Search

Find a vulnerability

Search criteria

    52 vulnerabilities found for a-blog cms by appleple inc.

    CVE-2025-41429 (GCVE-0-2025-41429)

    Vulnerability from nvd – Published: 2025-05-19 08:07 – Updated: 2025-05-19 15:46
    VLAI
    Summary
    a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-117 - Improper output neutralization for logs
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: Ver. 2.8.85 and earlier (Ver. 2.8.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.1.43 and earlier (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.0.47 and earlier (Ver. 3.0.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.11.75 and earlier (Ver. 2.11.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.10.63 and earlier (Ver. 2.10.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.9.52 and earlier (Ver. 2.9.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-41429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:46:16.181139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:46:29.408Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user\u0027s session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-117",
                  "description": "Improper output neutralization for logs",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:07:38.068Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-41429",
        "datePublished": "2025-05-19T08:07:38.068Z",
        "dateReserved": "2025-05-12T23:37:54.373Z",
        "dateUpdated": "2025-05-19T15:46:29.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36560 (GCVE-0-2025-36560)

    Vulnerability from nvd – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:45
    VLAI
    Summary
    Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-side request forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: Ver. 2.8.85 and earlier (Ver. 2.8.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.1.43 and earlier (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.0.47 and earlier (Ver. 3.0.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.11.75 and earlier (Ver. 2.11.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.10.63 and earlier (Ver. 2.10.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.9.52 and earlier (Ver. 2.9.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36560",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:45:12.728197Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:45:37.691Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-side request forgery (SSRF)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:08:00.732Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-36560",
        "datePublished": "2025-05-19T08:08:00.732Z",
        "dateReserved": "2025-05-12T23:37:55.230Z",
        "dateUpdated": "2025-05-19T15:45:37.691Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32999 (GCVE-0-2025-32999)

    Vulnerability from nvd – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:28
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: prior to Ver. 3.1.43 (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: prior to Ver. 3.0.47 (Ver. 3.0.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32999",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:28:29.608680Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:28:40.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges.  If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:08:51.815Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-32999",
        "datePublished": "2025-05-19T08:08:51.815Z",
        "dateReserved": "2025-05-12T23:37:56.186Z",
        "dateUpdated": "2025-05-19T15:28:40.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27566 (GCVE-0-2025-27566)

    Vulnerability from nvd – Published: 2025-05-19 08:09 – Updated: 2025-05-19 14:42
    VLAI
    Summary
    Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: prior to Ver. 3.1.43 (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: prior to Ver. 3.0.47 (Ver. 3.0.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T14:42:37.649183Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T14:42:50.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:09:26.427Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-27566",
        "datePublished": "2025-05-19T08:09:26.427Z",
        "dateReserved": "2025-05-12T23:37:57.129Z",
        "dateUpdated": "2025-05-19T14:42:50.286Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31395 (GCVE-0-2024-31395)

    Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2024-10-31 14:53
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31395",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-22T14:24:22.284116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-31T14:53:49.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.829Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN70977403/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.12"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.32"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.61"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.53"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-22T04:35:37.216Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN70977403/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-31395",
        "datePublished": "2024-05-22T04:35:37.216Z",
        "dateReserved": "2024-04-03T02:24:22.988Z",
        "dateUpdated": "2024-10-31T14:53:49.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31394 (GCVE-0-2024-31394)

    Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2025-03-27 15:03
    VLAI
    Summary
    Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Directory traversal
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-22T17:10:48.613952Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T15:03:43.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN70977403/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.12"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.32"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.61"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.53"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Directory traversal",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-22T04:35:31.768Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN70977403/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-31394",
        "datePublished": "2024-05-22T04:35:31.768Z",
        "dateReserved": "2024-04-03T02:24:22.988Z",
        "dateUpdated": "2025-03-27T15:03:43.986Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-30419 (GCVE-0-2024-30419)

    Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2024-08-02 01:32
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Ver.3.1.x series Affected: prior to Ver.3.1.12
    Create a notification for this product.
    appleple inc. a-blog cms Ver.3.0.x series Affected: prior to Ver.3.0.32
    Create a notification for this product.
    appleple inc. a-blog cms Ver.2.11.x series Affected: prior to Ver.2.11.61
    Create a notification for this product.
    appleple inc. a-blog cms Ver.2.10.x series Affected: prior to Ver.2.10.53
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver.2.9 and earlier
    Create a notification for this product.
    appleple a-blog_cms Affected: 3.1.0 , < 3.1.12 (custom)
    Affected: 3.0.0 , < 3.0.32 (custom)
    Affected: 2.11.0 , < 2.11.61 (custom)
    Affected: 2.10.0 , < 2.10.53 (custom)
    Affected: 0 , ≤ 2.9 (custom)
        cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "a-blog_cms",
                "vendor": "appleple",
                "versions": [
                  {
                    "lessThan": "3.1.12",
                    "status": "affected",
                    "version": "3.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "3.0.32",
                    "status": "affected",
                    "version": "3.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "2.11.61",
                    "status": "affected",
                    "version": "2.11.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "2.10.53",
                    "status": "affected",
                    "version": "2.10.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "2.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-30419",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-22T14:36:51.156737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-06T16:16:04.625Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:32:07.430Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN70977403/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.12"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.32"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.61"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.53"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-22T04:35:09.652Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN70977403/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-30419",
        "datePublished": "2024-05-22T04:35:09.652Z",
        "dateReserved": "2024-03-27T03:59:36.078Z",
        "dateUpdated": "2024-08-02T01:32:07.430Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27279 (GCVE-0-2024-27279)

    Vulnerability from nvd – Published: 2024-03-12 08:19 – Updated: 2024-10-31 18:12
    VLAI
    Summary
    Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with editor or higher privilege who can login to the product may obtain arbitrary files on the server including password files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Directory traversal
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:27:59.741Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-48443978.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN48443978/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27279",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T20:11:57.193866Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-31T18:12:32.261Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.1.9 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.0.30 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.11.59 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.10.51 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with editor or higher privilege who can login to the product may obtain arbitrary files on the server including password files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Directory traversal",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-12T08:19:48.705Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-48443978.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN48443978/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-27279",
        "datePublished": "2024-03-12T08:19:48.705Z",
        "dateReserved": "2024-02-22T02:26:33.074Z",
        "dateUpdated": "2024-10-31T18:12:32.261Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-25559 (GCVE-0-2024-25559)

    Vulnerability from nvd – Published: 2024-02-15 04:32 – Updated: 2024-11-01 20:52
    VLAI
    Summary
    URL spoofing vulnerability exists in a-blog cms Ver.3.1.0 to Ver.3.1.8. If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the audit log.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: Ver.3.1.0 to Ver.3.1.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:44:09.680Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-48966481.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN48966481/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-16T15:40:13.733974Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-601",
                    "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-01T20:52:44.326Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.1.0 to Ver.3.1.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "URL spoofing vulnerability exists in a-blog cms Ver.3.1.0 to Ver.3.1.8. If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the audit log."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-15T04:32:37.608Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-48966481.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN48966481/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-25559",
        "datePublished": "2024-02-15T04:32:37.608Z",
        "dateReserved": "2024-02-08T01:35:27.596Z",
        "dateUpdated": "2024-11-01T20:52:44.326Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23782 (GCVE-0-2024-23782)

    Vulnerability from nvd – Published: 2024-01-28 23:09 – Updated: 2025-06-02 19:47
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:13:08.244Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23782",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-29T16:03:01.341879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T19:47:56.058Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-28T23:09:13.092Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23782",
        "datePublished": "2024-01-28T23:09:13.092Z",
        "dateReserved": "2024-01-22T07:59:48.826Z",
        "dateUpdated": "2025-06-02T19:47:56.058Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23348 (GCVE-0-2024-23348)

