All the vulnerabilities related to Alfasado Inc. - PowerCMS
jvndb-2022-000069
Vulnerability from jvndb
Published
2022-09-02 15:49
Modified
2024-06-13 11:44
Summary
PowerCMS XMLRPC API vulnerable to command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer, even if the vulnerability is exploited, a command cannot be executed with an arbitrary value added to its argument. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc. - PowerCMS


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "dc:date": "2024-06-13T11:44+09:00",
  "dcterms:issued": "2022-09-02T15:49+09:00",
  "dcterms:modified": "2024-06-13T11:44+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).\r\nSending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.\r\nAccording to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000069",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN76024879/index.html",
      "@id": "JVN#76024879",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to command injection"
}

jvndb-2019-000066
Vulnerability from jvndb
Published
2019-10-23 16:00
Modified
2019-10-23 16:00
Summary
PowerCMS vulnerable to open redirect
Details
PowerCMS provided by Alfasado Inc. contains an open redirect vulnerability (CWE-601). Hidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products
Alfasado Inc. - PowerCMS


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000066.html",
  "dc:date": "2019-10-23T16:00+09:00",
  "dcterms:issued": "2019-10-23T16:00+09:00",
  "dcterms:modified": "2019-10-23T16:00+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains an open redirect vulnerability (CWE-601).\r\n\r\nHidetomo Hosono of EG Secure Solutions Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000066.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "2.6",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "4.7",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000066",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN34634458/index.html",
      "@id": "JVN#34634458",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6020",
      "@id": "CVE-2019-6020",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6020",
      "@id": "CVE-2019-6020",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    }
  ],
  "title": "PowerCMS vulnerable to open redirect"
}

jvndb-2021-000105
Vulnerability from jvndb
Published
2021-11-24 15:47
Modified
2024-07-26 15:22
Summary
PowerCMS XMLRPC API vulnerable to OS command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78). Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc. - PowerCMS


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000105.html",
  "dc:date": "2024-07-26T15:22+09:00",
  "dcterms:issued": "2021-11-24T15:47+09:00",
  "dcterms:modified": "2024-07-26T15:22+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000105.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000105",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN17645965/index.html",
      "@id": "JVN#17645965",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20850",
      "@id": "CVE-2021-20850",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20850",
      "@id": "CVE-2021-20850",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to OS command injection"
}

jvndb-2023-000126
Vulnerability from jvndb
Published
2023-12-26 16:46
Modified
2024-03-18 17:58
Summary
Multiple vulnerabilities in PowerCMS
Details
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117
* Open redirect vulnerability in the members' site (CWE-601) - CVE-2023-50297
Alfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc. - PowerCMS


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000126.html",
  "dc:date": "2024-03-18T17:58+09:00",
  "dcterms:issued": "2023-12-26T16:46+09:00",
  "dcterms:modified": "2024-03-18T17:58+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117\u003c/li\u003e\u003cli\u003eOpen redirect vulnerability in the members\u0027 site (CWE-601) - CVE-2023-50297\u003c/li\u003e\u003c/ul\u003e\r\n\r\nAlfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000126.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "3.5",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.4",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-000126",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN32646742/index.html",
      "@id": "JVN#32646742",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-49117",
      "@id": "CVE-2023-49117",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-50297",
      "@id": "CVE-2023-50297",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-49117",
      "@id": "CVE-2023-49117",
      "@source": "NVD"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-50297",
      "@id": "CVE-2023-50297",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

jvndb-2025-010408
Vulnerability from jvndb
Published
2025-08-01 12:05
Modified
2025-08-01 12:05
Summary
Multiple vulnerabilities in PowerCMS
Details
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.
* Reflected cross-site scripting (CWE-79) - CVE-2025-36563
* Stored cross-site scripting (CWE-79) - CVE-2025-41391
* Path traversal in file uploading (CWE-22) - CVE-2025-41396
* Path traversal in backup restore (CWE-22) - CVE-2025-46359
* Improper neutralization of formula elements in a CSV file (CWE-1236) - CVE-2025-54752
* Unrestricted upload of file with dangerous type (CWE-434) - CVE-2025-54757
The following people of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
thanhtt74 (Tran Thi Thanh)
namdi (Do Ich Nam)
quanlna2 (Le Nguyen Anh Quan)
Impacted products
Alfasado Inc. - PowerCMS


