Softbank, NTT Docomo, KDDI Security Vulnerabilities

securelist

Roaming Mantis, part V

Kaspersky has continued to track the Roaming Mantis campaign. The group's attack methods have improved and new targets continuously added in order to steal more funds. The attackers' focus has also shifted to techniques that avoid tracking and research: whitelist for distribution, analysis...

0.5AI Score

2020-02-27 02:00 PM
24
openbugbounty

ns2.magic-inc.com Improper Access Control vulnerability

Open Bug Bounty ID: OBB-1103928. Security Researcher error404 (helped patch 526 vulnerabilities; received 8 Coordinated Disclosure badges; received 20 recommendations), a holder of 8 badges for responsible and coordinated disclosure, found a security vulnerability affecting ns2.magic-inc.com website...

0.3AI Score

2020-02-25 12:14 PM
7
cve

CVE-2020-5523

Android App 'MyPallete' and some of the Android banking applications based on 'MyPallete' do not verify X.509 certificates from servers, and also do not properly validate certificates with host-mismatch, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via....

7.4CVSS

6.9AI Score

0.002EPSS

2020-01-28 06:15 AM
94
jvn

JVN#28845872: Android App "MyPallete" vulnerable to improper server certificate verification

Android App "MyPallete" developed by NTT Data Corporation is used by several financial institutions as Android applications for their customers. "MyPallete" is vulnerable to improper server certificate verification (CWE-295) and to improper host-matching validation (CWE-297). ## Impact A...

7.4CVSS

3.2AI Score

0.002EPSS

2020-01-28 12:00 AM
29
openbugbounty

familynhome.org Improper Access Control vulnerability

Open Bug Bounty ID: OBB-1070441. Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website...

0.8AI Score

2020-01-19 03:57 PM
6
openbugbounty

satisloh.de Cross Site Scripting vulnerability

Security Researcher metamorfosec (helped patch 1908 vulnerabilities; received 9 Coordinated Disclosure badges; received 31 recommendations), a holder of 9 badges for responsible and coordinated disclosure, found a security vulnerability affecting satisloh.de website and its users. Following...

0.2AI Score

2020-01-12 05:52 PM
8
cve

CVE-2019-15416

The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other...

7.8CVSS

7.3AI Score

0.0004EPSS

2019-11-14 05:15 PM
21
nvd

CVE-2019-15416

The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other...

7.8CVSS

7.4AI Score

0.0004EPSS

2019-11-14 05:15 PM
prion

Code injection

The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other...

7.8CVSS

7.3AI Score

0.0004EPSS

2019-11-14 05:15 PM
4
cvelist

CVE-2019-15416

The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other...

7.4AI Score

0.0004EPSS

2019-11-14 04:26 PM
cve

CVE-2019-5986

Cross-site request forgery (CSRF) vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version...

8.8CVSS

8.8AI Score

0.001EPSS

2019-09-12 05:15 PM
101
cve

CVE-2019-6005

Smart TV Box firmware version prior to 1300 allows remote attackers to bypass access restriction to conduct arbitrary operations on the device without user's intent, such as installing arbitrary software or changing the device settings via Android Debug Bridge port...

9.8CVSS

9.2AI Score

0.012EPSS

2019-09-12 05:15 PM
94
cve

CVE-2019-5985

Cross-site scripting vulnerability in Hikari Denwa router/Home GateWay (Hikari Denwa router/Home GateWay provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION PR-S300NE/RT-S300NE/RV-S340NE firmware version Ver. 19.41 and earlier, PR-S300HI/RT-S300HI/RV-S340HI firmware version Ver.19.01.0005.....

6.1CVSS

6.3AI Score

0.001EPSS

2019-09-12 05:15 PM
103
jvn

JVN#17127920: Smart TV Box fails to restrict access permissions

Smart TV Box provided by KDDI CORPORATION enables access to Android Debug Bridge via port 5555/TCP of LAN side interface. When a cable television provider sets up Smart TV Box at an individual residence, direct access from outside to the LAN side interface of Smart TV Box is disabled. However if...