    Vulnerability from nvd – Published: 2024-01-23 09:39 – Updated: 2025-05-30 14:19
    VLAI
    Summary
    Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary JavaScript code by uploading a specially crafted SVG file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:32.154Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23348",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T17:30:48.646555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-30T14:19:38.246Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary JavaScript code by uploading a specially crafted SVG file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper input validation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-23T09:39:14.190Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23348",
        "datePublished": "2024-01-23T09:39:14.190Z",
        "dateReserved": "2024-01-15T23:36:05.944Z",
        "dateUpdated": "2025-05-30T14:19:38.246Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23183 (GCVE-0-2024-23183)

    Vulnerability from nvd – Published: 2024-01-23 09:39 – Updated: 2025-06-20 19:11
    VLAI
    Summary
    Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute an arbitrary script on the logged-in user's web browser.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:31.779Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23183",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-23T14:26:51.427740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T19:11:32.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute an arbitrary script on the logged-in user\u0027s web browser."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-23T09:39:05.114Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23183",
        "datePublished": "2024-01-23T09:39:05.114Z",
        "dateReserved": "2024-01-12T05:24:51.969Z",
        "dateUpdated": "2025-06-20T19:11:32.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23182 (GCVE-0-2024-23182)

    Vulnerability from nvd – Published: 2024-01-23 09:38 – Updated: 2025-05-30 14:19
    VLAI
    Summary
    Relative path traversal vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to delete arbitrary files on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Relative path traversal
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:32.082Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23182",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T17:35:32.973909Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-30T14:19:44.009Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Relative path traversal vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to delete arbitrary files on the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Relative path traversal",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-23T09:38:58.906Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23182",
        "datePublished": "2024-01-23T09:38:58.906Z",
        "dateReserved": "2024-01-12T05:24:51.969Z",
        "dateUpdated": "2025-05-30T14:19:44.009Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23181 (GCVE-0-2024-23181)

    Vulnerability from nvd – Published: 2024-01-23 09:38 – Updated: 2025-06-20 19:10
    VLAI
    Summary
    Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the logged-in user's web browser.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:32.204Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-23T13:49:49.168842Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T19:10:49.356Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the logged-in user\u0027s web browser."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-23T09:38:08.211Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23181",
        "datePublished": "2024-01-23T09:38:08.211Z",
        "dateReserved": "2024-01-12T05:24:51.969Z",
        "dateUpdated": "2025-06-20T19:10:49.356Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23180 (GCVE-0-2024-23180)

    Vulnerability from nvd – Published: 2024-01-23 09:37 – Updated: 2025-06-04 15:09
    VLAI
    Summary
    Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper input validation
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:59:31.845Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-26T16:26:53.058447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-434",
                    "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-04T15:09:52.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper input validation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-23T09:37:22.303Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23180",
        "datePublished": "2024-01-23T09:37:22.303Z",
        "dateReserved": "2024-01-12T05:24:51.968Z",
        "dateUpdated": "2025-06-04T15:09:52.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27566 (GCVE-0-2025-27566)

    Vulnerability from cvelistv5 – Published: 2025-05-19 08:09 – Updated: 2025-05-19 14:42
    VLAI
    Summary
    Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: prior to Ver. 3.1.43 (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: prior to Ver. 3.0.47 (Ver. 3.0.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T14:42:37.649183Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T14:42:50.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:09:26.427Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-27566",
        "datePublished": "2025-05-19T08:09:26.427Z",
        "dateReserved": "2025-05-12T23:37:57.129Z",
        "dateUpdated": "2025-05-19T14:42:50.286Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-32999 (GCVE-0-2025-32999)

    Vulnerability from cvelistv5 – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:28
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: prior to Ver. 3.1.43 (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: prior to Ver. 3.0.47 (Ver. 3.0.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32999",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:28:29.608680Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:28:40.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges.  If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:08:51.815Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-32999",
        "datePublished": "2025-05-19T08:08:51.815Z",
        "dateReserved": "2025-05-12T23:37:56.186Z",
        "dateUpdated": "2025-05-19T15:28:40.444Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-36560 (GCVE-0-2025-36560)