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-010408.html",
  "dc:date": "2025-08-01T12:05+09:00",
  "dcterms:issued": "2025-08-01T12:05+09:00",
  "dcterms:modified": "2025-08-01T12:05+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\r\n  * Reflected cross-site scripting (CWE-79) - CVE-2025-36563\r\n  * Stored cross-site scripting (CWE-79) - CVE-2025-41391\r\n  * Path traversal in file uploading (CWE-22) - CVE-2025-41396\r\n  * Path traversal in backup restore (CWE-22) - CVE-2025-46359\r\n  * Improper neutralization of formula elements in a CSV file (CWE-1236) - CVE-2025-54752\r\n  * Unrestricted upload of file with dangerous type (CWE-434) - CVE-2025-54757\r\n\r\nThe following people of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.\r\n\r\nthanhtt74 (Tran Thi Thanh)\r\nnamdi (Do Ich Nam)\r\nquanlna2 (Le Nguyen Anh Quan)",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-010408.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "7.2",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-010408",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU93412964/index.html",
      "@id": "JVNVU#93412964",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-36563",
      "@id": "CVE-2025-36563",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41391",
      "@id": "CVE-2025-41391",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41396",
      "@id": "CVE-2025-41396",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-46359",
      "@id": "CVE-2025-46359",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-54752",
      "@id": "CVE-2025-54752",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-54757",
      "@id": "CVE-2025-54757",
      "@source": "CVE"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/1236.html",
      "@id": "CWE-1236",
      "@title": "Improper Neutralization of Formula Elements in a CSV File(CWE-1236)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/434.html",
      "@id": "CWE-434",
      "@title": "Unrestricted Upload of File with Dangerous Type(CWE-434)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

jvndb-2025-000021
Vulnerability from jvndb
Published
2025-03-26 18:13
Modified
2025-03-26 18:13
Summary
Multiple vulnerabilities in PowerCMS
Details
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.
* Injection (CWE-74) - CVE-2025-29993
* Dependency on vulnerable third-party component (CWE-1395) - CVE-2021-21252
Alfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Impacted products
Alfasado Inc. - PowerCMS


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000021.html",
  "dc:date": "2025-03-26T18:13+09:00",
  "dcterms:issued": "2025-03-26T18:13+09:00",
  "dcterms:modified": "2025-03-26T18:13+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\r\n\u003cli\u003eInjection (CWE-74) - CVE-2025-29993\u003c/li\u003e\r\n\u003cli\u003eDependency on vulnerable third-party component (CWE-1395) - CVE-2021-21252\u003c/li\u003e\r\n\u003c/ul\u003e\r\nAlfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000021.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "5.3",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000021",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN39026557/index.html",
      "@id": "JVN#39026557",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-29993",
      "@id": "CVE-2025-29993",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

