JVN#66982699
a-blog cms vulnerable to untrusted data deserialization
Critical
Overview
a-blog cms provided by appleple inc. contains an untrusted data deserialization vulnerability.
Products Affected
- a-blog cms versions prior to Ver.3.1.37 (Ver.3.1.x series)
- a-blog cms versions prior to Ver.3.0.41 (Ver.3.0.x series)
- a-blog cms versions prior to Ver.2.11.70 (Ver.2.11.x series)
- a-blog cms versions prior to Ver.2.10.58 (Ver.2.10.x series)
- a-blog cms versions prior to Ver.2.9.46 (Ver.2.9.x series)
- a-blog cms versions prior to Ver.2.8.80 (Ver.2.8.x series)
Description
a-blog cms provided by appleple inc. contains an untrusted data deserialization vulnerability (CWE-502).
The developer states that attacks exploiting this vulnerability have been observed against the a-blog cms Ver.2.8.x series and later.
Impact
Processing a specially crafted request may cause arbitrary files to be stored on the server where the product is running.
This can be leveraged to execute an arbitrary script on the server.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Apply the workaround
Until the software is updated, the developer recommends applying the workaround to mitigate the impact of this vulnerability.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
appleple inc. | Vulnerable | 2025/03/28 | appleple inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
appleple inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and appleple inc. coordinated under the Information Security Early Warning Partnership.
Other Information
Source | Reference |
---|---|
JPCERT Alert | JPCERT-AT-2025-0007 Alert Regarding Attacks Exploiting Untrusted Data Deserialization Vulnerability in a-blog cms (Text in Japanese) |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2025-31103 |
JVN iPedia | JVNDB-2025-000024 |
Update History
- 2025/03/28
- Information under the section [Other Information] was updated