|
[Japanese]
|
JVNDB-2025-000074
|
Multiple vulnerabilities in desknet's NEO
|
|
desknets NEO provided by NEOJAPAN Inc. contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79) - CVE-2025-24833, CVE-2025-54760, CVE-2025-55072
- Reflected cross-site scripting (CWE-79) - CVE-2025-52583
- Stored cross-site scripting (CWE-79) - CVE-2025-54859
- Improper protection of alternate path in AppSuite (CWE-424) - CVE-2025-58079
- Use of hard-coded cryptographic key (CWE-321) - CVE-2025-58426
The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2025-24833
Reporter: Sho Odagiri of GMO Cybersecurity by Ierae, Inc.
CVE-2025-52583, CVE-2025-54760
Reporter: Ryo Sato
CVE-2025-54859
Reporter: Ryo Sato and Daijiro Obata
CVE-2025-55072, CVE-2025-58079, CVE-2025-58426
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
|
|
CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-52583
|
CVSS V3 Severity:
Base Metrics:5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-24833, CVE-2025-54760, CVE-2025-55072
|
CVSS V3 Severity:
Base Metrics:4.8 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-54859
|
CVSS V3 Severity:
Base Metrics:4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-58079
|
CVSS V3 Severity:
Base Metrics:4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-58426
|
|
|
NEOJAPAN Inc.
- desknet's Web Server (CVE-2025-52583)
- desknet's NEO V4.0R1.0 to V9.0R2.0 (CVE-2025-24833, CVE-2025-58079, CVE-2025-58426)
- desknet's NEO V9.0R2.0 and earlier (CVE-2025-54760, CVE-2025-54859)
- desknet's NEO V2.0R1.0 to V9.0R2.0 (CVE-2025-55072)
|
|
|
- An arbitrary JavaScript may be executed in the web browser of the user of the product (CVE-2025-24833, CVE-2025-52583, CVE-2025-54760, CVE-2025-54859, CVE-2025-55072)
- Malicious AppSuite apps may be created by a remote authenticated attacker (CVE-2025-58079, CVE-2025-58426)
|
|
For CVE-2025-24833, CVE-2025-54760, CVE-2025-54859, CVE-2025-55072, CVE-2025-58079, CVE-2025-58426:
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
For CVE-2025-52583:
[Stop using desknet's Web Server and switch to IIS]
The developer recommends that users stop using desknet's Web Server and switch to Internet Information Services (IIS). For more details, refer to the information provided by the developer.
|
|
NEOJAPAN Inc.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2025-24833
- CVE-2025-52583
- CVE-2025-54760
- CVE-2025-55072
- CVE-2025-58079
- CVE-2025-58426
- CVE-2025-54859
|
|
- JVN : JVN#90757550
|
|
- [2025/10/16]
Web page was published
|
