-22 05:00
    VLAI
    Summary
    LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    LY Corporation LINE client for iOS Unaffected: 26.3.0 , < * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3861",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-16T12:16:15.191045Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-451",
                    "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-16T12:31:11.953Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "LINE client for iOS",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "26.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "cvssV4_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T05:00:53.312Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://hackerone.com/reports/3422905"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-3861",
        "datePublished": "2026-04-16T05:54:05.194Z",
        "dateReserved": "2026-03-10T05:02:39.735Z",
        "dateUpdated": "2026-05-22T05:00:53.312Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-41408 (GCVE-0-2025-41408)

    Vulnerability from cvelistv5 – Published: 2025-09-05 05:25 – Updated: 2025-09-05 13:45
    VLAI
    Summary
    Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-939 - Improper authorization in handler for custom URL scheme
    Assigner
    References
    Impacted products
    Vendor Product Version
    LY Corporation "Yahoo! Shopping" App for Android Affected: versions prior to 14.15.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-41408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-05T13:38:02.982750Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-05T13:45:13.400Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "\"Yahoo! Shopping\" App for Android",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 14.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper authorization in handler for custom URL scheme issue in \"Yahoo! Shopping\" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-939",
                  "description": "Improper authorization in handler for custom URL scheme",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-05T05:25:15.422Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://jvn.jp/en/jp/JVN35290164/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-41408",
        "datePublished": "2025-09-05T05:25:15.422Z",
        "dateReserved": "2025-08-29T01:43:32.740Z",
        "dateUpdated": "2025-09-05T13:45:13.400Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-28895 (GCVE-0-2024-28895)

    Vulnerability from cvelistv5 – Published: 2024-04-01 00:16 – Updated: 2024-11-06 20:45
    VLAI
    Summary
    'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via other app installed on the user's device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28895",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-01T20:03:28.170849Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-06T20:45:53.363Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:03:50.243Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN23528780/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "\u0027Yahoo! JAPAN\u0027 App for Android",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.1 to v3.161.1"
                }
              ]
            },
            {
              "product": "\u0027Yahoo! JAPAN\u0027 App for iOS",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "v3.2.2 to v4.109.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "\u0027Yahoo! JAPAN\u0027 App for Android v2.3.1 to v3.161.1 and \u0027Yahoo! JAPAN\u0027 App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of \u0027Yahoo! JAPAN\u0027 App via other app installed on the user\u0027s device."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-01T00:16:08.562Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://jvn.jp/en/jp/JVN23528780/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-28895",
        "datePublished": "2024-04-01T00:16:08.562Z",
        "dateReserved": "2024-03-13T00:41:43.890Z",
        "dateUpdated": "2024-11-06T20:45:53.363Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2025-000071

    Vulnerability from jvndb - Published: 2025-09-05 15:12 - Updated:2025-09-05 15:12
    Severity
    Summary
    "Yahoo! Shopping" App for Android fails to restrict custom URL schemes properly
    Details
    "Yahoo! Shopping" App for Android provided by LY Corporation contains the following vulnerability.
    • Improper authorization in handler for custom URL scheme (CWE-939) - CVE-2025-41408
    Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000071.html",
      "dc:date": "2025-09-05T15:12+09:00",
      "dcterms:issued": "2025-09-05T15:12+09:00",
      "dcterms:modified": "2025-09-05T15:12+09:00",
      "description": "\"Yahoo! Shopping\" App for Android provided by LY Corporation contains the following vulnerability.\u003cul\u003e\u003cli\u003eImproper authorization in handler for custom URL scheme (CWE-939) - CVE-2025-41408\u003c/li\u003e\u003c/ul\u003eShiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000071.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:yahooshopappforandroid",
        "@product": "\"Yahoo! Shopping\" App for Android",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "4.3",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-000071",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN35290164/index.html",
          "@id": "JVN#35290164",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41408",
          "@id": "CVE-2025-41408",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "\"Yahoo! Shopping\" App for Android fails to restrict custom URL schemes properly"
    }

