9 vulnerabilities found for Pleasanter by Implem Inc.
CVE-2025-61931 (GCVE-0-2025-61931)
Vulnerability from nvd
Published
2025-10-24 05:17
Modified
2025-10-24 12:31
Severity
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
- CWE-79 - Cross-site scripting (XSS)
Summary
Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Implem Inc. | Pleasanter | 1.4.20.0 and earlier versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:10:58.352740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:31:22.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pleasanter",
"vendor": "Implem Inc.",
"versions": [
{
"status": "affected",
"version": "1.4.20.0 and earlier versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T05:17:30.940Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://pleasanter.org/archives/vulnerability-update-20251024"
},
{
"url": "https://jvn.jp/en/jp/JVN20611740/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-61931",
"datePublished": "2025-10-24T05:17:30.940Z",
"dateReserved": "2025-10-20T00:08:20.153Z",
"dateUpdated": "2025-10-24T12:31:22.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58070 (GCVE-0-2025-58070)
Vulnerability from nvd
Published
2025-10-24 05:17
Modified
2025-10-24 12:31
Severity
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
- CWE-79 - Cross-site scripting (XSS)
Summary
Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Implem Inc. | Pleasanter | 1.4.20.0 and earlier versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:10:59.789763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:31:28.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pleasanter",
"vendor": "Implem Inc.",
"versions": [
{
"status": "affected",
"version": "1.4.20.0 and earlier versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T05:17:23.369Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://pleasanter.org/archives/vulnerability-update-20251024"
},
{
"url": "https://jvn.jp/en/jp/JVN20611740/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-58070",
"datePublished": "2025-10-24T05:17:23.369Z",
"dateReserved": "2025-10-20T00:08:22.870Z",
"dateUpdated": "2025-10-24T12:31:28.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
jvndb-2025-000093
Vulnerability from jvndb
Published
2025-10-24 15:11
Modified
2025-10-24 15:11
Severity ?
Summary
Multiple stored cross-site scripting vulnerabilities in Pleasanter
Details
Pleasanter provided by Implem Inc. contains multiple stored cross-site scripting vulnerabilities listed below.
- Stored cross-site scripting vulnerability in Preview for Attachments (CWE-79) - CVE-2025-58070
- Stored cross-site scripting vulnerability in Body, Description and Comments (CWE-79) - CVE-2025-61931
The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2025-58070
Reporter: Tomoya Shirahashi of X-Force Red, IBM Japan, Ltd.
CVE-2025-61931
Reporter: Kohei Yagyu of Mitsui Bussan Secure Directions, Inc.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000093.html",
"dc:date": "2025-10-24T15:11+09:00",
"dcterms:issued": "2025-10-24T15:11+09:00",
"dcterms:modified": "2025-10-24T15:11+09:00",
"description": "Pleasanter provided by Implem Inc. contains multiple stored cross-site scripting vulnerabilities listed below.\r\n\u003cul\u003e\r\n\u003cli\u003eStored cross-site scripting vulnerability in Preview for Attachments (CWE-79) - CVE-2025-58070\u003c/li\u003e\r\n\u003cli\u003eStored cross-site scripting vulnerability in Body, Description and Comments (CWE-79) - CVE-2025-61931\u003c/li\u003e\r\n\u003c/ul\u003e\r\nThe following people reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2025-58070\r\nReporter: Tomoya Shirahashi of X-Force Red, IBM Japan, Ltd.\r\n\r\nCVE-2025-61931\r\nReporter: Kohei Yagyu of Mitsui Bussan Secure Directions, Inc.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000093.html",
"sec:cpe": {
"#text": "cpe:/a:pleasanter:pleasanter",
"@product": "Pleasanter",
"@vendor": "Implem Inc.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000093",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN20611740/index.html",
"@id": "JVN#20611740",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-58070",
"@id": "CVE-2025-58070",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2025-61931",
"@id": "CVE-2025-61931",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple stored cross-site scripting vulnerabilities in Pleasanter"
}
jvndb-2024-000003
Vulnerability from jvndb
Published
2024-01-15 15:59
Modified
2024-01-15 15:59
Severity ?
Summary
Pleasanter vulnerable to cross-site scripting
Details
Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability (CWE-79).
Masamitsu Kushi of Operation Group, Communication Technology Department, Digital Innovation HQ at Mitsubishi Heavy Industries, Ltd. reported this vulnerability to Implem Inc. and coordinated. After the coordination was completed, Implem Inc. reported the case to IPA under the Information Security Early Warning Partnership to notify users of the solution through JVN.
