Published:2025/07/02  Last Updated:2025/07/02

JVN#89505333
Multiple vulnerabilities in Active! mail

Overview

Active! mail provided by QUALITIA CO., LTD. contains multiple vulnerabilities.

Products Affected

CVE-2025-52462

  • Active! mail 6 BuildInfo: 6.30.01004145 to 6.60.06008562
CVE-2025-52463
  • Active! mail 6 BuildInfo: 6.60.06008562 and earlier

Description

Active! mail provided by QUALITIA CO., LTD. contains multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-52462
  • Cross-site request forgery (CSRF) (CWE-352)
    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 2.3
    • CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2025-52463

Impact

  • An arbitrary script may be executed on the logged-in user's web browser when accessing a specially crafted URL (CVE-2025-52462)
  • Unintended E-mail may be sent if a user accesses a specially crafted URL while logged in (CVE-2025-52463)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version that address these vulnerabilities.

  • Active! mail 6 BuildInfo: 6.61.01008654

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Rintaro Fujita and Shoji Baba of GAKUSHUIN UNIVERSITY reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2025-52462
CVE-2025-52463
JVN iPedia JVNDB-2025-000045