Published: 2025/10/16  Last Updated: 2025/10/16

JVN#13030751
Multiple vulnerabilities in ChatLuck

Overview

ChatLuck provided by NEOJAPAN Inc. contains multiple vulnerabilities.

Products Affected

CVE-2025-53858, CVE-2025-54461

  • ChatLuck V6.6 R2.0 and earlier

CVE-2025-58115

  • ChatLuck V3.6 R1.0 to V6.6 R1.0

Description

ChatLuck provided by NEOJAPAN Inc. contains multiple vulnerabilities listed below.

  • Cross-site scripting vulnerability in Chat Rooms (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-53858
  • Insufficient granularity of access control vulnerability in Invitation of Guest Users (CWE-1220)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
    • CVE-2025-54461
  • Cross-site scripting vulnerability in Guest User Sign-up (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-58115

Impact

  • An arbitrary script may be executed on the web browser of the user who is accessing the product (CVE-2025-53858, CVE-2025-58115)
  • A user who has not been invited may register as a guest user (CVE-2025-54461)

Solution

Update the software

Update the software to the latest version according to the information provided by the developer.
The developer has released the following updates that contain fixes for these vulnerabilities.

CVE-2025-53858, CVE-2025-54461

  • ChatLuck V6.7 R1.0

CVE-2025-58115

  • ChatLuck V6.6 R2.0

For more details, refer to the information provided by the developer.

Vendor Status

Vendor: NEOJAPAN Inc.
Status: Vulnerable
Last Update: 2025/10/16
Vendor Notes: NEOJAPAN Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-53858, CVE-2025-54461, CVE-2025-58115
JVN iPedia: JVNDB-2025-000076