References
| Type | URL |
|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000003.html",
"dc:date": "2024-01-15T15:59+09:00",
"dcterms:issued": "2024-01-15T15:59+09:00",
"dcterms:modified": "2024-01-15T15:59+09:00",
"description": "Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nMasamitsu Kushi of Operation Group, Communication Technology Department, Digital Innovation HQ at Mitsubishi Heavy Industries, Ltd. reported this vulnerability to Implem Inc. and coordinated. After the coordination was completed, Implem Inc. reported the case to IPA under the Information Security Early Warning Partnership to notify users of the solution through JVN.",
"link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000003.html",
"sec:cpe": {
"#text": "cpe:/a:pleasanter:pleasanter",
"@product": "Pleasanter",
"@vendor": "Implem Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2024-000003",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN51135247/index.html",
"@id": "JVN#51135247",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2024-21584",
"@id": "CVE-2024-21584",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Pleasanter vulnerable to cross-site scripting"
}
jvndb-2023-000112
Vulnerability from jvndb
Published
2023-11-13 15:57
Modified
2024-04-22 17:56
Severity ?
Summary
Multiple vulnerabilities in Pleasanter
Details
Pleasanter provided by Implem Inc. contains multiple vulnerabilities listed below.
- Stored cross-site scripting vulnerability (CWE-79) - CVE-2023-34439
- Improper access control vulnerability (CWE-284) - CVE-2023-45210
- Open redirect vulnerability (CWE-601) - CVE-2023-46688
- Authentication bypass vulnerability by SAML (CWE-289) - CVE-2023-41890
CVE-2023-41890
This issue is caused by a vulnerability in Sustainsys.Saml2 library used in the product.
CVE-2023-34439, CVE-2023-45210
Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-46688
Yoichi Tsuzuki of FFRI Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Implem Inc. reported to IPA that the CVE-2023-41890 vulnerability still exists in the product. JPCERT/CC coordinated with the developer.
References
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000112.html",
"dc:date": "2024-04-22T17:56+09:00",
"dcterms:issued": "2023-11-13T15:57+09:00",
"dcterms:modified": "2024-04-22T17:56+09:00",
"description": "Pleasanter provided by Implem Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\u003cli\u003eStored cross-site scripting vulnerability (CWE-79) - CVE-2023-34439\u003c/li\u003e\u003cli\u003eImproper access control vulnerability (CWE-284) - CVE-2023-45210\u003c/li\u003e\u003cli\u003eOpen redirect vulnerability (CWE-601) - CVE-2023-46688\u003c/li\u003e\u003cli\u003eAuthentication bypass vulnerability by SAML (CWE-289) - CVE-2023-41890\u003c/li\u003e\u003c/ul\u003e\r\nCVE-2023-41890\r\nThis issue is caused by a vulnerability in Sustainsys.Saml2 library used in the product.\r\n\r\nCVE-2023-34439,CVE-2023-45210\r\nSato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2023-46688\r\nYoichi Tsuzuki of FFRI Security, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nImplem Inc. reported to IPA that CVE-2023-41890 vulnerability still exists in the product. JPCERT/CC coordinated with the developer.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000112.html",
"sec:cpe": {
"#text": "cpe:/a:pleasanter:pleasanter",
"@product": "Pleasanter",
"@vendor": "Implem Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.9",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000112",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN96209256/index.html",
"@id": "JVN#96209256",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-34439",
"@id": "CVE-2023-34439",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-45210",
"@id": "CVE-2023-45210",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-46688",
"@id": "CVE-2023-46688",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-41890",
"@id": "CVE-2023-41890",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-34439",
"@id": "CVE-2023-34439",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-41890",
"@id": "CVE-2023-41890",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-45210",
"@id": "CVE-2023-45210",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-46688",
"@id": "CVE-2023-46688",
"@source": "NVD"
},
{
"#text": "https://github.com/Sustainsys/Saml2/security/advisories/GHSA-fv2h-753j-9g39",
"@id": "Insufficient Identity Provider Issuer Validation",
"@source": "Related Information"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-264",
"@title": "Permissions(CWE-264)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in Pleasanter"
}
jvndb-2023-000060
Vulnerability from jvndb
Published
2023-06-22 15:49
Modified
2024-05-07 14:10
Severity ?
Summary
Multiple vulnerabilities in Pleasanter
Details
Pleasanter provided by Implem Inc. contains multiple vulnerabilities listed below.
* Stored cross-site scripting vulnerability (CWE-79) - CVE-2023-32607
* Directory traversal vulnerability (CWE-22) - CVE-2023-32608
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to Implem Inc. and Implem Inc. reported them to IPA.