    Vulnerability from cvelistv5 – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:45
    VLAI
    Summary
    Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-side request forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: Ver. 2.8.85 and earlier (Ver. 2.8.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.1.43 and earlier (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.0.47 and earlier (Ver. 3.0.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.11.75 and earlier (Ver. 2.11.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.10.63 and earlier (Ver. 2.10.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.9.52 and earlier (Ver. 2.9.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-36560",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:45:12.728197Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:45:37.691Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-side request forgery (SSRF)",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:08:00.732Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-36560",
        "datePublished": "2025-05-19T08:08:00.732Z",
        "dateReserved": "2025-05-12T23:37:55.230Z",
        "dateUpdated": "2025-05-19T15:45:37.691Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-41429 (GCVE-0-2025-41429)

    Vulnerability from cvelistv5 – Published: 2025-05-19 08:07 – Updated: 2025-05-19 15:46
    VLAI
    Summary
    a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-117 - Improper output neutralization for logs
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: Ver. 2.8.85 and earlier (Ver. 2.8.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.1.43 and earlier (Ver. 3.1.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 3.0.47 and earlier (Ver. 3.0.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.11.75 and earlier (Ver. 2.11.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.10.63 and earlier (Ver. 2.10.x series)
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver. 2.9.52 and earlier (Ver. 2.9.x series)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-41429",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-19T15:46:16.181139Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-19T15:46:29.408Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user\u0027s session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-117",
                  "description": "Improper output neutralization for logs",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-19T08:07:38.068Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
            },
            {
              "url": "https://jvn.jp/en/vu/JVNVU90760614/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-41429",
        "datePublished": "2025-05-19T08:07:38.068Z",
        "dateReserved": "2025-05-12T23:37:54.373Z",
        "dateUpdated": "2025-05-19T15:46:29.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31395 (GCVE-0-2024-31395)

    Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2024-10-31 14:53
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31395",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-22T14:24:22.284116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-31T14:53:49.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.829Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN70977403/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.12"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.32"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.61"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.53"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-22T04:35:37.216Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN70977403/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-31395",
        "datePublished": "2024-05-22T04:35:37.216Z",
        "dateReserved": "2024-04-03T02:24:22.988Z",
        "dateUpdated": "2024-10-31T14:53:49.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31394 (GCVE-0-2024-31394)

    Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2025-03-27 15:03
    VLAI
    Summary
    Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Directory traversal
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-22T17:10:48.613952Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-27T15:03:43.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.577Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN70977403/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.12"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.32"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.61"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.53"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Directory traversal",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-22T04:35:31.768Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN70977403/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-31394",
        "datePublished": "2024-05-22T04:35:31.768Z",
        "dateReserved": "2024-04-03T02:24:22.988Z",
        "dateUpdated": "2025-03-27T15:03:43.986Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-30419 (GCVE-0-2024-30419)

    Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2024-08-02 01:32
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Ver.3.1.x series Affected: prior to Ver.3.1.12
    Create a notification for this product.
    appleple inc. a-blog cms Ver.3.0.x series Affected: prior to Ver.3.0.32
    Create a notification for this product.
    appleple inc. a-blog cms Ver.2.11.x series Affected: prior to Ver.2.11.61
    Create a notification for this product.
    appleple inc. a-blog cms Ver.2.10.x series Affected: prior to Ver.2.10.53
    Create a notification for this product.
    appleple inc. a-blog cms Affected: Ver.2.9 and earlier
    Create a notification for this product.
    appleple a-blog_cms Affected: 3.1.0 , < 3.1.12 (custom)
    Affected: 3.0.0 , < 3.0.32 (custom)
    Affected: 2.11.0 , < 2.11.61 (custom)
    Affected: 2.10.0 , < 2.10.53 (custom)
    Affected: 0 , ≤ 2.9 (custom)
        cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "a-blog_cms",
                "vendor": "appleple",
                "versions": [
                  {
                    "lessThan": "3.1.12",
                    "status": "affected",
                    "version": "3.1.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "3.0.32",
                    "status": "affected",
                    "version": "3.0.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "2.11.61",
                    "status": "affected",
                    "version": "2.11.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "2.10.53",
                    "status": "affected",
                    "version": "2.10.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThanOrEqual": "2.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-30419",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-22T14:36:51.156737Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-06T16:16:04.625Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:32:07.430Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN70977403/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.12"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.32"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.61"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.53"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-22T04:35:09.652Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN70977403/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-30419",
        "datePublished": "2024-05-22T04:35:09.652Z",
        "dateReserved": "2024-03-27T03:59:36.078Z",
        "dateUpdated": "2024-08-02T01:32:07.430Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27279 (GCVE-0-2024-27279)

