Vendor CVEs
Kddi
All CVEs
24 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-27718 | Hig | 0.57 | 8.8 | 0.01 | Mar 28, 2025 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained… | ||
| CVE-2024-28041 | Hig | 0.57 | 8.8 | 0.01 | Mar 25, 2024 | HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary command. | ||
| CVE-2017-2186 | Hig | 0.57 | 8.8 | 0.01 | Jul 7, 2017 | HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to bypass authentication to load malicious firmware via WebUI. | ||
| CVE-2017-2185 | Hig | 0.57 | 8.8 | 0.01 | Jul 7, 2017 | HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via WebUI. | ||
| CVE-2017-2184 | Hig | 0.57 | 8.8 | 0.01 | Jul 7, 2017 | Buffer overflow in HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to execute arbitrary code via WebUI. | ||
| CVE-2025-27932 | Hig | 0.53 | 8.1 | 0.01 | Mar 28, 2025 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an attacker may delete a file on the… | ||
| CVE-2017-2183 | Hig | 0.52 | 8.0 | 0.01 | Jul 7, 2017 | HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via Clock Settings. | ||
| CVE-2017-2289 | Hig | 0.51 | 7.8 | 0.01 | Aug 18, 2017 | Untrusted search path vulnerability in Installer of Qua station connection tool for Windows version 1.00.03 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | ||
| CVE-2016-1139 | Hig | 0.49 | 7.5 | 0.01 | Jan 30, 2016 | Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | ||
| CVE-2016-1137 | Hig | 0.48 | 7.4 | 0.01 | Jan 30, 2016 | Open redirect vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | ||
| CVE-2025-27716 | Med | 0.42 | 6.5 | 0.01 | Mar 28, 2025 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file/folder listing process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be… | ||
| CVE-2024-21865 | Med | 0.42 | 6.5 | 0.00 | Mar 25, 2024 | HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may connect to the product via SSH and use a shell. | ||
| CVE-2016-1140 | Med | 0.40 | 6.1 | 0.01 | Jan 30, 2016 | KDDI HOME SPOT CUBE devices before 2 allow remote attackers to conduct clickjacking attacks via unspecified vectors. | ||
| CVE-2025-27567 | Med | 0.35 | 5.4 | 0.00 | Mar 28, 2025 | Cross-site scripting vulnerability exists in the NickName registration screen of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the configuration page or functions… | ||
| CVE-2016-1136 | Med | 0.35 | 5.4 | 0.01 | Jan 30, 2016 | Cross-site scripting (XSS) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2026-41281 | Med | 0.31 | 4.8 | 0.00 | May 14, 2026 | Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in… | ||
| CVE-2016-1141 | Med | 0.31 | 4.7 | 0.01 | Jan 30, 2016 | KDDI HOME SPOT CUBE devices before 2 allow remote authenticated users to execute arbitrary OS commands via unspecified vectors. | ||
| CVE-2016-1138 | Med | 0.31 | 4.7 | 0.01 | Jan 30, 2016 | CRLF injection vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to inject arbitrary HTTP headers via unspecified vectors. | ||
| CVE-2025-27574 | Low | 0.23 | 3.6 | 0.00 | Mar 28, 2025 | Cross-site scripting vulnerability exists in the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the configuration page or functions… | ||
| CVE-2025-27726 | Low | 0.14 | 2.1 | 0.00 | Mar 28, 2025 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file download process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained… | ||
| CVE-2022-43543 | 0.00 | — | 0.00 | Dec 21, 2022 | KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode… | |||
| CVE-2019-15416 | 0.00 | — | 0.00 | Nov 14, 2019 | The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03)… | |||
| CVE-2018-0691 | 0.00 | — | 0.01 | Nov 15, 2018 | Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App… | |||
| CVE-2007-3692 | 0.00 | — | 0.02 | Jul 11, 2007 | Directory traversal vulnerability in download.cgi in EZFactory KDDI Download CGI 1.x allows remote attackers to read and download arbitrary files via a .. (dot dot) in the name parameter. |
- risk 0.57cvss 8.8epss 0.01
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained…
- risk 0.57cvss 8.8epss 0.01
HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary command.
- risk 0.57cvss 8.8epss 0.01
HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to bypass authentication to load malicious firmware via WebUI.
- risk 0.57cvss 8.8epss 0.01
HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via WebUI.
- risk 0.57cvss 8.8epss 0.01
Buffer overflow in HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to execute arbitrary code via WebUI.
- risk 0.53cvss 8.1epss 0.01
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an attacker may delete a file on the…
- risk 0.52cvss 8.0epss 0.01
HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via Clock Settings.
- risk 0.51cvss 7.8epss 0.01
Untrusted search path vulnerability in Installer of Qua station connection tool for Windows version 1.00.03 allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
- risk 0.49cvss 7.5epss 0.01
Cross-site request forgery (CSRF) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
- risk 0.48cvss 7.4epss 0.01
Open redirect vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- risk 0.42cvss 6.5epss 0.01
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file/folder listing process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be…
- risk 0.42cvss 6.5epss 0.00
HGW BL1500HM Ver 002.001.013 and earlier contains a use of week credentials issue. A network-adjacent unauthenticated attacker may connect to the product via SSH and use a shell.
- risk 0.40cvss 6.1epss 0.01
KDDI HOME SPOT CUBE devices before 2 allow remote attackers to conduct clickjacking attacks via unspecified vectors.
- risk 0.35cvss 5.4epss 0.00
Cross-site scripting vulnerability exists in the NickName registration screen of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the configuration page or functions…
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting (XSS) vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
- risk 0.31cvss 4.8epss 0.00
Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify communications transmitted in plaintext, potentially resulting in…
- risk 0.31cvss 4.7epss 0.01
KDDI HOME SPOT CUBE devices before 2 allow remote authenticated users to execute arbitrary OS commands via unspecified vectors.
- risk 0.31cvss 4.7epss 0.01
CRLF injection vulnerability on KDDI HOME SPOT CUBE devices before 2 allows remote attackers to inject arbitrary HTTP headers via unspecified vectors.
- risk 0.23cvss 3.6epss 0.00
Cross-site scripting vulnerability exists in the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the configuration page or functions…
- risk 0.14cvss 2.1epss 0.00
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file download process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained…
- CVE-2022-43543Dec 21, 2022risk 0.00cvss —epss 0.00
KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode…
- CVE-2019-15416Nov 14, 2019risk 0.00cvss —epss 0.00
The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03)…
- CVE-2018-0691Nov 15, 2018risk 0.00cvss —epss 0.01
Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App…
- CVE-2007-3692Jul 11, 2007risk 0.00cvss —epss 0.02
Directory traversal vulnerability in download.cgi in EZFactory KDDI Download CGI 1.x allows remote attackers to read and download arbitrary files via a .. (dot dot) in the name parameter.