Published:2025/06/03 Last Updated:2025/06/03
JVN#37075430
TimeWorks vulnerable to path traversal
Overview
TimeWorks provided by Keiyo System Co., LTD contains a path traversal vulnerability.
Products Affected
- TimeWorks versions 10.0 to 10.3
Description
The web server module of TimeWorks provided by Keiyo System Co., LTD contains the following vulnerability.
- Path traversal (CWE-22)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
- CVE-2025-41428
Impact
Arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.
Solution
Apply the Patch
Apply the patch for the product's web server module according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Keiyo System Co., LTD | Report on Vulnerability Response in TimeWorks (Text in Japanse) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Masamu Asato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-41428 |
| JVN iPedia |
JVNDB-2025-000036 |