    JVNDB-2024-003699

    Vulnerability from jvndb - Published: 2024-06-24 11:05 - Updated:2024-06-24 11:05
    Severity
    Summary
    LINE client for iOS vulnerable to universal cross-site scripting
    Details
    The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability (CWE-79, CVE-2024-5739). LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003699.html",
      "dc:date": "2024-06-24T11:05+09:00",
      "dcterms:issued": "2024-06-24T11:05+09:00",
      "dcterms:modified": "2024-06-24T11:05+09:00",
      "description": "The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability (CWE-79, CVE-2024-5739).\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003699.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "6.1",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-003699",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU91384468/index.html",
          "@id": "JVNVU#91384468",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-5739",
          "@id": "CVE-2024-5739",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "LINE client for iOS vulnerable to universal cross-site scripting"
    }

    JVNDB-2024-002342

    Vulnerability from jvndb - Published: 2024-05-13 17:27 - Updated:2024-05-13 17:27
    Severity
    Summary
    Central Dogma vulnerable to cross-site scripting
    Details
    Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79, CVE-2024-1143) because RelayState data is not properly treated when Central Dogma processes SAML messages. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002342.html",
      "dc:date": "2024-05-13T17:27+09:00",
      "dcterms:issued": "2024-05-13T17:27+09:00",
      "dcterms:modified": "2024-05-13T17:27+09:00",
      "description": "Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79, CVE-2024-1143) because RelayState data is not properly treated when Central Dogma processes SAML messages.\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002342.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:central_dogma",
        "@product": "Central Dogma",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "9.3",
        "@severity": "Critical",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-002342",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU99669446/index.html",
          "@id": "JVNVU#99669446",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-1143",
          "@id": "CVE-2024-1143",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2024-1143",
          "@id": "CVE-2024-1143",
          "@source": "NVD"
        },
        {
          "#text": "https://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8196_1983180497",
          "@id": "SAML v2.0 Errata 05, E90: RelayState sanitization",
          "@source": "Related document"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "Central Dogma vulnerable to cross-site scripting"
    }

    JVNDB-2024-003108

    Vulnerability from jvndb - Published: 2024-04-22 17:28 - Updated:2024-04-22 17:28
    Severity
    Summary
    Armeria-saml improperly handles SAML messages
    Details
    Armeria-saml provided by LY Corporation contains an issue in handling SAML messages (CWE-304, CVE-2024-1735). LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003108.html",
      "dc:date": "2024-04-22T17:28+09:00",
      "dcterms:issued": "2024-04-22T17:28+09:00",
      "dcterms:modified": "2024-04-22T17:28+09:00",
      "description": "Armeria-saml provided by LY Corporation contains an issue in handling SAML messages (CWE-304, CVE-2024-1735).\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003108.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:armeria-saml",
        "@product": "Armeria-saml",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "9.1",
        "@severity": "Critical",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-003108",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU91216202/index.html",
          "@id": "JVNVU#91216202",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-1735",
          "@id": "CVE-2024-1735",
          "@source": "CVE"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/304.html",
          "@id": "CWE-304",
          "@title": "Missing Critical Step in Authentication(CWE-304)"
        }
      ],
      "title": "Armeria-saml improperly handles SAML messages"
    }

    JVNDB-2023-014491

    Vulnerability from jvndb - Published: 2024-04-22 15:27 - Updated:2024-04-22 15:27
    Severity
    Summary
    LINE client for iOS vulnerable to improper server certificate verification
    Details
    The financial module within LINE client for iOS lacks server certificate verification in log transmission (CWE-295, CVE-2023-5554). LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-014491.html",
      "dc:date": "2024-04-22T15:27+09:00",
      "dcterms:issued": "2024-04-22T15:27+09:00",
      "dcterms:modified": "2024-04-22T15:27+09:00",
      "description": "The financial module within LINE client for iOS lacks server certificate verification in log transmission (CWE-295, CVE-2023-5554).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-014491.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "4.8",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2023-014491",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU91696361/index.html",
          "@id": "JVNVU#91696361",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-5554",
          "@id": "CVE-2023-5554",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-5554",
          "@id": "CVE-2023-5554",
          "@source": "NVD"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/295.html",
          "@id": "CWE-295",
          "@title": "Improper Certificate Validation(CWE-295)"
        }
      ],
      "title": "LINE client for iOS vulnerable to improper server certificate verification"
    }

