Published: 2025/07/02 Last Updated: 2025/07/02
JVN#89505333
Multiple vulnerabilities in Active! mail
Overview
Active! mail provided by QUALITIA CO., LTD. contains multiple vulnerabilities.
Products Affected
CVE-2025-52462
- Active! mail 6 BuildInfo: 6.30.01004145 to 6.60.06008562
- Active! mail 6 BuildInfo: 6.60.06008562 and earlier
Description
Active! mail provided by QUALITIA CO., LTD. contains multiple vulnerabilities listed below.
- Cross-site scripting (CWE-79)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  - CVE-2025-52462
- Cross-site request forgery (CSRF) (CWE-352)
  - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 2.3
  - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
  - CVE-2025-52463
Impact
- An arbitrary script may be executed on the logged-in user's web browser when accessing a specially crafted URL (CVE-2025-52462)
- An unintended e-mail may be sent if a user accesses a specially crafted URL while logged in (CVE-2025-52463)
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version that addresses these vulnerabilities.
- Active! mail 6 BuildInfo: 6.61.01008654
Vendor Status
Vendor | Link |
QUALITIA CO., LTD. | Important Notice Regarding Vulnerability for Active! mail 6 (Text in Japanese) |
Credit
Rintaro Fujita and Shoji Baba of GAKUSHUIN UNIVERSITY reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2025-52462, CVE-2025-52463 |
JVN iPedia | JVNDB-2025-000045 |