    Vulnerability from cvelistv5 – Published: 2024-03-12 08:19 – Updated: 2024-10-31 18:12
    VLAI
    Summary
    Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with editor or higher privilege who can login to the product may obtain arbitrary files on the server including password files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Directory traversal
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:27:59.741Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-48443978.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN48443978/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27279",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T20:11:57.193866Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-31T18:12:32.261Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.1.9 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.0.30 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.11.59 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.10.51 and earlier"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with editor or higher privilege who can login to the product may obtain arbitrary files on the server including password files."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Directory traversal",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-12T08:19:48.705Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-48443978.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN48443978/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-27279",
        "datePublished": "2024-03-12T08:19:48.705Z",
        "dateReserved": "2024-02-22T02:26:33.074Z",
        "dateUpdated": "2024-10-31T18:12:32.261Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-25559 (GCVE-0-2024-25559)

    Vulnerability from cvelistv5 – Published: 2024-02-15 04:32 – Updated: 2024-11-01 20:52
    VLAI
    Summary
    URL spoofing vulnerability exists in a-blog cms Ver.3.1.0 to Ver.3.1.8. If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the audit log.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    appleple inc. a-blog cms Affected: Ver.3.1.0 to Ver.3.1.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:44:09.680Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-48966481.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN48966481/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-16T15:40:13.733974Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-601",
                    "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-01T20:52:44.326Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.3.1.0 to Ver.3.1.8"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "URL spoofing vulnerability exists in a-blog cms Ver.3.1.0 to Ver.3.1.8. If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the audit log."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-15T04:32:37.608Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-48966481.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN48966481/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-25559",
        "datePublished": "2024-02-15T04:32:37.608Z",
        "dateReserved": "2024-02-08T01:35:27.596Z",
        "dateUpdated": "2024-11-01T20:52:44.326Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23782 (GCVE-0-2024-23782)

    Vulnerability from cvelistv5 – Published: 2024-01-28 23:09 – Updated: 2025-06-02 19:47
    VLAI
    Summary
    Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-site scripting (XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:13:08.244Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN34565930/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23782",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-29T16:03:01.341879Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T19:47:56.058Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "a-blog cms Ver.3.1.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.1.7"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.3.0.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.3.0.29"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.11.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.11.58"
                }
              ]
            },
            {
              "product": "a-blog cms Ver.2.10.x series",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to Ver.2.10.50"
                }
              ]
            },
            {
              "product": "a-blog cms",
              "vendor": "appleple inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ver.2.9.0 and earlier "
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-28T23:09:13.092Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://developer.a-blogcms.jp/blog/news/JVN-34565930.html"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN34565930/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2024-23782",
        "datePublished": "2024-01-28T23:09:13.092Z",
        "dateReserved": "2024-01-22T07:59:48.826Z",
        "dateUpdated": "2025-06-02T19:47:56.058Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2025-005050