    JVNDB-2024-000036

    Vulnerability from jvndb - Published: 2024-03-29 13:28 - Updated:2024-03-29 13:28
    Severity
    Summary
    "Yahoo! JAPAN" App vulnerable to cross-site scripting
    Details
    "Yahoo! JAPAN" App provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79). Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000036.html",
      "dc:date": "2024-03-29T13:28+09:00",
      "dcterms:issued": "2024-03-29T13:28+09:00",
      "dcterms:modified": "2024-03-29T13:28+09:00",
      "description": "\"Yahoo! JAPAN\" App provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nShiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000036.html",
      "sec:cpe": [
        {
          "#text": "cpe:/a:linecorp:yahoo%21_japan",
          "@product": "Yahoo! JAPAN",
          "@vendor": "LY Corporation",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:linecorp:yahoo%21_japan",
          "@product": "Yahoo! JAPAN",
          "@vendor": "LY Corporation",
          "@version": "2.2"
        }
      ],
      "sec:cvss": [
        {
          "@score": "4.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "5.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2024-000036",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN23528780/index.html",
          "@id": "JVN#23528780",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-28895",
          "@id": "CVE-2024-28895",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "\"Yahoo! JAPAN\" App vulnerable to cross-site scripting"
    }

    JVNDB-2019-000060

    Vulnerability from jvndb - Published: 2019-09-19 17:59 - Updated:2019-10-18 15:17
    Severity
    Summary
    Multiple integer overflow vulnerabilities in LINE(Android)
    Details
    LINE(Android) provided by LINE Corporation contains multiple integer overflow vulnerabilities (CWE-190) listed below. * Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007 * Integer overflow vulnerability in processing images - CVE-2019-6010 LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000060.html",
      "dc:date": "2019-10-18T15:17+09:00",
      "dcterms:issued": "2019-09-19T17:59+09:00",
      "dcterms:modified": "2019-10-18T15:17+09:00",
      "description": "LINE(Android) provided by LINE Corporation contains multiple integer overflow vulnerabilities (CWE-190) listed below.\r\n* Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007 \r\n* Integer overflow vulnerability in processing images - CVE-2019-6010\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000060.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "6.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2019-000060",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN97845465/index.html",
          "@id": "JVN#97845465",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6007",
          "@id": "CVE-2019-6007",
          "@source": "CVE"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6010",
          "@id": "CVE-2019-6010",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6007",
          "@id": "CVE-2019-6007",
          "@source": "NVD"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6010",
          "@id": "CVE-2019-6010",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-189",
          "@title": "Numeric Errors(CWE-189)"
        }
      ],
      "title": "Multiple integer overflow vulnerabilities in LINE(Android)"
    }

    JVNDB-2019-000059

    Vulnerability from jvndb - Published: 2019-09-12 13:55 - Updated:2019-10-18 15:23
    Severity
    Summary
    apng-drawable vulnerable to integer overflow
    Details
    apng-drawable provided by LINE Corporation contains an integer overflow vulnerability (CWE-190). LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000059.html",
      "dc:date": "2019-10-18T15:23+09:00",
      "dcterms:issued": "2019-09-12T13:55+09:00",
      "dcterms:modified": "2019-10-18T15:23+09:00",
      "description": "apng-drawable provided by LINE Corporation contains an integer overflow vulnerability (CWE-190).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000059.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:apng-drawable",
        "@product": "apng-drawable",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "5.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2019-000059",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN39383894/index.html",
          "@id": "JVN#39383894",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6007",
          "@id": "CVE-2019-6007",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6007",
          "@id": "CVE-2019-6007",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-189",
          "@title": "Numeric Errors(CWE-189)"
        }
      ],
      "title": "apng-drawable vulnerable to integer overflow"
    }

