Published:2025/06/03  Last Updated:2025/06/03

JVN#37075430
TimeWorks vulnerable to path traversal

Overview

TimeWorks provided by Keiyo System Co., LTD contains a path traversal vulnerability.

Products Affected

  • TimeWorks versions 10.0 to 10.3

Description

The web server module of TimeWorks provided by Keiyo System Co., LTD contains the following vulnerability.

  • Path traversal (CWE-22)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 5.3
    • CVE-2025-41428

Impact

Arbitrary JSON files on the server may be viewed by a remote unauthenticated attacker.

Solution

Apply the Patch
Apply the patch for the product's web server module according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Masamu Asato of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2025-41428
JVN iPedia JVNDB-2025-000036