Published: 2025/05/30 Last Updated: 2025/05/30
JVN#51394666
Multiple vulnerabilities in wivia 5
Overview
wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities.
Products Affected
- wivia 5 all versions
Description
wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities listed below.
- OS Command Injection (CWE-78)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 7.1
  - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H Base Score 6.7
  - CVE-2025-41385
- Cross-site Scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  - CVE-2025-41406
- Client-Side Enforcement of Server-Side Security (CWE-602)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 6.9
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score 6.5
  - CVE-2025-47697
Impact
- An arbitrary OS command may be executed by a logged-in administrative user. (CVE-2025-41385)
- When a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user. (CVE-2025-41406)
- An unauthenticated attacker may bypass authentication and operate the affected device as the moderator user. (CVE-2025-47697)
Solution
Stop using the affected product
The affected product is no longer supported. The developer recommends migrating to the successor product “wivia R+”.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
UCHIDA YOKO CO., LTD. | Vulnerable | 2025/05/30 | UCHIDA YOKO CO., LTD. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Shogo Iyota of GMO Cybersecurity by Ierae reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2025-41385, CVE-2025-41406, CVE-2025-47697 |
JVN iPedia | JVNDB-2025-000034 |