    JVNDB-2019-000050

    Vulnerability from jvndb - Published: 2019-07-31 15:29 - Updated:2019-10-04 16:37
    Severity
    Summary
    Central Dogma vulnerable to cross-site scripting
    Details
    Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79). LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html",
      "dc:date": "2019-10-04T16:37+09:00",
      "dcterms:issued": "2019-07-31T15:29+09:00",
      "dcterms:modified": "2019-10-04T16:37+09:00",
      "description": "Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:central_dogma",
        "@product": "Central Dogma",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "4.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2019-000050",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN94889214/index.html",
          "@id": "JVN#94889214",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6002",
          "@id": "CVE-2019-6002",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6002",
          "@id": "CVE-2019-6002",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "Central Dogma vulnerable to cross-site scripting"
    }

    JVNDB-2018-000063

    Vulnerability from jvndb - Published: 2018-06-12 14:44 - Updated:2018-06-12 14:44
    Severity
    Summary
    LINE for Windows may insecurely load Dynamic Link Libraries
    Details
    LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software. If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries (CWE-427). LINE Corporation reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000063.html",
      "dc:date": "2018-06-12T14:44+09:00",
      "dcterms:issued": "2018-06-12T14:44+09:00",
      "dcterms:modified": "2018-06-12T14:44+09:00",
      "description": "LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software.\r\n If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries (CWE-427).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000063.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.8",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2018-000063",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN92265618/index.html",
          "@id": "JVN#92265618",
          "@source": "JVN"
        },
        {
          "#text": "https://jvn.jp/en/ta/JVNTA91240916/",
          "@id": "JVNTA#91240916",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0609",
          "@id": "CVE-2018-0609",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0609",
          "@id": "CVE-2018-0609",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "LINE for Windows may insecurely load Dynamic Link Libraries"
    }

    JVNDB-2018-000016

    Vulnerability from jvndb - Published: 2018-02-22 15:29 - Updated:2018-06-14 12:23
    Severity
    Summary
    LINE for iOS fails to verify SSL server certificates
    Details
    LINE for iOS provided by LINE Corporation fails to verify SSL server certificates due to the vulnerability existed in the Third Party SDK which is incorporated in the application. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000016.html",
      "dc:date": "2018-06-14T12:23+09:00",
      "dcterms:issued": "2018-02-22T15:29+09:00",
      "dcterms:modified": "2018-06-14T12:23+09:00",
      "description": "LINE for iOS provided by LINE Corporation fails to verify SSL server certificates due to the vulnerability existed in the Third Party SDK which is incorporated in the application.\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000016.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "4.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "4.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2018-000016",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN75453852/index.html",
          "@id": "JVN#75453852",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0518",
          "@id": "CVE-2018-0518",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0518",
          "@id": "CVE-2018-0518",
          "@source": "NVD"
        }
      ],
      "title": "LINE for iOS fails to verify SSL server certificates"
    }

    JVNDB-2016-000153

    Vulnerability from jvndb - Published: 2016-08-25 14:26 - Updated:2017-05-23 14:28
    Severity
    Summary
    LINE for Windows fails to properly verify downloaded files
    Details
    The auto update function in LINE for Windows provided by LINE Corporation contains a vulnerability where downloaded files are not properly verified. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000153.html",
      "dc:date": "2017-05-23T14:28+09:00",
      "dcterms:issued": "2016-08-25T14:26+09:00",
      "dcterms:modified": "2017-05-23T14:28+09:00",
      "description": "The auto update function in LINE for Windows provided by LINE Corporation contains a vulnerability where downloaded files are not properly verified.\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000153.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "5.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "8.1",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2016-000153",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN05924524/index.html",
          "@id": "JVN#05924524",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4850",
          "@id": "CVE-2016-4850",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-4850",
          "@id": "CVE-2016-4850",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-noinfo",
          "@title": "No Mapping(CWE-noinfo)"
        }
      ],
      "title": "LINE for Windows fails to properly verify downloaded files"
    }

