Published:2025/03/26 Last Updated:2025/03/26
JVN#39026557
Multiple vulnerabilities in PowerCMS
Overview
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities.
Products Affected
- PowerCMS 6.6 and earlier (PowerCMS 6.x series)
- PowerCMS 5.27 and earlier (PowerCMS 5.x series)
- PowerCMS 4.58 and earlier (PowerCMS 4.x series)
Description
PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.
- Injection (CWE-74)
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score 5.3
- CVE-2025-29993
- The product improperly processes HTTP headers.
- Dependency on vulnerable third-party component (CWE-1395)
- jQuery Validation plugin used in the product is vulnerable to ReDoS vulnerability (CVE-2021-21252)
Impact
- The affected product may be directed to send email to a user, such as password reset mail, with a tampered URL (CVE-2025-29993)
- The vulnerability (CVE-2021-21252) in jQuery Validation plugin used in the product may be exploited to cause a denial-of-service (DoS) condition
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Alfasado Inc. | Vulnerable | 2025/03/26 | Alfasado Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Alfasado Inc. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Alfasado Inc. coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-29993 |
| JVN iPedia |
JVNDB-2025-000021 |