[Japanese]

JVNDB-2025-000005

EXIF Viewer Classic vulnerable to cross-site scripting

Overview

EXIF Viewer Classic provided by Rodrigue (former Kakera) is a Google Chrome browser extension.
The affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability (CWE-79).

Versions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor informs us that the product has been refactored after those old versions and that the current version 3.0.1 is not vulnerable.

Yuji Tounai of Mitsui Bussan Secure Directions, Inc. and Kouhei Morita reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products


Rodrigue
  • EXIF Viewer Classic versions 2.4.0 and prior

Impact

When an image is rendered and crafted EXIF meta data is processed, an arbitrary script may be executed on the web browser.
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Rodrigue
CWE (What is CWE?)

  1. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2025-23362
References

  1. JVN : JVN#05508012
Revision History

  • [2025/01/27]
      Web page was published

Date Public2025/01/27
Date First Published2025/01/27
Date Last Updated2025/01/27