cvelistv5 - cve-2025-8153

cve-2025-8153

Vulnerability from cvelistv5

Published

2025-09-17 02:10

Modified

2025-09-17 13:45

Severity ?

5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Summary

Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21 allows a attacker to inject an arbitrary scripts may be executed on the user's browser.

References

▼	URL	Tags
	psirt-info@cyber.jp.nec.com	https://jpn.nec.com/security-info/secinfo/nv25-005_en.html

Impacted products

▼	Vendor	Product
	NEC Corporation	UNIVERGE IX
	NEC Corporation	UNIVERGE IX
	NEC Corporation	UNIVERGE IX
	NEC Corporation	UNIVERGE IX
	NEC Corporation	UNIVERGE IX-R/IX-V

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8153",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-17T13:44:45.472287Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-17T13:45:14.075Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "UNIVERGE IX",
          "vendor": "NEC Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "from Ver.9.5 to Ver.10.7"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "UNIVERGE IX",
          "vendor": "NEC Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "from Ver.10.8.21 to Ver.10.8.36"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "UNIVERGE IX",
          "vendor": "NEC Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "from Ver.10.9.11 to Ver.10.9.24"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "UNIVERGE IX",
          "vendor": "NEC Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "UNIVERGE IX-R/IX-V",
          "vendor": "NEC Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "Ver1.3.16, Ver1.3.21"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "RyotaK of GMO Flatt Security Inc."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21 allows a attacker to inject an arbitrary scripts may be executed on the user\u0027s browser."
            }
          ],
          "value": "Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21 allows a attacker to inject an arbitrary scripts may be executed on the user\u0027s browser."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-17T02:10:50.272Z",
        "orgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
        "shortName": "NEC"
      },
      "references": [
        {
          "url": "https://jpn.nec.com/security-info/secinfo/nv25-005_en.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f2760a35-e0d8-4637-ac4c-cc1a2de3e282",
    "assignerShortName": "NEC",
    "cveId": "CVE-2025-8153",
    "datePublished": "2025-09-17T02:10:09.645Z",
    "dateReserved": "2025-07-25T01:38:55.766Z",
    "dateUpdated": "2025-09-17T13:45:14.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-8153\",\"sourceIdentifier\":\"psirt-info@cyber.jp.nec.com\",\"published\":\"2025-09-17T02:15:33.310\",\"lastModified\":\"2025-09-17T14:18:55.093\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21 allows a attacker to inject an arbitrary scripts may be executed on the user\u0027s browser.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt-info@cyber.jp.nec.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"psirt-info@cyber.jp.nec.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://jpn.nec.com/security-info/secinfo/nv25-005_en.html\",\"source\":\"psirt-info@cyber.jp.nec.com\"}]}}"
  }
}

cve-2025-8153

Vulnerability from jvndb

Published

2025-09-18 17:43

Modified

2025-09-18 17:43

Severity ?

6.1 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting

Details

UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contains the following vulnerability. <ul><li>Cross-site scripting (CWE-79) - CVE-2025-8153</li></ul> RyotaK of GMO Flatt Security Inc. reported this vulnerability to NEC Corporation and coordinated. After the coordination was completed, NEC Corporation reported the case to IPA to notify users of the solution through JVN.

References

▼	Type	URL
	JVN	https://jvn.jp/en/jp/JVN95938761/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2025-8153
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

▼	Vendor	Product
	NEC Corporation	UNIVERGE

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000079.html",
  "dc:date": "2025-09-18T17:43+09:00",
  "dcterms:issued": "2025-09-18T17:43+09:00",
  "dcterms:modified": "2025-09-18T17:43+09:00",
  "description": "UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contains the following vulnerability.\r\n\u003cul\u003e\u003cli\u003eCross-site scripting (CWE-79) - CVE-2025-8153\u003c/li\u003e\u003c/ul\u003e\r\nRyotaK of GMO Flatt Security Inc. reported this vulnerability to NEC Corporation and coordinated.\r\nAfter the coordination was completed, NEC Corporation reported the case to IPA to notify users of the solution through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000079.html",
  "sec:cpe": {
    "#text": "cpe:/o:nec:univerge",
    "@product": "UNIVERGE",
    "@vendor": "NEC Corporation",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "6.1",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000079",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN95938761/index.html",
      "@id": "JVN#95938761",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-8153",
      "@id": "CVE-2025-8153",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting"
}

ghsa-4f4p-9vfr-w7m4

Vulnerability from github

Published

2025-09-17 03:30

Modified

2025-09-17 03:30

Severity ?

5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-8153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T02:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21 allows a attacker to inject an arbitrary scripts may be executed on the user\u0027s browser.",
  "id": "GHSA-4f4p-9vfr-w7m4",
  "modified": "2025-09-17T03:30:23Z",
  "published": "2025-09-17T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8153"
    },
    {
      "type": "WEB",
      "url": "https://jpn.nec.com/security-info/secinfo/nv25-005_en.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Action not permitted

cve-2025-8153

Vulnerability from cvelistv5

cve-2025-8153

Vulnerability from jvndb

ghsa-4f4p-9vfr-w7m4

Vulnerability from github

Tags