4 vulnerabilities found for PowerCMS by Alfasado Inc.

jvndb-2025-010408
Vulnerability from jvndb
Published
2025-08-01 12:05
Modified
2025-08-01 12:05
Summary
Multiple vulnerabilities in PowerCMS
Details
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

* Reflected cross-site scripting (CWE-79) - CVE-2025-36563
* Stored cross-site scripting (CWE-79) - CVE-2025-41391
* Path traversal in file uploading (CWE-22) - CVE-2025-41396
* Path traversal in backup restore (CWE-22) - CVE-2025-46359
* Improper neutralization of formula elements in a CSV file (CWE-1236) - CVE-2025-54752
* Unrestricted upload of file with dangerous type (CWE-434) - CVE-2025-54757

The following people of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.

* thanhtt74 (Tran Thi Thanh)
* namdi (Do Ich Nam)
* quanlna2 (Le Nguyen Anh Quan)


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-010408.html",
  "dc:date": "2025-08-01T12:05+09:00",
  "dcterms:issued": "2025-08-01T12:05+09:00",
  "dcterms:modified": "2025-08-01T12:05+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\r\n  * Reflected cross-site scripting (CWE-79) - CVE-2025-36563\r\n  * Stored cross-site scripting (CWE-79) - CVE-2025-41391\r\n  * Path traversal in file uploading (CWE-22) - CVE-2025-41396\r\n  * Path traversal in backup restore (CWE-22) - CVE-2025-46359\r\n  * Improper neutralization of formula elements in a CSV file (CWE-1236) - CVE-2025-54752\r\n  * Unrestricted upload of file with dangerous type (CWE-434) - CVE-2025-54757\r\n\r\nThe following people of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer.\r\n\r\nthanhtt74 (Tran Thi Thanh)\r\nnamdi (Do Ich Nam)\r\nquanlna2 (Le Nguyen Anh Quan)",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-010408.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "7.2",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-010408",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU93412964/index.html",
      "@id": "JVNVU#93412964",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-36563",
      "@id": "CVE-2025-36563",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41391",
      "@id": "CVE-2025-41391",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41396",
      "@id": "CVE-2025-41396",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-46359",
      "@id": "CVE-2025-46359",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-54752",
      "@id": "CVE-2025-54752",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-54757",
      "@id": "CVE-2025-54757",
      "@source": "CVE"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/1236.html",
      "@id": "CWE-1236",
      "@title": "Improper Neutralization of Formula Elements in a CSV File(CWE-1236)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/434.html",
      "@id": "CWE-434",
      "@title": "Unrestricted Upload of File with Dangerous Type(CWE-434)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

jvndb-2025-000021
Vulnerability from jvndb
Published
2025-03-26 18:13
Modified
2025-03-26 18:13
Summary
Multiple vulnerabilities in PowerCMS
Details
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

* Injection (CWE-74) - CVE-2025-29993
* Dependency on vulnerable third-party component (CWE-1395) - CVE-2021-21252

Alfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000021.html",
  "dc:date": "2025-03-26T18:13+09:00",
  "dcterms:issued": "2025-03-26T18:13+09:00",
  "dcterms:modified": "2025-03-26T18:13+09:00",
  "description": "PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\r\n\u003cli\u003eInjection (CWE-74) - CVE-2025-29993\u003c/li\u003e\r\n\u003cli\u003eDependency on vulnerable third-party component (CWE-1395) - CVE-2021-21252\u003c/li\u003e\r\n\u003c/ul\u003e\r\nAlfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000021.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "5.3",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000021",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN39026557/index.html",
      "@id": "JVN#39026557",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-29993",
      "@id": "CVE-2025-29993",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Multiple vulnerabilities in PowerCMS"
}

jvndb-2022-000069
Vulnerability from jvndb
Published
2022-09-02 15:49
Modified
2024-06-13 11:44
Summary
PowerCMS XMLRPC API vulnerable to command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited. Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "dc:date": "2024-06-13T11:44+09:00",
  "dcterms:issued": "2022-09-02T15:49+09:00",
  "dcterms:modified": "2024-06-13T11:44+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74).\r\nSending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it.\r\nAccording to the developer, it is unable to execute a command with an arbitrary value added to its argument, even if the vulnerability is exploited.\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000069.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2022-000069",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN76024879/index.html",
      "@id": "JVN#76024879",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-33941",
      "@id": "CVE-2022-33941",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to command injection"
}

jvndb-2021-000105
Vulnerability from jvndb
Published
2021-11-24 15:47
Modified
2024-07-26 15:22
Summary
PowerCMS XMLRPC API vulnerable to OS command injection
Details
PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78). Alfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000105.html",
  "dc:date": "2024-07-26T15:22+09:00",
  "dcterms:issued": "2021-11-24T15:47+09:00",
  "dcterms:modified": "2024-07-26T15:22+09:00",
  "description": "PowerCMS XMLRPC API provided by Alfasado Inc. contains an OS command injection vulnerability (CWE-78).\r\n\r\nAlfasado Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000105.html",
  "sec:cpe": {
    "#text": "cpe:/a:alfasado:powercms",
    "@product": "PowerCMS",
    "@vendor": "Alfasado Inc.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "9.8",
      "@severity": "Critical",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000105",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN17645965/index.html",
      "@id": "JVN#17645965",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20850",
      "@id": "CVE-2021-20850",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20850",
      "@id": "CVE-2021-20850",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    }
  ],
  "title": "PowerCMS XMLRPC API vulnerable to OS command injection"
}