Search
Find a vulnerability
Search criteria
30 vulnerabilities by LY Corporation
CVE-2026-11748 (GCVE-0-2026-11748)
Vulnerability from nvd – Published: 2026-06-22 02:37 – Updated: 2026-06-22 16:12
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Central Dogma |
Unaffected:
0.84.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11748",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:11:47.695670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:12:07.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Central Dogma",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.84.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-90",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T02:37:35.370Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11748",
"datePublished": "2026-06-22T02:37:35.370Z",
"dateReserved": "2026-06-09T06:50:03.618Z",
"dateUpdated": "2026-06-22T16:12:07.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11746 (GCVE-0-2026-11746)
Vulnerability from nvd – Published: 2026-06-22 02:35 – Updated: 2026-06-22 16:13
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Central Dogma |
Unaffected:
0.84.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:12:56.884349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:13:00.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Central Dogma",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.84.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-798",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T02:35:51.201Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11746",
"datePublished": "2026-06-22T02:35:51.201Z",
"dateReserved": "2026-06-09T06:48:47.296Z",
"dateUpdated": "2026-06-22T16:13:00.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11745 (GCVE-0-2026-11745)
Vulnerability from nvd – Published: 2026-06-22 02:33 – Updated: 2026-06-22 16:29
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Central Dogma |
Unaffected:
0.84.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:29:39.280352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-322",
"description": "CWE-322 Key Exchange without Entity Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:29:43.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Central Dogma",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.84.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-322",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T02:33:08.952Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11745",
"datePublished": "2026-06-22T02:33:08.952Z",
"dateReserved": "2026-06-09T06:46:10.431Z",
"dateUpdated": "2026-06-22T16:29:43.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11752 (GCVE-0-2026-11752)
Vulnerability from nvd – Published: 2026-06-19 04:29 – Updated: 2026-06-22 14:57
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Armeria |
Affected:
1.38.0 , < 1.40.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T14:57:29.287769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T14:57:40.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Armeria",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "1.40.0",
"status": "affected",
"version": "1.38.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-73",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T05:48:43.989Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11752",
"datePublished": "2026-06-19T04:29:31.970Z",
"dateReserved": "2026-06-09T06:50:06.220Z",
"dateUpdated": "2026-06-22T14:57:40.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3861 (GCVE-0-2026-3861)
Vulnerability from nvd – Published: 2026-04-16 05:54 – Updated: 2026-05-22 05:00
VLAI
EPSS
VEX
Summary
LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | LINE client for iOS |
Unaffected:
26.3.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:16:15.191045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:31:11.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "LINE client for iOS",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.3.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"cvssV4_0": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T05:00:53.312Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://hackerone.com/reports/3422905"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-3861",
"datePublished": "2026-04-16T05:54:05.194Z",
"dateReserved": "2026-03-10T05:02:39.735Z",
"dateUpdated": "2026-05-22T05:00:53.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41408 (GCVE-0-2025-41408)
Vulnerability from nvd – Published: 2025-09-05 05:25 – Updated: 2025-09-05 13:45
VLAI
EPSS
VEX
Summary
Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-939 - Improper authorization in handler for custom URL scheme
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jvn.jp/en/jp/JVN35290164/ |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | "Yahoo! Shopping" App for Android |
Affected:
versions prior to 14.15.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T13:38:02.982750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:45:13.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "\"Yahoo! Shopping\" App for Android",
"vendor": "LY Corporation",
"versions": [
{
"status": "affected",
"version": "versions prior to 14.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme issue in \"Yahoo! Shopping\" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-939",
"description": "Improper authorization in handler for custom URL scheme",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T05:25:15.422Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN35290164/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-41408",
"datePublished": "2025-09-05T05:25:15.422Z",
"dateReserved": "2025-08-29T01:43:32.740Z",
