KDDI HOME SPOT CUBE devices before 2 allow remote attackers to conduct clickjacking attacks via unspecified vectors.

The GREE application before 1.4.0, GREE Tanken Dorirando application before 1.0.7, GREE Tsurisuta application before 1.5.0, GREE Monpura application before 1.1.1, GREE Kaizokuoukoku Columbus application before 1.3.5, GREE haconiwa application before 1.1.0, GREE Seisen Cerberus application before 1.1.0, and KDDI&GREE GREE Market application before 2.1.2 for Android do not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application.

Directory traversal vulnerability in download.cgi in EZFactory KDDI Download CGI 1.x allows remote attackers to read and download arbitrary files via a .. (dot dot) in the name parameter.