Published: 2025/03/26  Last Updated: 2025/03/26

JVN#39026557
Multiple vulnerabilities in PowerCMS

Overview

PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities.

Products Affected

  • PowerCMS 6.6 and earlier (PowerCMS 6.x series)
  • PowerCMS 5.27 and earlier (PowerCMS 5.x series)
  • PowerCMS 4.58 and earlier (PowerCMS 4.x series)

Description

PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

  • Injection (CWE-74)
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 5.3
    • CVE-2025-29993
    • The product improperly processes HTTP headers.
  • Dependency on vulnerable third-party component (CWE-1395)
    • The jQuery Validation plugin bundled with the product contains a ReDoS vulnerability (CVE-2021-21252)

Impact

  • The affected product may be induced to send an email to a user, such as a password reset mail, containing a tampered URL (CVE-2025-29993)
  • The vulnerability (CVE-2021-21252) in the jQuery Validation plugin used in the product may be exploited to cause a denial-of-service (DoS) condition
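The header-derived URL problem described above, as an added illustration that is not PowerCMS code and says nothing about its internals: it assumes the common pattern in which an application builds the password-reset link from the request's Host or X-Forwarded-Host header, and shows the hardened alternative that takes the link's origin from configuration and rejects unexpected Host values. All host names and the token are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration: the canonical site origin, set once by the operator,
# and the Host values the application is willing to serve.
CONFIGURED_BASE_URL = "https://cms.example.test"
ALLOWED_HOSTS = {"cms.example.test"}


def reset_url_from_headers(headers: dict, token: str) -> str:
    """Weak pattern (assumed, for contrast): the link's origin is copied from
    request headers, so whoever controls those headers controls the link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/reset?token={token}"


def reset_url_from_config(headers: dict, token: str) -> str:
    """Hardened pattern: the origin comes only from configuration, and a request
    whose Host header is not one of the expected values is refused outright."""
    host = headers.get("Host", "").split(":", 1)[0].lower()  # drop any port
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    scheme, netloc, _path, _query, _fragment = urlsplit(CONFIGURED_BASE_URL)
    return urlunsplit((scheme, netloc, "/reset", f"token={token}", ""))


def config_builder_rejects(headers: dict) -> bool:
    """True if the hardened builder refuses this request (used for checks)."""
    try:
        reset_url_from_config(headers, "placeholder-token")
    except ValueError:
        return True
    return False


def link_points_to_site(url: str) -> bool:
    """Outbound-mail check: does a reset link's host match the configured site?
    Useful as a last line of defence in a mail-sending hook or a unit test."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request: a correct Host, but a forwarded-host header that a
    # proxy did not set. The weak builder follows it; the hardened one does not.
    request = {"Host": "cms.example.test", "X-Forwarded-Host": "untrusted.example.test"}
    print("weak:    ", reset_url_from_headers(request, "t0k3n"))
    print("hardened:", reset_url_from_config(request, "t0k3n"))
```

Honour X-Forwarded-* headers only when they were set by a proxy you control; the hardened builder above never needs them because the link origin is fixed in configuration.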

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor          Status       Last Update   Vendor Notes
Alfasado Inc.   Vulnerable   2025/03/26    Alfasado Inc. website

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Alfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE          CVE-2025-29993
JVN iPedia   JVNDB-2025-000021