[Japanese]

JVNDB-2025-000113

Multiple vulnerabilities in GroupSession

Overview

GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below.
  • Stored cross-site scripting (CWE-79) - CVE-2025-53523
  • Stored cross-site scripting (CWE-79) - CVE-2025-54407
  • Reflected cross-site scripting (CWE-79) - CVE-2025-57883
  • Cross-site request forgery (CWE-352) - CVE-2025-58576
  • Authorization bypass through user-controlled key (CWE-639) - CVE-2025-61950
  • Missing origin validation in webSockets (CWE-1385) - CVE-2025-61987
  • SQL injection (CWE-89) - CVE-2025-62192
  • Initialization of a resource with an insecure default (CWE-1188) - CVE-2025-64781
  • This can be exploited only when External page display restriction is set as "Do not limit", as in the initial configurationReflected cross-site scripting (CWE-79) - CVE-2025-65120
  • Stored cross-site scripting (CWE-79) - CVE-2025-66284
The following people reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2025-53523
Reporter: Shogo Iyota of GMO Cybersecurity by Ierae
Gaku Mochizuki and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.
Natsumi Furukawa

CVE-2025-54407
Reporter: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc.

CVE-2025-57883
Reporter: Tsuyuki Takumi of Mitsui Bussan Secure Directions, Inc.
Ryo Sato

CVE-2025-58576
Reporter: Tsuyuki Takumi, Kenta Yamamoto, and Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.
Shogo Iyota of GMO Cybersecurity by Ierae

CVE-2025-61950
Reporter: Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.

CVE-2025-61987
Reporter: Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc.

CVE-2025-62192
Gaku Mochizuki and Tsutomu Aramaki of Mitsui Bussan Secure Directions, Inc.

CVE-2025-64781
Reporter: Ryo Sato

CVE-2025-65120
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
Shiga Takuma of BroadBand Security, Inc.

CVE-2025-66284
Reporter: Kentaro Ishii of GMO Cybersecurity by Ierae, Inc.
KOJIRO ENOKIDA
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2025-54407

CVSS v3 Severity
Base Metrics: 6.1(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : None
  • User Interaction : Required
  • Scope : Changed
  • Confidentiality Impact : Low
  • Integrity Impact : Low
  • Availability Impact : None
The above CVSS base scores have been assigned for CVE-2025-57883, CVE-2025-65120

CVSS v3 Severity
Base Metrics: 5.4(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : Low
  • User Interaction : Required
  • Scope : Changed
  • Confidentiality Impact : Low
  • Integrity Impact : Low
  • Availability Impact : None
The above CVSS base scores have been assigned for CVE-2025-53523, CVE-2025-66284

CVSS v3 Severity
Base Metrics: 5.4(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : Low
  • User Interaction : None
  • Scope : Unchanged
  • Confidentiality Impact : Low
  • Integrity Impact : Low
  • Availability Impact : None
The above CVSS base scores have been assigned for CVE-2025-62192

CVSS v3 Severity
Base Metrics: 5.3(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : None
  • User Interaction : None
  • Scope : Unchanged
  • Confidentiality Impact : Low
  • Integrity Impact : None
  • Availability Impact : None
The above CVSS base scores have been assigned for CVE-2025-61987

CVSS v3 Severity
Base Metrics: 4.7(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : None
  • User Interaction : Required
  • Scope : Changed
  • Confidentiality Impact : None
  • Integrity Impact : Low
  • Availability Impact : None
This can be exploited only when External page display restriction is set as "Do not limit", as in the initial configuration
The above CVSS base scores have been assigned for CVE-2025-64781

CVSS v3 Severity
Base Metrics: 4.3(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : None
  • User Interaction : Required
  • Scope : Unchanged
  • Confidentiality Impact : None
  • Integrity Impact : Low
  • Availability Impact : None
The above CVSS base scores have been assigned for CVE-2025-58576

CVSS v3 Severity
Base Metrics: 4.3(Medium) [IPA Score]
  • Access Vector : Network
  • Access Complexity : Low
  • Privileges Required : Low
  • User Interaction : None
  • Scope : Unchanged
  • Confidentiality Impact : None
  • Integrity Impact : Low
  • Availability Impact : None
The above CVSS base scores have been assigned for CVE-2025-61950
Affected Products


Japan Total System Co.,Ltd.
  • GroupSession Free edition versions prior to ver5.3.0 (CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-58576, CVE-2025-61950, CVE-2025-61987, CVE-2025-62192)
  • GroupSession byCloud byCloud versions prior to ver5.3.3 (CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-58576, CVE-2025-61950, CVE-2025-61987, CVE-2025-62192)
  • GroupSession ZION versions prior to ver5.3.2 (CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-58576, CVE-2025-61950, CVE-2025-61987, CVE-2025-62192)
  • GroupSession Free edition versions prior to ver5.7.1 (CVE-2025-64781, CVE-2025-65120, CVE-2025-66284)
  • GroupSession byCloud versions prior to ver5.7.1 (CVE-2025-64781, CVE-2025-65120, CVE-2025-66284)
  • GroupSession ZION versions prior to ver5.7.1 (CVE-2025-64781, CVE-2025-65120, CVE-2025-66284)

Impact

  • If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user (CVE-2025-53523, CVE-2025-54407, CVE-2025-57883, CVE-2025-65120, CVE-2025-66284)
  • If a user accesses a malicious page while logged in, unintended operations may be performed (CVE-2025-58576)
  • The memo of Circular notice may be altered by an authenticated user (CVE-2025-61950)
  • If a user accesses a crafted page, Chat information sent to the user may be exposed (CVE-2025-61987)
  • Information stored in the database may be obtained or altered by an authenticated user (CVE-2025-62192)
  • When accessing a specially crafted URL, the user may be redirected to an arbitrary website (CVE-2025-64781)
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Japan Total System Co.,Ltd.
CWE (What is CWE?)

  1. Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
  2. Cross-site Scripting(CWE-79) [IPA Evaluation]
  3. SQL Injection(CWE-89) [IPA Evaluation]
  4. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2025-53523
  2. CVE-2025-54407
  3. CVE-2025-57883
  4. CVE-2025-58576
  5. CVE-2025-61950
  6. CVE-2025-61987
  7. CVE-2025-62192
  8. CVE-2025-64781
  9. CVE-2025-65120
  10. CVE-2025-66284
References

  1. JVN : JVN#19940619
Revision History

  • [2025/12/08]
      Web page was published

Date Public2025/12/08
Date First Published2025/12/08
Date Last Updated2025/12/08