Published: 2025/12/08  Last Updated: 2025/12/10

JVN#19940619
Multiple vulnerabilities in GroupSession

Overview

GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities.

Products Affected

CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-58576, CVE-2025-61950, CVE-2025-61987, CVE-2025-62192

  • GroupSession Free edition versions prior to ver5.3.0
  • GroupSession byCloud versions prior to ver5.3.3
  • GroupSession ZION versions prior to ver5.3.2

CVE-2025-64781, CVE-2025-65120, CVE-2025-66284

  • GroupSession Free edition versions prior to ver5.7.1
  • GroupSession byCloud versions prior to ver5.7.1
  • GroupSession ZION versions prior to ver5.7.1

Description

GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below.

  • Stored cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-53523
  • Stored cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-54407
  • Reflected cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-57883
  • Cross-site request forgery (CWE-352)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2025-58576
  • Authorization bypass through user-controlled key (CWE-639)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2025-61950
  • Missing origin validation in WebSockets (CWE-1385)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
    • CVE-2025-61987
  • SQL injection (CWE-89)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-62192
  • Initialization of a resource with an insecure default (CWE-1188)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score 4.7
    • CVE-2025-64781
    • This can be exploited only when the "External page display restriction" setting is "Do not limit", which is the initial (default) configuration
  • Reflected cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-65120
  • Stored cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-66284
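The CWE-1188 item above is an open redirect that is reachable only because the shipped default of the "External page display restriction" setting is the permissive one. The following is an added illustration, not GroupSession's code: the setting names, the configuration key and the function names are hypothetical. It shows the weak mode beside a hardened mode that only allows same-origin paths or an explicit host allowlist, and it loads the hardened mode when the setting is absent, which is the point of CWE-1188. The raw-string checks exist because browsers treat "//", "/\\" and "///" prefixes as authority-bearing and strip tabs and newlines before parsing, so a check that only looks at urlsplit() output can be bypassed.

```python
from urllib.parse import urlsplit

# Hypothetical names for the two modes of the setting; not GroupSession identifiers.
DO_NOT_LIMIT = "do_not_limit"        # the weak mode the advisory says ships by default
LIMIT_TO_ALLOWLIST = "allowlist"     # the hardened mode


def load_restriction_mode(config):
    """Secure default: an absent key means the restrictive mode, not the permissive one."""
    return config.get("external_page_restriction", LIMIT_TO_ALLOWLIST)


def is_local_path(target):
    """True only for an absolute path on the current origin, e.g. '/schedule/view?id=3'."""
    if not target:
        return False
    # Browsers drop ASCII tab/newline before parsing, so '/\t/host' becomes '//host'.
    if any(ord(c) < 0x21 or c == "\x7f" for c in target):
        return False
    # Reject '//host', '/\host' and '///host': all of them navigate off-origin in browsers,
    # even though urlsplit('///host') reports an empty netloc.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_allowlisted_external(target, allowed_hosts):
    """True only for an https URL whose host exactly matches an allowlisted host."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # Exact host comparison: 'partner.example.attacker.example' must not match 'partner.example'.
    return parts.hostname.lower() in {h.lower() for h in allowed_hosts}


def resolve_redirect(target, mode, allowed_hosts=(), fallback="/"):
    """Return the URL the application should redirect to, or the fallback if disallowed."""
    if is_local_path(target):
        return target
    if mode == DO_NOT_LIMIT:
        return target                      # any absolute URL is followed: open redirect
    if mode == LIMIT_TO_ALLOWLIST and is_allowlisted_external(target, allowed_hosts):
        return target
    return fallback


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    phish = "https://attacker.example/login"
    print(resolve_redirect(phish, DO_NOT_LIMIT))                     # followed
    print(resolve_redirect(phish, LIMIT_TO_ALLOWLIST, ("partner.example",)))  # "/"
    print(resolve_redirect("//attacker.example", LIMIT_TO_ALLOWLIST))         # "/"
```

In the hardened mode the fallback is a fixed in-application page, so a crafted URL can at worst send the user to the application's own landing page. The mode is read with the restrictive value as the default so that an upgraded or freshly installed instance is not exposed until an administrator deliberately opens it up.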

Impact

  • If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user (CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-65120, CVE-2025-66284)
  • If a user accesses a malicious page while logged in, unintended operations may be performed (CVE-2025-58576)
  • The memo of a Circular notice may be altered by an authenticated user (CVE-2025-61950)
  • If a user accesses a crafted page, Chat information sent to the user may be exposed (CVE-2025-61987)
  • Information stored in the database may be obtained or altered by an authenticated user (CVE-2025-62192)
  • When accessing a specially crafted URL, the user may be redirected to an arbitrary website (CVE-2025-64781)
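The CWE-1385 impact above (chat data exposed when a logged-in user visits a crafted page) is the cross-site WebSocket hijacking pattern: the victim's browser opens a WebSocket to the application from the attacker's page, attaches the victim's session cookie, and the server never checks where the handshake came from. The following is an added example, not GroupSession's code; the header values, cookie name and function names are constructed for illustration. It places the vulnerable handshake check beside a substring "fix" that is still bypassable and a hardened check that compares a normalized Origin against an exact allowlist.

```python
from urllib.parse import urlsplit

# Constructed sample WebSocket upgrade headers (not captured from GroupSession).
SAME_SITE = {
    "Host": "groupware.example.jp",
    "Origin": "https://groupware.example.jp",
    "Cookie": "JSESSIONID=abc123",
    "Upgrade": "websocket",
}
# A victim on an attacker page runs new WebSocket("wss://groupware.example.jp/chat"):
# the browser still sends the victim's cookie, but Origin is the attacker's page.
CROSS_SITE = dict(SAME_SITE, Origin="https://attacker.example")
LOOKALIKE = dict(SAME_SITE, Origin="https://groupware.example.jp.attacker.example")
SANDBOXED = dict(SAME_SITE, Origin="null")           # sandboxed iframe / opaque origin
EXPLICIT_PORT = dict(SAME_SITE, Origin="https://groupware.example.jp:443")

ALLOWED_ORIGINS = {"https://groupware.example.jp"}


def has_session(headers):
    """Shared precondition: it is a WebSocket upgrade carrying a session cookie."""
    return (headers.get("Upgrade", "").lower() == "websocket"
            and "JSESSIONID=" in headers.get("Cookie", ""))


def accept_vulnerable(headers):
    """CWE-1385 pattern: trusts the cookie and never looks at Origin."""
    return has_session(headers)


def accept_substring(headers):
    """Common but wrong fix: substring match is satisfied by a look-alike host."""
    return has_session(headers) and "groupware.example.jp" in headers.get("Origin", "")


def normalize_origin(origin):
    """Reduce an Origin value to (scheme, lowercase host, port) or None if malformed."""
    try:
        p = urlsplit(origin)
        port = p.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None              # also rejects the literal "null" origin
    return (p.scheme, p.hostname.lower(), port or (443 if p.scheme == "https" else 80))


def accept_hardened(headers, allowed=ALLOWED_ORIGINS):
    """Accept only if Origin is present, well-formed and exactly in the allowlist."""
    if not has_session(headers):
        return False
    origin = headers.get("Origin")
    if origin is None:
        return False             # browsers always send Origin on WebSocket handshakes
    norm = normalize_origin(origin)
    return norm is not None and norm in {normalize_origin(a) for a in allowed}


if __name__ == "__main__":
    for name, hdrs in [("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                       ("look-alike", LOOKALIKE), ("null origin", SANDBOXED)]:
        print(f"{name:11} vulnerable={accept_vulnerable(hdrs)} "
              f"substring={accept_substring(hdrs)} hardened={accept_hardened(hdrs)}")
```

Header names are case-insensitive in HTTP; a real server would read them through its framework's header accessor rather than a plain dict. The Origin check protects against browser-initiated cross-site connections only; a non-browser client can set any Origin, so authorization of what the socket may read must still come from the session and, preferably, a per-session token presented in the handshake.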

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor                         Status      Last Update  Vendor Notes
Japan Total System Co.,Ltd.    Vulnerable  2025/12/08   Japan Total System Co.,Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVE-2025-53523
Reporter: Shogo Iyota of GMO Cybersecurity by Ierae
    Gaku Mochizuki, Tsutomu Aramaki, and Taiga Shirakura of Mitsui Bussan Secure Directions, Inc.
    Natsumi Furukawa

CVE-2025-54407
Reporter: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.

CVE-2025-57883
Reporter: Tsuyuki Takumi of Mitsui Bussan Secure Directions, Inc.
    Ryo Sato

CVE-2025-58576
Reporter: Tsuyuki Takumi, Kenta Yamamoto, and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
    Shogo Iyota of GMO Cybersecurity by Ierae

CVE-2025-61950
Reporter: Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.

CVE-2025-61987
Reporter: Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.

CVE-2025-62192
Reporter: Gaku Mochizuki and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.

CVE-2025-64781
Reporter: Ryo Sato

CVE-2025-65120
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
    Shiga Takuma of BroadBand Security, Inc.

CVE-2025-66284
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
    KOJIRO ENOKIDA

Other Information

Update History

2025/12/10
Information in the [Credit] section was updated