Published: 2023/12/26  Last Updated: 2023/12/26

Multiple vulnerabilities in PowerCMS


PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities.

Products Affected

  • PowerCMS 6.31 and earlier (PowerCMS 6 Series)
  • PowerCMS 5.24 and earlier (PowerCMS 5 Series)
  • PowerCMS 4.54 and earlier (PowerCMS 4 Series)

According to the developer, PowerCMS 3 Series and earlier versions, which are now unsupported, are affected by the vulnerabilities as well.


PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

  • Stored cross-site scripting vulnerability in the management screen (CWE-79) - CVE-2023-49117
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
    CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5
  • Open redirect vulnerability in the members' site (CWE-601) - CVE-2023-50297
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6


  • An arbitrary script may be executed on a logged-in user's web browser - CVE-2023-49117
  • When accessing a specially crafted URL, the user may be redirected to an arbitrary website - CVE-2023-50297


Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Alfasado Inc. | Vulnerable | 2023/12/26 | Alfasado Inc. website


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC


Alfasado Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2023-49117
JVN iPedia: JVNDB-2023-000126