JPCERT/CC and Implem Inc. coordinated under the Information Security Early Warning Partnership.
References
| Type | URL |
|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000060.html",
"dc:date": "2024-05-07T14:10+09:00",
"dcterms:issued": "2023-06-22T15:49+09:00",
"dcterms:modified": "2024-05-07T14:10+09:00",
"description": "Pleasanter provided by Implem Inc. contains multiple vulnerabilities listed below.\r\n\r\n * Stored cross-site scripting vulnerability (CWE-79) - CVE-2023-32607\r\n\r\n * Directory traversal vulnerability (CWE-22) - CVE-2023-32608\r\n\r\nKentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to Implem Inc. and Implem Inc. reported them to IPA.\r\nJPCERT/CC and Implem Inc. coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000060.html",
"sec:cpe": {
"#text": "cpe:/a:pleasanter:pleasanter",
"@product": "Pleasanter",
"@vendor": "Implem Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "4.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000060",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN97818024/",
"@id": "JVN#97818024",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32607",
"@id": "CVE-2023-32607",
"@source": "CVE"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32608",
"@id": "CVE-2023-32608",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-32607",
"@id": "CVE-2023-32607",
"@source": "NVD"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-32608",
"@id": "CVE-2023-32608",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-22",
"@title": "Path Traversal(CWE-22)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Multiple vulnerabilities in Pleasanter"
}
jvndb-2023-000058
Vulnerability from jvndb
Published
2023-05-31 15:34
Modified
2024-03-19 18:17
Severity ?
Summary
Pleasanter vulnerable to cross-site scripting
Details
Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability (CWE-79).
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Implem Inc. and Implem Inc. reported it to IPA.
JPCERT/CC and Implem Inc. coordinated under the Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000058.html",
"dc:date": "2024-03-19T18:17+09:00",
"dcterms:issued": "2023-05-31T15:34+09:00",
"dcterms:modified": "2024-03-19T18:17+09:00",
"description": "Pleasanter provided by Implem Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nKentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Implem Inc. and Implem Inc. reported it to IPA.\r\nJPCERT/CC and Implem Inc. coordinated under the Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000058.html",
"sec:cpe": {
"#text": "cpe:/a:pleasanter:pleasanter",
"@product": "Pleasanter",
"@vendor": "Implem Inc.",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "3.5",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "5.4",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2023-000058",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN62111727/index.html",
"@id": "JVN#62111727",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-30758",
"@id": "CVE-2023-30758",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-30758",
"@id": "CVE-2023-30758",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Pleasanter vulnerable to cross-site scripting"
}
CVE-2025-61931 (GCVE-0-2025-61931)
Vulnerability from cvelistv5
Published
2025-10-24 05:17
Modified
2025-10-24 12:31
Severity
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
- CWE-79 - Cross-site scripting (XSS)
Summary
Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Implem Inc. | Pleasanter | 1.4.20.0 and earlier versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:10:58.352740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:31:22.740Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pleasanter",
"vendor": "Implem Inc.",
"versions": [
{
"status": "affected",
"version": "1.4.20.0 and earlier versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T05:17:30.940Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://pleasanter.org/archives/vulnerability-update-20251024"
},
{
"url": "https://jvn.jp/en/jp/JVN20611740/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-61931",
"datePublished": "2025-10-24T05:17:30.940Z",
"dateReserved": "2025-10-20T00:08:20.153Z",
"dateUpdated": "2025-10-24T12:31:22.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58070 (GCVE-0-2025-58070)
Vulnerability from cvelistv5
Published
2025-10-24 05:17
Modified
2025-10-24 12:31
Severity
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE
- CWE-79 - Cross-site scripting (XSS)
Summary
Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Implem Inc. | Pleasanter | 1.4.20.0 and earlier versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T12:10:59.789763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:31:28.420Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pleasanter",
"vendor": "Implem Inc.",
"versions": [
{
"status": "affected",
"version": "1.4.20.0 and earlier versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pleasanter contains a stored cross-site scripting vulnerability in Preview for Attachments, which allows an attacker to execute an arbitrary script in a logged-in user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T05:17:23.369Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://pleasanter.org/archives/vulnerability-update-20251024"
},
{
"url": "https://jvn.jp/en/jp/JVN20611740/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-58070",
"datePublished": "2025-10-24T05:17:23.369Z",
"dateReserved": "2025-10-20T00:08:22.870Z",
"dateUpdated": "2025-10-24T12:31:28.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}