JVN#84319378
acmailer vulnerable to cross-site scripting
Overview
acmailer provided by Extra Innovation Inc. contains a cross-site scripting vulnerability.
Products Affected
- acmailer CGI ver.4.0.5 and earlier
Description
acmailer provided by Extra Innovation Inc. contains a cross-site scripting vulnerability (CWE-79).
Impact
An arbitrary script may be executed on the web browser of the user who accessed the management page of the affected product.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Extra Innovation Inc. | Enhanced Cross-Site Scripting (XSS) Protection Release (Text in Japanese) |
| Download for acmailer CGI (Text in Japanese) |
References
JPCERT/CC Addendum
This vulnerability was reported to IPA, and JPCERT/CC started coordination with the developer in 2023.
The developer released the fixed version on 2023.
The coordination between JPCERT/CC and the developer completed and this JVN is published on 2025.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-49780 |
| JVN iPedia |
JVNDB-2025-000010 |