JVN#20611740
Multiple stored cross-site scripting vulnerabilities in Pleasanter
Overview
Pleasanter provided by Implem Inc. contains multiple stored cross-site scripting vulnerabilities.
Products Affected
- Pleasanter 1.4.20.0 and earlier versions
Description
Pleasanter provided by Implem Inc. contains multiple stored cross-site scripting vulnerabilities listed below.
- Stored cross-site scripting vulnerability in Preview for Attachments (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-58070
- Stored cross-site scripting vulnerability in Body, Description and Comments (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  - CVE-2025-61931
Impact
An arbitrary script may be executed in a logged-in user's web browser.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released version 1.4.21.0 that contains the fixes for these vulnerabilities.
Vendor Status
| Vendor | Link |
| Implem Inc. | Cross-site scripting vulnerabilities in Pleasanter (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2025-58070
Reporter: Tomoya Shirahashi of X-Force Red, IBM Japan, Ltd.
CVE-2025-61931
Reporter: Kohei Yagyu of Mitsui Bussan Secure Directions, Inc.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2025-58070, CVE-2025-61931 |
| JVN iPedia | JVNDB-2025-000093 |