JVN#19940619
Multiple vulnerabilities in GroupSession
Overview
GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities.
Products Affected
CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-58576, CVE-2025-61950, CVE-2025-61987, CVE-2025-62192
- GroupSession Free edition versions prior to ver5.3.0
- GroupSession byCloud versions prior to ver5.3.3
- GroupSession ZION versions prior to ver5.3.2
- GroupSession Free edition versions prior to ver5.7.1
- GroupSession byCloud versions prior to ver5.7.1
- GroupSession ZION versions prior to ver5.7.1
Description
GroupSession provided by Japan Total System Co.,Ltd. contains the multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  - CVE-2025-53523
- Stored cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-54407
- Reflected cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-57883
- Cross-site request forgery (CWE-352)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
  - CVE-2025-58576
- Authorization bypass through user-controlled key (CWE-639)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
  - CVE-2025-61950
- Missing origin validation in WebSockets (CWE-1385)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
  - CVE-2025-61987
- SQL injection (CWE-89)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score 5.4
  - CVE-2025-62192
- Initialization of a resource with an insecure default (CWE-1188)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score 4.7
  - CVE-2025-64781
  - This can be exploited only when "External page display restriction" is set to "Do not limit", which is the initial configuration.
- Reflected cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-65120
- Stored cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  - CVE-2025-66284
Impact
- If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user (CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-65120, CVE-2025-66284)
- If a user accesses a malicious page while logged in, unintended operations may be performed (CVE-2025-58576)
- The memo of Circular notice may be altered by an authenticated user (CVE-2025-61950)
- If a user accesses a crafted page, Chat information sent to the user may be exposed (CVE-2025-61987)
- Information stored in the database may be obtained or altered by an authenticated user (CVE-2025-62192)
- When accessing a specially crafted URL, the user may be redirected to an arbitrary website (CVE-2025-64781)
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Japan Total System Co.,Ltd. | Vulnerable | 2025/12/08 | Japan Total System Co.,Ltd. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2025-53523
Reporter: Shogo Iyota of GMO Cybersecurity by Ierae
Gaku Mochizuki and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.
Natsumi Furukawa
CVE-2025-54407
Reporter: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.
CVE-2025-57883
Reporter: Tsuyuki Takumi of Mitsui Bussan Secure Directions, Inc.
Ryo Sato
CVE-2025-58576
Reporter: Tsuyuki Takumi, Kenta Yamamoto, and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
Shogo Iyota of GMO Cybersecurity by Ierae
CVE-2025-61950
Reporter: Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.
CVE-2025-61987
Reporter: Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
CVE-2025-62192
Reporter: Gaku Mochizuki and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.
CVE-2025-64781
Reporter: Ryo Sato
CVE-2025-65120
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
Shiga Takuma of BroadBand Security, Inc.
CVE-2025-66284
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
KOJIRO ENOKIDA
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-58576, CVE-2025-61950, CVE-2025-61987, CVE-2025-62192, CVE-2025-64781, CVE-2025-65120, CVE-2025-66284 |
| JVN iPedia | JVNDB-2025-000113 |