    JVNDB-2016-000123

    Vulnerability from jvndb - Published: 2016-07-08 14:29 - Updated:2016-08-19 17:44
    Severity
    Summary
    LINE for Windows may insecurely load Dynamic Link Libraries
    Details
    LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000123.html",
      "dc:date": "2016-08-19T17:44+09:00",
      "dcterms:issued": "2016-07-08T14:29+09:00",
      "dcterms:modified": "2016-08-19T17:44+09:00",
      "description": "LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000123.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "7.8",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2016-000123",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN51565015/index.html",
          "@id": "JVN#51565015",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4831",
          "@id": "CVE-2016-4831",
          "@source": "CVE"
        },
        {
          "#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4831",
          "@id": "CVE-2016-4831",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "LINE for Windows may insecurely load Dynamic Link Libraries"
    }

    JVNDB-2016-000029

    Vulnerability from jvndb - Published: 2016-02-19 14:43 - Updated:2016-03-10 17:39
    Severity
    Summary
    LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)
    Details
    LINE for Windows and LINE for Mac OS contain a denial-of-service (DoS) vulnerability due to an issue in displaying the Timeline. Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000029.html",
      "dc:date": "2016-03-10T17:39+09:00",
      "dcterms:issued": "2016-02-19T14:43+09:00",
      "dcterms:modified": "2016-03-10T17:39+09:00",
      "description": "LINE for Windows and LINE for Mac OS contain a denial-of-service (DoS) vulnerability due to an issue in displaying the Timeline.\r\n\r\nJun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000029.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "4.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "@version": "2.0"
        },
        {
          "@score": "3.5",
          "@severity": "Low",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2016-000029",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN46044093/index.html",
          "@id": "JVN#46044093",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1156",
          "@id": "CVE-2016-1156",
          "@source": "CVE"
        },
        {
          "#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1156",
          "@id": "CVE-2016-1156",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-noinfo",
          "@title": "No Mapping(CWE-noinfo)"
        }
      ],
      "title": "LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)"
    }

    JVNDB-2015-000095

    Vulnerability from jvndb - Published: 2015-07-10 14:50 - Updated:2024-05-09 18:05
    Severity
    N/A (UNKNOWN) - -
    Summary
    LINE@ vulnerable to script injection
    Details
    LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker. Kenta Suefusa, Nobuaki Nakazawa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000095.html",
      "dc:date": "2024-05-09T18:05+09:00",
      "dcterms:issued": "2015-07-10T14:50+09:00",
      "dcterms:modified": "2024-05-09T18:05+09:00",
      "description": "LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.\r\n\r\nKenta Suefusa, Nobuaki Nakazawa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000095.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line%40",
        "@product": "LINE@",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "5.1",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
        "@version": "2.0"
      },
      "sec:identifier": "JVNDB-2015-000095",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN22546110/index.html",
          "@id": "JVN#22546110",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2968",
          "@id": "CVE-2015-2968",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2015-2968",
          "@id": "CVE-2015-2968",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-DesignError",
          "@title": "No Mapping(CWE-DesignError)"
        }
      ],
      "title": "LINE@ vulnerable to script injection"
    }

    JVNDB-2015-000040

    Vulnerability from jvndb - Published: 2015-03-20 16:16 - Updated:2024-05-09 18:15
    Severity
    N/A (UNKNOWN) - -
    Summary
    LINE vulnerable to script injection
    Details
    LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker. Kenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000040.html",
      "dc:date": "2024-05-09T18:15+09:00",
      "dcterms:issued": "2015-03-20T16:16+09:00",
      "dcterms:modified": "2024-05-09T18:15+09:00",
      "description": "LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.\r\n\r\nKenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000040.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:line",
        "@product": "LINE",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "5.1",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
        "@version": "2.0"
      },
      "sec:identifier": "JVNDB-2015-000040",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN41281927/index.html",
          "@id": "JVN#41281927",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0897",
          "@id": "CVE-2015-0897",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2015-0897",
          "@id": "CVE-2015-0897",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-DesignError",
          "@title": "No Mapping(CWE-DesignError)"
        }
      ],
      "title": "LINE vulnerable to script injection"
    }