Published: 2025/07/31  Last Updated: 2025/07/31

JVNVU#93412964
Multiple vulnerabilities in PowerCMS

Overview

PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities.

Products Affected

  • PowerCMS 6.7 and earlier (PowerCMS 6.x series)
  • PowerCMS 5.3 and earlier (PowerCMS 5.x series)
  • PowerCMS 4.6 and earlier (PowerCMS 4.x series)

Description

PowerCMS provided by Alfasado Inc. contains multiple vulnerabilities listed below.

  • Reflected cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.3
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
    • CVE-2025-36563
  • Stored cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2025-41391
  • Path traversal in file uploading (CWE-22)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Base Score 5.4
    • CVE-2025-41396
  • Path traversal in backup restore (CWE-22)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
    • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
    • CVE-2025-46359
  • Improper neutralization of formula elements in a CSV file (CWE-1236)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Base Score 4.8
    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Base Score 6.5
    • CVE-2025-54752
  • Unrestricted upload of file with dangerous type (CWE-434)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Base Score 5.1
    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Base Score 6.5
    • CVE-2025-54757

Impact

  • If an administrator of the product accesses a URL crafted by an attacker, an arbitrary script may be executed on the administrator's browser (CVE-2025-36563)
  • If a user of the product accesses a malicious page, an arbitrary script may be executed on the user's browser (CVE-2025-41391)
  • Arbitrary files may be overwritten by a product user (CVE-2025-41396)
  • If a product administrator restores an altered backup file, arbitrary code may be executed (CVE-2025-46359)
  • If a user of the product creates a malformed entry and a victim user downloads it as a CSV file and opens it in the victim's environment, the formula embedded in the entry may be executed (CVE-2025-54752)
  • If an administrator of the product accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the administrator's browser (CVE-2025-54757)
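The following is an added example written for this page; it is not code from the JVN advisory, from JPCERT/CC or from PowerCMS. It shows defensive handling for two of the weakness classes listed above, CWE-1236 (formula elements in a CSV export) and CWE-22 (path traversal in file upload), in Python. The upload root path, the column names and the sample rows are constructed for the example.

```python
import csv
import io
import os
import re

# Leading characters that make a spreadsheet evaluate a cell as a formula
# instead of showing it as text. Tab and carriage return are included because
# some importers strip them and then evaluate what remains (CWE-1236).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Return a value that a spreadsheet will display as text.

    Only string cells are touched: a leading formula trigger is prefixed with a
    single quote, which Excel and LibreOffice treat as a "store as text" marker.
    Numbers pass through unchanged so a negative integer is not mangled.
    """
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_entries_csv(rows):
    """Serialise entry rows (list of lists) to CSV text with every cell quoted.

    QUOTE_ALL makes the csv module escape embedded double quotes, so a cell
    cannot break out of its field; neutralize_csv_cell stops formula
    evaluation on the consumer side.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_csv_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: one benign entry and one whose title would be
# evaluated as a formula if the export were written verbatim.
SAMPLE_ROWS = [
    ["id", "title", "body"],
    [1, "Release notes", "Plain text entry"],
    [2, "=SUM(A1:A3)", "Title begins with a formula trigger"],
]

# Allow-list for stored upload names: must start with an alphanumeric, so
# dot-files and the "." / ".." segments are rejected as well.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_upload_path(upload_root, client_filename):
    """Map an untrusted upload filename to a path that stays under upload_root.

    Mitigation for CWE-22 in file upload: drop any directory part the client
    supplied, allow-list the remaining characters, and verify the resolved
    destination is still inside the upload root. Raises ValueError otherwise.
    """
    # Treat both separators as directory separators and keep the last component.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or not SAFE_NAME.fullmatch(base):
        raise ValueError("rejected upload filename: %r" % client_filename)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, base))
    # Defence in depth: realpath resolves symlinks and dot segments, so the
    # destination must still have the upload root as its prefix.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes upload root")
    return dest


if __name__ == "__main__":
    print(export_entries_csv(SAMPLE_ROWS), end="")
    # Upload root is a constructed path for the example.
    print(safe_upload_path("/srv/powercms/uploads", "../../etc/report.txt"))
```

The single-quote prefix is the widely recommended CSV neutralization, but it is visible in the opened spreadsheet cell; if that is unacceptable, export to a format with typed cells instead of CSV. For uploads, note that stripping directory components turns a traversal attempt into a plain filename stored under the upload root, so the realpath check only fires if a later code change lets a separator through.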

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor         Status      Last Update  Vendor Notes
Alfasado Inc.  Vulnerable  2025/07/31   Alfasado Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

The following members of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

thanhtt74 (Tran Thi Thanh)
namdi (Do Ich Nam)
quanlna2 (Le Nguyen Anh Quan)

Other Information

CVE: CVE-2025-36563, CVE-2025-41391, CVE-2025-41396, CVE-2025-46359, CVE-2025-54752, CVE-2025-54757