Information from JIP InfoBridge Co., Ltd.
Vulnerability ID: JVN#80527854
Title: Multiple vulnerabilities in FileMegane
Status: Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
(1) JVN#80527854
- Overview
A server-side request forgery (SSRF) vulnerability has been identified in FileMegane versions 3.0.0.0 and later. If exploited, this vulnerability could allow an attacker to send arbitrary requests to the backend Web API.
- Affected Systems
Product Name: FileMegane
Affected Versions: All versions from 3.0.0.0 onwards
- Detailed Information
Due to the SSRF vulnerability in the search keyword suggestion feature, arbitrary requests to the backend Web API are possible.
- Potential Impact
Executing arbitrary backend Web API requests could potentially lead to actions such as restarting the service.
- Solution
Update FileMegane to the latest version. For information on obtaining the latest version, please contact the support desk specified at the time of product purchase.
- Acknowledgments
This vulnerability information was reported to JPCERT/CC by Asato Masamu of GMO Cybersecurity by Ierae, Inc.
(2) JVN#65386391
- Overview
A vulnerability in the authentication process has been identified in FileMegane versions 1.0.0.0 and later. If exploited, this vulnerability could allow an attacker to impersonate a user and access file contents that should not be accessible.
- Affected Systems
Product Name: FileMegane
Affected Versions: All versions from 1.0.0.0 onwards
- Detailed Information
In the Windows authentication process on the search screen, the login process that follows Windows authentication is completed with just a request, which allows an attacker to set arbitrary user information and impersonate a user.
- Potential Impact
User impersonation could allow access to file contents that should not be accessible.
- Solution
Update FileMegane to the latest version. For information on obtaining the latest version, please contact the support desk specified at the time of product purchase.
- Acknowledgments
This vulnerability information was reported to JPCERT/CC by Asato Masamu of GMO Cybersecurity by Ierae, Inc.