
JVNDB-2025-005050

Multiple vulnerabilities in a-blog cms

Overview

a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.


  • Path traversal (CWE-22)


    • CVE-2025-27566

    • This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege



  • Cross-site scripting (CWE-79)


    • CVE-2025-32999

    • This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges



  • Server-side request forgery (CWE-918)

    • CVE-2025-36560


  • Improper output neutralization for logs (CWE-117)

    • CVE-2025-41429


    CVE-2025-27566, CVE-2025-32999
    haidv35 (Dinh Viet Hai) reported these vulnerabilities to the developer and coordinated with them. After the coordination was completed, haidv35 (Dinh Viet Hai) reported the case to JPCERT/CC so that users could be notified of the solution through JVN.

    CVE-2025-36560, CVE-2025-41429
    vcth4nh (Vu Chi Thanh) from VCSLab of Viettel Cyber Security reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2025-36560

CVSS V3 Severity:
Base Metrics 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2025-32999

CVSS V3 Severity:
Base Metrics 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2025-41429

CVSS V3 Severity:
Base Metrics 3.8 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2025-27566

Affected Products


appleple inc.
  • a-blog cms versions prior to Ver. 3.1.43 (Ver. 3.1.x series) - CVE-2025-27566, CVE-2025-32999
  • a-blog cms versions prior to Ver. 3.0.47 (Ver. 3.0.x series) - CVE-2025-27566, CVE-2025-32999
  • a-blog cms Ver. 3.1.43 and earlier (Ver. 3.1.x series) - CVE-2025-36560, CVE-2025-41429
  • a-blog cms Ver. 3.0.47 and earlier (Ver. 3.0.x series) - CVE-2025-36560, CVE-2025-41429
  • a-blog cms Ver. 2.11.75 and earlier (Ver. 2.11.x series) - CVE-2025-36560, CVE-2025-41429
  • a-blog cms Ver. 2.10.63 and earlier (Ver. 2.10.x series) - CVE-2025-36560, CVE-2025-41429
  • a-blog cms Ver. 2.9.52 and earlier (Ver. 2.9.x series) - CVE-2025-36560, CVE-2025-41429
  • a-blog cms Ver. 2.8.85 and earlier (Ver. 2.8.x series) - CVE-2025-36560, CVE-2025-41429

According to the developer, a-blog cms Ver. 2.11 and earlier versions, which are now unsupported, are affected by the above vulnerabilities as well. - CVE-2025-27566, CVE-2025-32999

According to the developer, a-blog cms Ver. 2.7.x and earlier versions, which are now unsupported, are affected by the above vulnerabilities as well. - CVE-2025-36560, CVE-2025-41429
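The version ranges above are easy to misread: Ver. 3.1.43 and Ver. 3.0.47 fix CVE-2025-27566 and CVE-2025-32999 but are still listed as affected by CVE-2025-36560 and CVE-2025-41429, and the page names no fixed build for that second pair. The following checker, an added example written for this page and not code from appleple inc. or JVN, encodes the listed ranges exactly as stated so an inventory script can map an installed version to the CVEs that apply. Function and constant names are the example's own; a version outside every listed range is reported as "not listed", which is deliberately not the same as "fixed".

```python
"""Map an a-blog cms version string to the CVEs listed on this page
(JVNDB-2025-005050).  Added example, not vendor or JVN code; the boundaries
are transcribed from the "Affected Products" section above."""
import re

PAIR_A = ("CVE-2025-27566", "CVE-2025-32999")
PAIR_B = ("CVE-2025-36560", "CVE-2025-41429")

# PAIR_A: "versions prior to Ver. X" -> X is the first build not affected.
FIXED_AT = {(3, 1): (3, 1, 43), (3, 0): (3, 0, 47)}
# PAIR_A: "Ver. 2.11 and earlier versions, which are now unsupported" are affected too.
PAIR_A_UNSUPPORTED_MAX_SERIES = (2, 11)

# PAIR_B: "Ver. X and earlier" -> X is the last build listed as affected.
AFFECTED_UP_TO = {(3, 1): (3, 1, 43), (3, 0): (3, 0, 47), (2, 11): (2, 11, 75),
                  (2, 10): (2, 10, 63), (2, 9): (2, 9, 52), (2, 8): (2, 8, 85)}
# PAIR_B: "Ver. 2.7.x and earlier versions, which are now unsupported" are affected too.
PAIR_B_UNSUPPORTED_MAX_SERIES = (2, 7)


def parse_version(text: str) -> tuple:
    """Accept '3.1.42' or 'Ver. 3.1.42' and return (major, minor, patch)."""
    m = re.fullmatch(r"(?:Ver\.\s*)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised a-blog cms version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(text: str) -> list:
    """Return the CVE IDs from this advisory whose listed ranges cover `text`."""
    v = parse_version(text)
    series = v[:2]
    hits = []
    # CVE-2025-27566 / CVE-2025-32999
    if series in FIXED_AT:
        if v < FIXED_AT[series]:
            hits += PAIR_A
    elif series <= PAIR_A_UNSUPPORTED_MAX_SERIES:
        hits += PAIR_A
    # CVE-2025-36560 / CVE-2025-41429
    if series in AFFECTED_UP_TO:
        if v <= AFFECTED_UP_TO[series]:
            hits += PAIR_B
    elif series <= PAIR_B_UNSUPPORTED_MAX_SERIES:
        hits += PAIR_B
    return hits


def report(text: str) -> str:
    """One-line verdict for an inventory script (example wording, not JVN's)."""
    hits = affected_cves(text)
    if not hits:
        return (f"{text}: not listed as affected on this page "
                f"(verify against the developer's latest release)")
    return f"{text}: affected by {', '.join(hits)}"


if __name__ == "__main__":
    # Constructed sample versions covering each boundary on the page.
    for sample in ("3.1.42", "3.1.43", "3.0.47", "2.11.75", "2.11.76", "2.7.3", "3.2.0"):
        print(report(sample))
```

The two boundary conditions differ on purpose: "prior to Ver. 3.1.43" is a strict comparison, "Ver. 3.1.43 and earlier" is inclusive, which is why 3.1.43 comes back affected by exactly two of the four CVEs.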

For information about the maintenance policy, please refer to the "Maintenance Policy (Text in Japanese)" provided by the developer.
Impact


  • Arbitrary files on the server may be retrieved or deleted (CVE-2025-27566)

  • An arbitrary script may be executed in the web browser of a user logged in to the product (CVE-2025-32999)

  • Processing a specially crafted request may allow access to sensitive information (CVE-2025-36560)

  • The combination of these vulnerabilities may allow an attacker to hijack a legitimate user's session (CVE-2025-36560, CVE-2025-41429)
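The page names CWE-117 and its consequence but not the affected log or code path, so the following is a generic illustration of the weakness class, an added example for this advisory and not a-blog cms code: a raw user-controlled value written to a line-oriented log lets the client forge whole records, and neutralizing control characters (or switching to one JSON object per line) removes that ability. All inputs, names and the log format are constructed for the demonstration.

```python
"""Generic CWE-117 (improper output neutralization for logs) illustration.
Added example for this page, not a-blog cms code; the log format, field
names and sample input are all constructed."""
import json
import re

TS = "2025-05-15T00:00:01Z"  # fixed timestamp so output is deterministic

# Constructed hostile value: a "username" that carries a newline followed by a
# plausible-looking second record.  Everything after the "\n" becomes its own line.
FORGED_USER = "bob\n2025-05-15T00:00:00Z INFO login ok user=admin session=deadbeef"
CLIENT_IP = "203.0.113.5"

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_line_vulnerable(user: str, ip: str) -> str:
    """Interpolates the raw value: control characters reach the log verbatim."""
    return f"{TS} INFO login failed user={user} ip={ip}"


def neutralize(value: str) -> str:
    """Escape CR, LF and other control characters as \\xNN so a value can
    neither end the current record nor start a new one.  The original bytes
    stay recoverable for investigation; they just cannot act as separators."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_line_hardened(user: str, ip: str) -> str:
    """Same message, every untrusted field neutralized before formatting."""
    return f"{TS} INFO login failed user={neutralize(user)} ip={neutralize(ip)}"


def log_json(user: str, ip: str) -> str:
    """Structured alternative: one JSON object per line.  json.dumps escapes
    newlines inside strings, so the record boundary cannot be forged and a
    consumer gets the field back intact with json.loads."""
    return json.dumps({"ts": TS, "level": "INFO", "event": "login failed",
                       "user": user, "ip": ip})


def count_records(log_text: str) -> int:
    """A naive line-oriented reader, which is how many log shippers, SIEM
    parsers and grep-based triage treat a text log."""
    return sum(1 for line in log_text.split("\n") if line)


if __name__ == "__main__":
    for name, fn in (("vulnerable", log_line_vulnerable),
                     ("hardened", log_line_hardened),
                     ("json", log_json)):
        out = fn(FORGED_USER, CLIENT_IP)
        print(f"--- {name}: {count_records(out)} record(s) ---")
        print(out)
```

The vulnerable writer produces two records from one request, the second of which an analyst or an automated parser would read as a successful admin login; both hardened forms keep it to one. Escaping rather than deleting control characters is preferable for forensics, since the attempt itself is evidence worth keeping.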


Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

[Apply the workaround]
The developer has also provided a workaround for CVE-2025-36560 and CVE-2025-41429.

For more information, refer to the information provided by the developer.
Vendor Information

appleple inc.
CWE

  1. Improper Output Neutralization for Logs (CWE-117)
  2. Path Traversal (CWE-22)
  3. Cross-site Scripting (CWE-79)
  4. Server-Side Request Forgery (SSRF) (CWE-918)
CVE

  1. CVE-2025-27566
  2. CVE-2025-32999
  3. CVE-2025-36560
  4. CVE-2025-41429
References

  1. JVN: JVNVU#90760614
Revision History

  • [2025/05/15]
      Web page was published