JVN#23423519
DataSpider Servista improper restriction of XML external entity references
Overview
DataSpider Servista provided by Saison Technology Co.,Ltd. improperly restricts XML external entity references.
Products Affected
- DataSpider Servista 4.4 and earlier
For information on the affected products and the versions, refer to the vendors' advisories from "Vendor Status" of this JVN advisory.
Description
DataSpider Servista provided by Saison Technology Co.,Ltd. is a data integration software.
DataSpider Servista contains the following vulnerability.
- Improper restriction of XML external entity reference (CWE-611)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 8.8
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L Base Score 8.2
- CVE-2025-48006
Impact
If a specially crafted request is processed, arbitrary files on the file system where the server application for the product is installed may be read, or may cause a denial-of-service (DoS) condition.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Saison Technology Co.,Ltd. | Notice of XML External Entity (XXE) Vulnerability in DataSpider Servista (Text in Japanese, PDF) |
| TerraSky Co., Ltd. | Notice of XML External Entity (XXE) Vulnerability in DCSpider (Text in Japanese, PDF) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Shigeaki Tsunoda of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-48006 |
| JVN iPedia |
JVNDB-2025-000081 |
Update History
- 2025/10/07
- [Products Affected] and [Vendor Status] sections are updated