JVN#51394666
Multiple vulnerabilities in wivia 5

Overview

wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities.

Products Affected

• wivia 5 all versions

Description

wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities listed below.

• OS Command Injection (CWE-78)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 7.1
  • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H Base Score 6.7
  • CVE-2025-41385
• Cross-site Scripting (CWE-79)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  • CVE-2025-41406
• Client-Side Enforcement of Server-Side Security (CWE-602)
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 6.9
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score 6.5
  • CVE-2025-47697

Impact

• An arbitrary OS command may be executed by a logged-in administrative user. (CVE-2025-41385)
• When a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user. (CVE-2025-41406)
• An unauthenticated attacker may bypass authentication and operate the affected device as the moderator user. (CVE-2025-47697)

Solution

Stop using the affected product
The affected product is no longer supported. They recommend migrating to the successor product “wivia R+”.

For more information, refer to the information provided by the developer.