|
[Japanese]
|
JVNDB-2025-000047
|
Multiple vulnerabilities in Nimesa Backup and Recovery
|
|
Nimesa Backup and Recovery provided by Nimesa contains multiple vulnerabilities listed below.- OS command injection (CWE-78) - CVE-2025-48501
- Server-side request forgery (CWE-918) - CVE-2025-53473
Kentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-48501
|
CVSS V3 Severity:
Base Metrics:7.3 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
The above CVSS base scores have been assigned for CVE-2025-53473
|
|
|
Nimesa
- Nimesa Backup and Recovery v2.3 (CVE-2025-48501, CVE-2025-53473)
- Nimesa Backup and Recovery v2.4 (CVE-2025-48501, CVE-2025-53473)
- Nimesa Backup and Recovery versions prior to v3.0.2025062305 (CVE-2025-53473)
|
According to the developer, the affected versions are no longer supported.
|
|
- Arbitrary OS commands may be executed on the server where the product is running (CVE-2025-48501)
- Unintended requests may be sent to internal servers (CVE-2025-53473)
|
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
|
|
Nimesa
|
|
- OS Command Injection(CWE-78) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2025-48501
- CVE-2025-53473
|
|
- JVN : JVN#88251376
|
|
- [2025/07/07]
Web page was published
|