"dateUpdated": "2025-09-05T13:45:13.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28895 (GCVE-0-2024-28895)
Vulnerability from nvd – Published: 2024-04-01 00:16 – Updated: 2024-11-06 20:45
VLAI
EPSS
VEX
Summary
'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via other app installed on the user's device.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Cross-site scripting (XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jvn.jp/en/jp/JVN23528780/ |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | 'Yahoo! JAPAN' App for Android |
Affected:
v2.3.1 to v3.161.1
|
|
| LY Corporation | 'Yahoo! JAPAN' App for iOS |
Affected:
v3.2.2 to v4.109.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-01T20:03:28.170849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T20:45:53.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:50.243Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN23528780/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "\u0027Yahoo! JAPAN\u0027 App for Android",
"vendor": "LY Corporation",
"versions": [
{
"status": "affected",
"version": "v2.3.1 to v3.161.1"
}
]
},
{
"product": "\u0027Yahoo! JAPAN\u0027 App for iOS",
"vendor": "LY Corporation",
"versions": [
{
"status": "affected",
"version": "v3.2.2 to v4.109.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "\u0027Yahoo! JAPAN\u0027 App for Android v2.3.1 to v3.161.1 and \u0027Yahoo! JAPAN\u0027 App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of \u0027Yahoo! JAPAN\u0027 App via other app installed on the user\u0027s device."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T00:16:08.562Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN23528780/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-28895",
"datePublished": "2024-04-01T00:16:08.562Z",
"dateReserved": "2024-03-13T00:41:43.890Z",
"dateUpdated": "2024-11-06T20:45:53.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-11748 (GCVE-0-2026-11748)
Vulnerability from cvelistv5 – Published: 2026-06-22 02:37 – Updated: 2026-06-22 16:12
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Central Dogma |
Unaffected:
0.84.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11748",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:11:47.695670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:12:07.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Central Dogma",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.84.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-90",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T02:37:35.370Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11748",
"datePublished": "2026-06-22T02:37:35.370Z",
"dateReserved": "2026-06-09T06:50:03.618Z",
"dateUpdated": "2026-06-22T16:12:07.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11746 (GCVE-0-2026-11746)
Vulnerability from cvelistv5 – Published: 2026-06-22 02:35 – Updated: 2026-06-22 16:13
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Central Dogma |
Unaffected:
0.84.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:12:56.884349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:13:00.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Central Dogma",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.84.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-798",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T02:35:51.201Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11746",
"datePublished": "2026-06-22T02:35:51.201Z",
"dateReserved": "2026-06-09T06:48:47.296Z",
"dateUpdated": "2026-06-22T16:13:00.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11745 (GCVE-0-2026-11745)
Vulnerability from cvelistv5 – Published: 2026-06-22 02:33 – Updated: 2026-06-22 16:29
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Central Dogma |
Unaffected:
0.84.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:29:39.280352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-322",
"description": "CWE-322 Key Exchange without Entity Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:29:43.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Central Dogma",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0.84.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-322",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T02:33:08.952Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11745",
"datePublished": "2026-06-22T02:33:08.952Z",
"dateReserved": "2026-06-09T06:46:10.431Z",
"dateUpdated": "2026-06-22T16:29:43.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11752 (GCVE-0-2026-11752)
Vulnerability from cvelistv5 – Published: 2026-06-19 04:29 – Updated: 2026-06-22 14:57
VLAI
EPSS
VEX
Summary
A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | Armeria |
Affected:
1.38.0 , < 1.40.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T14:57:29.287769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T14:57:40.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Armeria",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "1.40.0",
"status": "affected",
"version": "1.38.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-73",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T05:48:43.989Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-11752",
"datePublished": "2026-06-19T04:29:31.970Z",
"dateReserved": "2026-06-09T06:50:06.220Z",
"dateUpdated": "2026-06-22T14:57:40.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3861 (GCVE-0-2026-3861)
Vulnerability from cvelistv5 – Published: 2026-04-16 05:54 – Updated: 2026-05-22 05:00
VLAI
EPSS
VEX
Summary
LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | LINE client for iOS |
Unaffected:
