CVE-2015-5630
Description
An XSS vulnerability in the Japan Connected-free Wi-Fi app allows attackers to inject arbitrary scripts via a crafted SSID when the device connects to a malicious access point.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Japan Connected-free Wi-Fi application provided by NTT Broadband Platform, Inc. The application fails to properly sanitize SSID strings before displaying them. Affected versions include Android 1.6.0 and earlier, and iOS 1.0.2 and earlier [1][2]. The flaw is categorized as an Improper Input Validation issue (CWE-20) [2].
Exploitation
An attacker must set up a wireless access point with a crafted SSID containing a malicious script. When a device running a vulnerable version of the app connects to that access point, the app displays the SSID, causing the embedded script to execute in the context of the application [1][2]. No authentication or user interaction beyond connecting to the Wi-Fi network is required.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML within the app's display context. This can lead to information disclosure, session hijacking, or other client-side attacks depending on the capabilities available to the app's web view [1][2].
Mitigation
Users should update the application to the latest version provided by the developer for both Android (via Google Play) and iOS (via the App Store) [1][2]. The vendor announced the fix on September 11, 2015 [1][2]. The CVSS v2 base score is 5.4 (Medium) with adjacent network access vector [2].
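For developers of apps that display network names, the missing step described under Vulnerability (encoding the SSID before it is displayed) looks like the following added example. It is not code from the app or the vendor; the function names, the `<span>` template and the sample SSID are assumptions constructed for illustration.

```javascript
// An SSID is 0-32 arbitrary octets chosen by whoever runs the access point,
// so it is untrusted input and is not guaranteed to be valid UTF-8.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Decode SSID octets for display. Invalid UTF-8 becomes U+FFFD instead of
// throwing, and control characters are replaced so they cannot alter layout.
function ssidToText(octets) {
  if (octets.length > 32) throw new RangeError('SSID longer than 32 octets');
  const text = new TextDecoder('utf-8', { fatal: false }).decode(Uint8Array.from(octets));
  return text.replace(/[\u0000-\u001f\u007f-\u009f]/g, '\uFFFD');
}

// Encode a string for the HTML text/attribute-value context.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" (hypothetical template): SSID concatenated into markup as-is,
// so any markup in the network name is interpreted by the web view.
function renderSsidUnsafe(octets) {
  return '<span class="ssid">' + new TextDecoder().decode(Uint8Array.from(octets)) + '</span>';
}

// "After": SSID decoded defensively and HTML-encoded before insertion.
function renderSsidSafe(octets) {
  return '<span class="ssid">' + escapeHtml(ssidToText(octets)) + '</span>';
}

// Constructed sample SSID containing markup characters (an inert tag only).
const sampleSsid = Array.from(new TextEncoder().encode('<b>Free_Wi-Fi</b>&"x"'));
```

In a DOM-based view, assigning the decoded string to `textContent` avoids building markup from the SSID at all.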
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ntt-bp:japan_connected-free_wi-fi:*:*:*:*:*:android:*:* (range: <=1.6.0)
- cpe:2.3:a:ntt-bp:japan_connected-free_wi-fi:*:*:*:*:*:iphone_os:*:* (range: <=1.0.2)
- (no CPE) range: <=1.6.0 (Android) / <=1.0.2 (iOS)
Patches
No patches discovered yet.
References
- itunes.apple.com/en/app/japan-connected-free-wi-fi/id810838196 (nvd, Patch)
- play.google.com/store/apps/details (nvd, Patch)
- jvn.jp/en/jp/JVN41048401/index.html (nvd, Vendor Advisory)
- jvndb.jvn.jp/jvndb/JVNDB-2015-000116 (nvd, Vendor Advisory)