Published: 2025/05/30  Last Updated: 2025/05/30

JVN#51394666
Multiple vulnerabilities in wivia 5

Overview

wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities.

Products Affected

  • wivia 5 all versions

Description

wivia 5 provided by UCHIDA YOKO CO., LTD. contains multiple vulnerabilities listed below.

  • OS Command Injection (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 7.1
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H Base Score 6.7
    • CVE-2025-41385
  • Cross-site Scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-41406
  • Client-Side Enforcement of Server-Side Security (CWE-602)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Base Score 6.5
    • CVE-2025-47697

Impact

  • An arbitrary OS command may be executed by a logged-in administrative user. (CVE-2025-41385)
  • When a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user. (CVE-2025-41406)
  • An unauthenticated attacker may bypass authentication and operate the affected device as the moderator user. (CVE-2025-47697)

Solution

Stop using the affected product
The affected product is no longer supported. The developer recommends migrating to the successor product “wivia R+”.

For more information, refer to the information provided by the developer.

Vendor Status

| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| UCHIDA YOKO CO., LTD. | Vulnerable | 2025/05/30 | UCHIDA YOKO CO., LTD. website |

Credit

Shogo Iyota of GMO Cybersecurity by Ierae reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

  • CVE: CVE-2025-41385, CVE-2025-41406, CVE-2025-47697
  • JVN iPedia: JVNDB-2025-000034