26.3.0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T12:16:15.191045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T12:31:11.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "LINE client for iOS",
"vendor": "LY Corporation",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.3.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"cvssV4_0": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T05:00:53.312Z",
"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"shortName": "LY-Corporation"
},
"references": [
{
"url": "https://hackerone.com/reports/3422905"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
"assignerShortName": "LY-Corporation",
"cveId": "CVE-2026-3861",
"datePublished": "2026-04-16T05:54:05.194Z",
"dateReserved": "2026-03-10T05:02:39.735Z",
"dateUpdated": "2026-05-22T05:00:53.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41408 (GCVE-0-2025-41408)
Vulnerability from cvelistv5 – Published: 2025-09-05 05:25 – Updated: 2025-09-05 13:45
VLAI
EPSS
VEX
Summary
Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-939 - Improper authorization in handler for custom URL scheme
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jvn.jp/en/jp/JVN35290164/ |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | "Yahoo! Shopping" App for Android |
Affected:
versions prior to 14.15.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T13:38:02.982750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:45:13.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "\"Yahoo! Shopping\" App for Android",
"vendor": "LY Corporation",
"versions": [
{
"status": "affected",
"version": "versions prior to 14.15.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme issue in \"Yahoo! Shopping\" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-939",
"description": "Improper authorization in handler for custom URL scheme",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T05:25:15.422Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN35290164/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-41408",
"datePublished": "2025-09-05T05:25:15.422Z",
"dateReserved": "2025-08-29T01:43:32.740Z",
"dateUpdated": "2025-09-05T13:45:13.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28895 (GCVE-0-2024-28895)
Vulnerability from cvelistv5 – Published: 2024-04-01 00:16 – Updated: 2024-11-06 20:45
VLAI
EPSS
VEX
Summary
'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via other app installed on the user's device.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Cross-site scripting (XSS)
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://jvn.jp/en/jp/JVN23528780/ |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LY Corporation | 'Yahoo! JAPAN' App for Android |
Affected:
v2.3.1 to v3.161.1
|
|
| LY Corporation | 'Yahoo! JAPAN' App for iOS |
Affected:
v3.2.2 to v4.109.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-01T20:03:28.170849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T20:45:53.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:50.243Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN23528780/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "\u0027Yahoo! JAPAN\u0027 App for Android",
"vendor": "LY Corporation",
"versions": [
{
"status": "affected",
"version": "v2.3.1 to v3.161.1"
}
]
},
{
"product": "\u0027Yahoo! JAPAN\u0027 App for iOS",
"vendor": "LY Corporation",
"versions": [
{
"status": "affected",
"version": "v3.2.2 to v4.109.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "\u0027Yahoo! JAPAN\u0027 App for Android v2.3.1 to v3.161.1 and \u0027Yahoo! JAPAN\u0027 App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of \u0027Yahoo! JAPAN\u0027 App via other app installed on the user\u0027s device."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T00:16:08.562Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN23528780/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-28895",
"datePublished": "2024-04-01T00:16:08.562Z",
"dateReserved": "2024-03-13T00:41:43.890Z",
"dateUpdated": "2024-11-06T20:45:53.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2025-000071
Vulnerability from jvndb - Published: 2025-09-05 15:12 - Updated:2025-09-05 15:12
Severity
Summary
"Yahoo! Shopping" App for Android fails to restrict custom URL schemes properly
Details
"Yahoo! Shopping" App for Android provided by LY Corporation contains the following vulnerability.
- Improper authorization in handler for custom URL scheme (CWE-939) - CVE-2025-41408
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000071.html",
"dc:date": "2025-09-05T15:12+09:00",
"dcterms:issued": "2025-09-05T15:12+09:00",
"dcterms:modified": "2025-09-05T15:12+09:00",
"description": "\"Yahoo! Shopping\" App for Android provided by LY Corporation contains the following vulnerability.\u003cul\u003e\u003cli\u003eImproper authorization in handler for custom URL scheme (CWE-939) - CVE-2025-41408\u003c/li\u003e\u003c/ul\u003eShiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000071.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:yahooshopappforandroid",
"@product": "\"Yahoo! Shopping\" App for Android",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000071",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN35290164/index.html",
"@id": "JVN#35290164",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-41408",
"@id": "CVE-2025-41408",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "\"Yahoo! Shopping\" App for Android fails to restrict custom URL schemes properly"
}
JVNDB-2024-003699
Vulnerability from jvndb - Published: 2024-06-24 11:05 - Updated:2024-06-24 11:05
Severity
Summary
LINE client for iOS vulnerable to universal cross-site scripting
Details
The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability (CWE-79, CVE-2024-5739).
LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003699.html",
"dc:date": "2024-06-24T11:05+09:00",
"dcterms:issued": "2024-06-24T11:05+09:00",
"dcterms:modified": "2024-06-24T11:05+09:00",
"description": "The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability (CWE-79, CVE-2024-5739).\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003699.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-003699",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU91384468/index.html",
"@id": "JVNVU#91384468",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-5739",
"@id": "CVE-2024-5739",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "LINE client for iOS vulnerable to universal cross-site scripting"
}
JVNDB-2024-002342
Vulnerability from jvndb - Published: 2024-05-13 17:27 - Updated:2024-05-13 17:27
Severity
Summary
Central Dogma vulnerable to cross-site scripting
Details
Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79, CVE-2024-1143) because RelayState data is not properly treated when Central Dogma processes SAML messages.
LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002342.html",
"dc:date": "2024-05-13T17:27+09:00",
"dcterms:issued": "2024-05-13T17:27+09:00",
"dcterms:modified": "2024-05-13T17:27+09:00",
"description": "Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79, CVE-2024-1143) because RelayState data is not properly treated when Central Dogma processes SAML messages.\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002342.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:central_dogma",
"@product": "Central Dogma",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.3",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-002342",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU99669446/index.html",
"@id": "JVNVU#99669446",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-1143",
"@id": "CVE-2024-1143",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2024-1143",
"@id": "CVE-2024-1143",
"@source": "NVD"
},
{
"#text": "https://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8196_1983180497",
"@id": "SAML v2.0 Errata 05, E90: RelayState sanitization",
"@source": "Related document"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Central Dogma vulnerable to cross-site scripting"
}
JVNDB-2024-003108
Vulnerability from jvndb - Published: 2024-04-22 17:28 - Updated:2024-04-22 17:28
Severity
Summary
Armeria-saml improperly handles SAML messages
Details
Armeria-saml provided by LY Corporation contains an issue in handling SAML messages (CWE-304, CVE-2024-1735).
LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003108.html",
"dc:date": "2024-04-22T17:28+09:00",
"dcterms:issued": "2024-04-22T17:28+09:00",
"dcterms:modified": "2024-04-22T17:28+09:00",
"description": "Armeria-saml provided by LY Corporation contains an issue in handling SAML messages (CWE-304, CVE-2024-1735).\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-003108.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:armeria-saml",
"@product": "Armeria-saml",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.1",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2024-003108",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU91216202/index.html",
"@id": "JVNVU#91216202",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-1735",
"@id": "CVE-2024-1735",
"@source": "CVE"
},
{
"#text": "https://cwe.mitre.org/data/definitions/304.html",
"@id": "CWE-304",
"@title": "Missing Critical Step in Authentication(CWE-304)"
}
],
"title": "Armeria-saml improperly handles SAML messages"
}
JVNDB-2023-014491
Vulnerability from jvndb - Published: 2024-04-22 15:27 - Updated:2024-04-22 15:27
Severity
Summary
LINE client for iOS vulnerable to improper server certificate verification
Details
The financial module within LINE client for iOS lacks server certificate verification in log transmission (CWE-295, CVE-2023-5554).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
References
| Type | URL | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-014491.html",
"dc:date": "2024-04-22T15:27+09:00",
"dcterms:issued": "2024-04-22T15:27+09:00",
"dcterms:modified": "2024-04-22T15:27+09:00",
"description": "The financial module within LINE client for iOS lacks server certificate verification in log transmission (CWE-295, CVE-2023-5554).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-014491.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2023-014491",
"sec:references": [
{
"#text": "https://jvn.jp/en/vu/JVNVU91696361/index.html",
"@id": "JVNVU#91696361",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-5554",
"@id": "CVE-2023-5554",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-5554",
"@id": "CVE-2023-5554",
"@source": "NVD"
},
{
"#text": "https://cwe.mitre.org/data/definitions/295.html",
"@id": "CWE-295",
"@title": "Improper Certificate Validation(CWE-295)"
}
],
"title": "LINE client for iOS vulnerable to improper server certificate verification"
}
JVNDB-2024-000036
Vulnerability from jvndb - Published: 2024-03-29 13:28 - Updated:2024-03-29 13:28
Severity
Summary
"Yahoo! JAPAN" App vulnerable to cross-site scripting
Details
"Yahoo! JAPAN" App provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79).
Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000036.html",
"dc:date": "2024-03-29T13:28+09:00",
"dcterms:issued": "2024-03-29T13:28+09:00",
"dcterms:modified": "2024-03-29T13:28+09:00",
"description": "\"Yahoo! JAPAN\" App provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nShiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000036.html",
"sec:cpe": [
{
"#text": "cpe:/a:linecorp:yahoo%21_japan",
"@product": "Yahoo! JAPAN",
"@vendor": "LY Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:linecorp:yahoo%21_japan",
"@product": "Yahoo! JAPAN",
"@vendor": "LY Corporation",
"@version": "2.2"
}
],
"sec:cvss": [
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2024-000036",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN23528780/index.html",
"@id": "JVN#23528780",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-28895",
"@id": "CVE-2024-28895",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "\"Yahoo! JAPAN\" App vulnerable to cross-site scripting"
}
JVNDB-2019-000060
Vulnerability from jvndb - Published: 2019-09-19 17:59 - Updated:2019-10-18 15:17
Severity
Summary
Multiple integer overflow vulnerabilities in LINE(Android)
Details
LINE(Android) provided by LINE Corporation contains multiple integer overflow vulnerabilities (CWE-190) listed below.
* Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007
* Integer overflow vulnerability in processing images - CVE-2019-6010
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
References
| Type | URL | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000060.html",
"dc:date": "2019-10-18T15:17+09:00",
"dcterms:issued": "2019-09-19T17:59+09:00",
"dcterms:modified": "2019-10-18T15:17+09:00",
"description": "LINE(Android) provided by LINE Corporation contains multiple integer overflow vulnerabilities (CWE-190) listed below.\r\n* Integer overflow vulnerability in processing images using apng-drawable - CVE-2019-6007 \r\n* Integer overflow vulnerability in processing images - CVE-2019-6010\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000060.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "6.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2019-000060",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN97845465/index.html",
"@id": "JVN#97845465",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6007",
"@id": "CVE-2019-6007",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6010",
"@id": "CVE-2019-6010",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6007",
"@id": "CVE-2019-6007",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6010",
"@id": "CVE-2019-6010",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-189",
"@title": "Numeric Errors(CWE-189)"
}
],
"title": "Multiple integer overflow vulnerabilities in LINE(Android)"
}
JVNDB-2019-000059
Vulnerability from jvndb - Published: 2019-09-12 13:55 - Updated:2019-10-18 15:23
Severity
Summary
apng-drawable vulnerable to integer overflow
Details
apng-drawable provided by LINE Corporation contains an integer overflow vulnerability (CWE-190).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000059.html",
"dc:date": "2019-10-18T15:23+09:00",
"dcterms:issued": "2019-09-12T13:55+09:00",
"dcterms:modified": "2019-10-18T15:23+09:00",
"description": "apng-drawable provided by LINE Corporation contains an integer overflow vulnerability (CWE-190).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000059.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:apng-drawable",
"@product": "apng-drawable",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "5.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2019-000059",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN39383894/index.html",
"@id": "JVN#39383894",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6007",
"@id": "CVE-2019-6007",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6007",
"@id": "CVE-2019-6007",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-189",
"@title": "Numeric Errors(CWE-189)"
}
],
"title": "apng-drawable vulnerable to integer overflow"
}
JVNDB-2019-000050
Vulnerability from jvndb - Published: 2019-07-31 15:29 - Updated:2019-10-04 16:37
Severity
Summary
Central Dogma vulnerable to cross-site scripting
Details
Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html",
"dc:date": "2019-10-04T16:37+09:00",
"dcterms:issued": "2019-07-31T15:29+09:00",
"dcterms:modified": "2019-10-04T16:37+09:00",
"description": "Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:central_dogma",
"@product": "Central Dogma",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2019-000050",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN94889214/index.html",
"@id": "JVN#94889214",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6002",
"@id": "CVE-2019-6002",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6002",
"@id": "CVE-2019-6002",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Central Dogma vulnerable to cross-site scripting"
}
JVNDB-2018-000063
Vulnerability from jvndb - Published: 2018-06-12 14:44 - Updated:2018-06-12 14:44
Severity
Summary
LINE for Windows may insecurely load Dynamic Link Libraries
Details
LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software.