cve-2025-46359
Vulnerability from cvelistv5
Published
2025-07-31 07:22
Modified
2025-07-31 15:28
Summary
A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46359",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T15:24:33.388992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T15:28:30.839Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.7 and earlier (PowerCMS 6.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.3 and earlier (PowerCMS 5.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.6 and earlier (PowerCMS 4.x series)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T07:22:46.914Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93412964/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-46359",
    "datePublished": "2025-07-31T07:22:46.914Z",
    "dateReserved": "2025-07-30T05:36:45.484Z",
    "dateUpdated": "2025-07-31T15:28:30.839Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-36563
Vulnerability from cvelistv5
Published
2025-07-31 07:25
Modified
2025-07-31 13:24
Summary
Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed on the browser.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-36563",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T13:24:02.701345Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T13:24:12.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.7 and earlier (PowerCMS 6.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.3 and earlier (PowerCMS 5.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.6 and earlier (PowerCMS 4.x series)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed on the browser."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site scripting (XSS)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T07:25:44.979Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93412964/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-36563",
    "datePublished": "2025-07-31T07:25:44.979Z",
    "dateReserved": "2025-07-30T05:36:42.404Z",
    "dateUpdated": "2025-07-31T13:24:12.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-41391
Vulnerability from cvelistv5
Published
2025-07-31 07:25
Modified
2025-07-31 14:23
Summary
Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41391",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T14:23:21.361216Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T14:23:47.388Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.7 and earlier (PowerCMS 6.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.3 and earlier (PowerCMS 5.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.6 and earlier (PowerCMS 4.x series)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross-site scripting (XSS)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T07:25:10.798Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93412964/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-41391",
    "datePublished": "2025-07-31T07:25:10.798Z",
    "dateReserved": "2025-07-30T05:36:41.529Z",
    "dateUpdated": "2025-07-31T14:23:47.388Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-54757
Vulnerability from cvelistv5
Published
2025-07-31 07:20
Modified
2025-07-31 17:28
Summary
Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54757",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T17:27:47.515677Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T17:28:13.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.7 and earlier (PowerCMS 6.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.3 and earlier (PowerCMS 5.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.6 and earlier (PowerCMS 4.x series)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "Unrestricted upload of file with dangerous type",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T07:20:30.689Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93412964/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-54757",
    "datePublished": "2025-07-31T07:20:30.689Z",
    "dateReserved": "2025-07-30T05:36:43.437Z",
    "dateUpdated": "2025-07-31T17:28:13.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-6020
Vulnerability from cvelistv5
Published
2019-12-26 15:16
Modified
2024-08-04 20:16
Severity ?
Summary
Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
Impacted products
Alfasado Inc. - PowerCMS


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:16:23.965Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.powercms.jp/news/release-powercms-201910.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN34634458/index.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Open Redirect",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-12-26T15:16:50",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.powercms.jp/news/release-powercms-201910.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://jvn.jp/en/jp/JVN34634458/index.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2019-6020",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PowerCMS",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x)"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Alfasado Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Open Redirect"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.powercms.jp/news/release-powercms-201910.html",
              "refsource": "MISC",
              "url": "https://www.powercms.jp/news/release-powercms-201910.html"
            },
            {
              "name": "http://jvn.jp/en/jp/JVN34634458/index.html",
              "refsource": "MISC",
              "url": "http://jvn.jp/en/jp/JVN34634458/index.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2019-6020",
    "datePublished": "2019-12-26T15:16:50",
    "dateReserved": "2019-01-10T00:00:00",
    "dateUpdated": "2024-08-04T20:16:23.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-54752
Vulnerability from cvelistv5
Published
2025-07-31 07:21
Modified
2025-07-31 15:44
Summary
Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file (CWE-1236). If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the victim's own environment, the embedded code may be executed.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54752",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T15:39:04.065052Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T15:44:45.539Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.7 and earlier (PowerCMS 6.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.3 and earlier (PowerCMS 5.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.6 and earlier (PowerCMS 4.x series)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file.  If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user\u0027s environment, the embedded code may be executed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1236",
              "description": "Improper neutralization of formula elements in a CSV file",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T07:21:57.639Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93412964/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-54752",
    "datePublished": "2025-07-31T07:21:57.639Z",
    "dateReserved": "2025-07-30T05:36:44.305Z",
    "dateUpdated": "2025-07-31T15:44:45.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-41396
Vulnerability from cvelistv5
Published
2025-07-31 07:24
Modified
2025-07-31 15:14
Summary
A path traversal issue (CWE-22) exists in the file upload feature of multiple versions of PowerCMS. Arbitrary files may be overwritten by a product user.


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41396",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T15:08:24.252684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T15:14:06.812Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "6.7 and earlier (PowerCMS 6.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "5.3 and earlier (PowerCMS 5.x series)"
            }
          ]
        },
        {
          "product": "PowerCMS",
          "vendor": "Alfasado Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "4.6 and earlier (PowerCMS 4.x series)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal issue exists in file uploading feature of multiple versions of PowerCMS. Arbitrary files may be overwritten by a product user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T07:24:20.561Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.powercms.jp/news/release-powercms-671-531-461.html"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU93412964/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-41396",
    "datePublished": "2025-07-31T07:24:20.561Z",
    "dateReserved": "2025-07-30T05:36:38.599Z",
    "dateUpdated": "2025-07-31T15:14:06.812Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}