9.8CVSS

2.3AI Score

0.012EPSS

2019-08-23 12:00 AM
59
schneier

Details of the Cloud Hopper Attacks

Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported. The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud....

1AI Score

2019-07-10 10:51 AM
59
veracode

Denial Of Service (DoS)

The openstack-nova packages provide OpenStack Compute (code name Nova), which provides services for provisioning, managing, and using virtual machine instances. A flaw was found in the way the Nova VNC proxy handled console tokens. In some cases, a console token that was valid for one virtual...

6AI Score

0.011EPSS

2019-05-02 04:54 AM
4
krebs

Payroll Provider Gives Extortionists a Payday

Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company's customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the...

6.7AI Score

2019-02-24 12:16 AM
144
cve

CVE-2019-5914

V20 PRO L-01J software version L01J20c and L01J20d has a NULL pointer exception flaw that can be used by an attacker to cause the device to crash on the same network range via a specially crafted access...

5.3CVSS

5.1AI Score

0.001EPSS

2019-02-13 06:29 PM
26
jvn

JVN#40439414: A vulnerability in V20 PRO L-01J that may cause a crash

V20 PRO L-01J provided by NTT DOCOMO, INC. is an Android smartphone. V20 PRO L-01J contains a flaw in processing connection using Wi-Fi CERTIFIED Passpoint which may result in the device to crash when Passpoint is enabled. ## Impact If an attacker sets up a specially crafted Passpoint applied...

5.3CVSS

3.4AI Score

0.001EPSS

2019-02-12 12:00 AM
113
cve

CVE-2018-16177

Untrusted search path vulnerability in The installer of Windows 10 Fall Creators Update Modify module for Security Measures tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified...

7.8CVSS

7.7AI Score

0.001EPSS

2019-01-09 11:29 PM
19
openbugbounty

simonandschuster.com XSS vulnerability

Open Bug Bounty ID: OBB-702178 Description| Value ---|--- Affected Website:| simonandschuster.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

AI Score

2018-11-24 05:19 PM
6
apple

About the security content of Safari 11.1 - Apple Support

About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, see....

8.8CVSS

0.1AI Score

0.17EPSS

2018-11-17 12:38 PM
15
cve

CVE-2018-0691

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to....

5.9CVSS

5AI Score

0.001EPSS

2018-11-15 03:29 PM
22
nvd

CVE-2018-0691

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to....

5.9CVSS

5.2AI Score

0.001EPSS

2018-11-15 03:29 PM
prion

Code injection

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to....

5.9CVSS

5AI Score

0.001EPSS

2018-11-15 03:29 PM
4
cvelist

CVE-2018-0691

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to....

5.1AI Score

0.001EPSS

2018-11-15 03:00 PM
threatpost

Google's G Suite, Search and Analytics Taken Down in Hijacking

Google said key business services were knocked offline Monday when web traffic to a portion of its cloud platform was hijacked and routed through Chinese, Nigerian and Russian ISPs. The incident lasted for 74 minutes in what is called a Border Gateway Protocol (BGP) hijacking. BGP is a protocol...

1.4AI Score

2018-11-13 05:44 PM
9
openbugbounty

paperrebel.com XSS vulnerability

Open Bug Bounty ID: OBB-683564 Description| Value ---|--- Affected Website:| paperrebel.com Open Bug Bounty Program:| View Open Bug Bounty Program Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

AI Score

2018-10-07 09:09 PM
7
openbugbounty

otelo.be XSS vulnerability

Open Bug Bounty ID: OBB-682393 Description| Value ---|--- Affected Website:| otelo.be Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

0.1AI Score

2018-10-03 08:05 PM
6
openbugbounty

otelo.fr XSS vulnerability

Open Bug Bounty ID: OBB-682392 Description| Value ---|--- Affected Website:| otelo.fr Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

0.1AI Score

2018-10-03 07:56 PM
7
openbugbounty

otelo.ch XSS vulnerability

Open Bug Bounty ID: OBB-682389 Description| Value ---|--- Affected Website:| otelo.ch Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