If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries (CWE-427).
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000063.html",
"dc:date": "2018-06-12T14:44+09:00",
"dcterms:issued": "2018-06-12T14:44+09:00",
"dcterms:modified": "2018-06-12T14:44+09:00",
"description": "LINE for Windows provided by LINE Corporation specifies the path to read DLL when launching software.\r\n If a user launches LINE for Windows by clicking the specially crafted link prepared by a remote attacker, it may result in insecurely loading Dynamic Link Libraries (CWE-427).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of respective solutions through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000063.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2018-000063",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN92265618/index.html",
"@id": "JVN#92265618",
"@source": "JVN"
},
{
"#text": "https://jvn.jp/en/ta/JVNTA91240916/",
"@id": "JVNTA#91240916",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0609",
"@id": "CVE-2018-0609",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0609",
"@id": "CVE-2018-0609",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "LINE for Windows may insecurely load Dynamic Link Libraries"
}
JVNDB-2018-000016
Vulnerability from jvndb - Published: 2018-02-22 15:29 - Updated:2018-06-14 12:23
Severity
Summary
LINE for iOS fails to verify SSL server certificates
Details
LINE for iOS provided by LINE Corporation fails to verify SSL server certificates due to the vulnerability existed in the Third Party SDK which is incorporated in the application.
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000016.html",
"dc:date": "2018-06-14T12:23+09:00",
"dcterms:issued": "2018-02-22T15:29+09:00",
"dcterms:modified": "2018-06-14T12:23+09:00",
"description": "LINE for iOS provided by LINE Corporation fails to verify SSL server certificates due to the vulnerability existed in the Third Party SDK which is incorporated in the application.\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000016.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2018-000016",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN75453852/index.html",
"@id": "JVN#75453852",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0518",
"@id": "CVE-2018-0518",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0518",
"@id": "CVE-2018-0518",
"@source": "NVD"
}
],
"title": "LINE for iOS fails to verify SSL server certificates"
}
JVNDB-2016-000153
Vulnerability from jvndb - Published: 2016-08-25 14:26 - Updated:2017-05-23 14:28
Severity
Summary
LINE for Windows fails to properly verify downloaded files
Details
The auto update function in LINE for Windows provided by LINE Corporation contains a vulnerability where downloaded files are not properly verified.
LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000153.html",
"dc:date": "2017-05-23T14:28+09:00",
"dcterms:issued": "2016-08-25T14:26+09:00",
"dcterms:modified": "2017-05-23T14:28+09:00",
"description": "The auto update function in LINE for Windows provided by LINE Corporation contains a vulnerability where downloaded files are not properly verified.\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000153.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "8.1",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2016-000153",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN05924524/index.html",
"@id": "JVN#05924524",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4850",
"@id": "CVE-2016-4850",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2016-4850",
"@id": "CVE-2016-4850",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-noinfo",
"@title": "No Mapping(CWE-noinfo)"
}
],
"title": "LINE for Windows fails to properly verify downloaded files"
}
JVNDB-2016-000123
Vulnerability from jvndb - Published: 2016-07-08 14:29 - Updated:2016-08-19 17:44
Severity
Summary
LINE for Windows may insecurely load Dynamic Link Libraries
Details
LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.
Takashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000123.html",
"dc:date": "2016-08-19T17:44+09:00",
"dcterms:issued": "2016-07-08T14:29+09:00",
"dcterms:modified": "2016-08-19T17:44+09:00",
"description": "LINE for Windows provided by LINE Corporation contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.\r\n\r\nTakashi Yoshikawa of Mitsui Bussan Secure Directions reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000123.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "6.8",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
{
"@score": "7.8",
"@severity": "High",
"@type": "Base",
"@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2016-000123",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN51565015/index.html",
"@id": "JVN#51565015",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4831",
"@id": "CVE-2016-4831",
"@source": "CVE"
},
{
"#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4831",
"@id": "CVE-2016-4831",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "LINE for Windows may insecurely load Dynamic Link Libraries"
}
JVNDB-2016-000029
Vulnerability from jvndb - Published: 2016-02-19 14:43 - Updated:2016-03-10 17:39
Severity
Summary
LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)
Details
LINE for Windows and LINE for Mac OS contain a denial-of-service (DoS) vulnerability due to an issue in displaying the Timeline.
Jun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000029.html",
"dc:date": "2016-03-10T17:39+09:00",
"dcterms:issued": "2016-02-19T14:43+09:00",
"dcterms:modified": "2016-03-10T17:39+09:00",
"description": "LINE for Windows and LINE for Mac OS contain a denial-of-service (DoS) vulnerability due to an issue in displaying the Timeline.\r\n\r\nJun Kokatsu of KDDI Singapore Dubai Branch reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000029.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"@version": "2.0"
},
{
"@score": "3.5",
"@severity": "Low",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2016-000029",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN46044093/index.html",
"@id": "JVN#46044093",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1156",
"@id": "CVE-2016-1156",
"@source": "CVE"
},
{
"#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1156",
"@id": "CVE-2016-1156",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-noinfo",
"@title": "No Mapping(CWE-noinfo)"
}
],
"title": "LINE for Windows and LINE for Mac OS vulnerable to denial-of-service (DoS)"
}
JVNDB-2015-000095
Vulnerability from jvndb - Published: 2015-07-10 14:50 - Updated:2024-05-09 18:05Summary
LINE@ vulnerable to script injection
Details
LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Kenta Suefusa, Nobuaki Nakazawa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000095.html",
"dc:date": "2024-05-09T18:05+09:00",
"dcterms:issued": "2015-07-10T14:50+09:00",
"dcterms:modified": "2024-05-09T18:05+09:00",
"description": "LINE@ provided by LINE Corporation is an application used to communicate with others. LINE@ is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.\r\n\r\nKenta Suefusa, Nobuaki Nakazawa, Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000095.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line%40",
"@product": "LINE@",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2015-000095",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN22546110/index.html",
"@id": "JVN#22546110",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2968",
"@id": "CVE-2015-2968",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2015-2968",
"@id": "CVE-2015-2968",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-DesignError",
"@title": "No Mapping(CWE-DesignError)"
}
],
"title": "LINE@ vulnerable to script injection"
}
JVNDB-2015-000040
Vulnerability from jvndb - Published: 2015-03-20 16:16 - Updated:2024-05-09 18:15Summary
LINE vulnerable to script injection
Details
LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Kenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000040.html",
"dc:date": "2024-05-09T18:15+09:00",
"dcterms:issued": "2015-03-20T16:16+09:00",
"dcterms:modified": "2024-05-09T18:15+09:00",
"description": "LINE provided by LINE Corporation is an application used to communicate with others. LINE is vulnerable to MITM (man-in-the-middle) attacks since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.\r\n\r\nKenta Suefusa, Nobuaki Nakazawa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000040.html",
"sec:cpe": {
"#text": "cpe:/a:linecorp:line",
"@product": "LINE",
"@vendor": "LY Corporation",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2015-000040",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN41281927/index.html",
"@id": "JVN#41281927",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0897",
"@id": "CVE-2015-0897",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2015-0897",
"@id": "CVE-2015-0897",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-DesignError",
"@title": "No Mapping(CWE-DesignError)"
}
],
"title": "LINE vulnerable to script injection"
}