|
[Japanese]
|
JVNDB-2025-000043
|
Multiple vulnerabilities in iroha Board
|
|
iroha Board provided by iroha Soft Co., Ltd. contains multiple vulnerabilities listed below.
- Forced browsing (CWE-425) - CVE-2025-41404
- Cross-site request forgery (CWE-352) - CVE-2025-48497
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-41404
|
CVSS V3 Severity:
Base Metrics:4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-48497
|
|
|
iroha Soft Co., Ltd.
- iroha Board versions v0.10.12 and earlier
|
|
|
- Unpublic contents may be viewed by an attacker who can logs in to the affected product (CVE-2025-41404)
- If a user accesses a specially crafted page while logged in to the affected product, arbitrary learning histories may be registered (CVE-2025-48497)
|
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version that addresses these vulnerabilities.
|
|
iroha Soft Co., Ltd.
- iroha Soft Co., Ltd. : Security (in Japanese)
|
|
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2025-41404
- CVE-2025-48497
|
|
- JVN : JVN#92520966
|
|
- [2025/06/26]
Web page was published
|