0.1AI Score

2018-10-03 07:51 PM
10
openbugbounty

foschini.co.za XSS vulnerability

Open Bug Bounty ID: OBB-681408 Description| Value ---|--- Affected Website:| foschini.co.za Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

AI Score

2018-09-30 09:59 PM
7
openbugbounty

totalsports.co.za XSS vulnerability

Open Bug Bounty ID: OBB-681366 Description| Value ---|--- Affected Website:| totalsports.co.za Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

AI Score

2018-09-30 08:18 PM
6
openbugbounty

yachtworld.fi Open Redirect vulnerability

Open Bug Bounty ID: OBB-681063 Description| Value ---|--- Affected Website:| yachtworld.fi Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:17 AM
7
openbugbounty

yachtworld.dk Open Redirect vulnerability

Open Bug Bounty ID: OBB-681062 Description| Value ---|--- Affected Website:| yachtworld.dk Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:16 AM
11
openbugbounty

yachtworld.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-681060 Description| Value ---|--- Affected Website:| yachtworld.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:16 AM
8
openbugbounty

yachtworld.de Open Redirect vulnerability

Open Bug Bounty ID: OBB-681061 Description| Value ---|--- Affected Website:| yachtworld.de Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:16 AM
6
openbugbounty

yachtworld.fr Open Redirect vulnerability

Open Bug Bounty ID: OBB-681058 Description| Value ---|--- Affected Website:| yachtworld.fr Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:15 AM
8
openbugbounty

yachtworld.es Open Redirect vulnerability

Open Bug Bounty ID: OBB-681059 Description| Value ---|--- Affected Website:| yachtworld.es Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:15 AM
5
openbugbounty

yachtworld.it Open Redirect vulnerability

Open Bug Bounty ID: OBB-681057 Description| Value ---|--- Affected Website:| yachtworld.it Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:15 AM
10
openbugbounty

no.yachtworld.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-681054 Description| Value ---|--- Affected Website:| no.yachtworld.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:14 AM
8
openbugbounty

nl.yachtworld.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-681055 Description| Value ---|--- Affected Website:| nl.yachtworld.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:14 AM
7
openbugbounty

ru.yachtworld.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-681053 Description| Value ---|--- Affected Website:| ru.yachtworld.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:13 AM
8
openbugbounty

se.yachtworld.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-681052 Description| Value ---|--- Affected Website:| se.yachtworld.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:13 AM
10
openbugbounty

yachtworld.co.uk Open Redirect vulnerability

Open Bug Bounty ID: OBB-681051 Description| Value ---|--- Affected Website:| yachtworld.co.uk Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:13 AM
6
openbugbounty

au.yachtworld.com Open Redirect vulnerability

Open Bug Bounty ID: OBB-681050 Description| Value ---|--- Affected Website:| au.yachtworld.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| Open Redirect / CWE-601 CVSSv3 Score:| 3.4...

0.1AI Score

2018-09-29 11:12 AM
6
jvn

JVN#37288228: +Message App fails to verify SSL server certificates

+Message App fails to verify SSL server certificates. ## Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. ## Solution Update the Application Update to the latest version according to the information provided by the developer. ## Products Affected.....

5.9CVSS

3.5AI Score

0.001EPSS

2018-09-27 12:00 AM
526
openbugbounty

americangreetings.com XSS vulnerability

Open Bug Bounty ID: OBB-679799 Description| Value ---|--- Affected Website:| americangreetings.com Open Bug Bounty Program:| View Open Bug Bounty Program Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

AI Score

2018-09-24 08:51 PM
7
openbugbounty

kennametal.com XSS vulnerability

Open Bug Bounty ID: OBB-676061 Description| Value ---|--- Affected Website:| kennametal.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

AI Score

2018-09-13 03:47 AM
9
openbugbounty

americangreetings.com XSS vulnerability

Open Bug Bounty ID: OBB-662673 Description| Value ---|--- Affected Website:| americangreetings.com Open Bug Bounty Program:| View Open Bug Bounty Program Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

0.1AI Score

2018-08-11 02:01 AM
8
Total number of security vulnerabilities: 676