    Vulnerability from jvndb - Published: 2025-05-15 18:11 - Updated:2025-05-15 18:11
    Severity
    Summary
    Multiple vulnerabilities in a-blog cms
    Details
    a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.
    • Path traversal (CWE-22)
      • CVE-2025-27566
      • This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege
    • Cross-site scripting (CWE-79)
      • CVE-2025-32999
      • This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges
    • Server-side request forgery (CWE-918)
      • CVE-2025-36560
    • Improper output neutralization for logs (CWE-117)
      • CVE-2025-41429
      CVE-2025-27566, CVE-2025-32999 haidv35 (Dinh Viet Hai) reported these vulnerabilities to the developer and coordinated. After the coordination was completed, haidv35 (Dinh Viet Hai) reported the case to JPCERT/CC to notify users of the solution through JVN. CVE-2025-36560, CVE-2025-41429 vcth4nh from VCSLab of Viettel Cyber Security (Vu Chi Thanh) reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-005050.html",
      "dc:date": "2025-05-15T18:11+09:00",
      "dcterms:issued": "2025-05-15T18:11+09:00",
      "dcterms:modified": "2025-05-15T18:11+09:00",
      "description": "a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.\r\n\r\n\u003cul\u003e\r\n\u003cli\u003ePath traversal (CWE-22)\u003c/li\u003e\r\n\u003cul\u003e\r\n\u003cli\u003eCVE-2025-27566\u003c/li\u003e\r\n\u003cli\u003eThis is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\n\u003cli\u003eCross-site scripting (CWE-79)\u003c/li\u003e\r\n\u003cul\u003e\r\n\u003cli\u003eCVE-2025-32999\u003c/li\u003e\r\n\u003cli\u003eThis issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges\u003c/li\u003e\r\n\u003c/ul\u003e\r\n\r\n\u003cli\u003eServer-side request forgery (CWE-918)\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eCVE-2025-36560\u003c/li\u003e\u003c/ul\u003e\r\n\r\n\u003cli\u003eImproper output neutralization for logs (CWE-117)\u003c/li\u003e\r\n\u003cul\u003e\u003cli\u003eCVE-2025-41429\u003c/li\u003e\u003c/ul\u003e\r\n\r\nCVE-2025-27566, CVE-2025-32999\r\nhaidv35 (Dinh Viet Hai) reported these vulnerabilities to the developer and coordinated. After the coordination was completed, haidv35 (Dinh Viet Hai) reported the case to JPCERT/CC to notify users of the solution through JVN.\r\n\r\nCVE-2025-36560, CVE-2025-41429\r\nvcth4nh from VCSLab of Viettel Cyber Security (Vu Chi Thanh) reported these vulnerabilities to JPCERT/CC. JPCERT/CC coordinated with the developer.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-005050.html",
      "sec:cpe": {
        "#text": "cpe:/a:appleple:a-blog_cms",
        "@product": "a-blog cms",
        "@vendor": "appleple inc.",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "8.6",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-005050",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU90760614/index.html",
          "@id": "JVNVU#90760614",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-27566",
          "@id": "CVE-2025-27566",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-32999",
          "@id": "CVE-2025-32999",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-36560",
          "@id": "CVE-2025-36560",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-41429",
          "@id": "CVE-2025-41429",
          "@source": "CVE"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/117.html",
          "@id": "CWE-117",
          "@title": "Improper Output Neutralization for Logs(CWE-117)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-22",
          "@title": "Path Traversal(CWE-22)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        },
        {
          "#text": "https://cwe.mitre.org/data/definitions/918.html",
          "@id": "CWE-918",
          "@title": "Server-Side Request Forgery (SSRF)(CWE-918)"
        }
      ],
      "title": "Multiple vulnerabilities in a-blog cms"
    }

    JVNDB-2025-000024

    Vulnerability from jvndb - Published: 2025-03-28 10:46 - Updated:2025-03-28 10:46
    Severity
    Summary
    a-blog cms vulnerable to untrusted data deserialization
    Details
    a-blog cms provided by appleple inc. contains untrusted data deserialization vulnerability (CWE-502). The developer states that attacks exploiting the vulnerability has been observed on a-blog cms Ver.2.8.x series or later. appleple inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and appleple inc. coordinated under the Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000024.html",
      "dc:date": "2025-03-28T10:46+09:00",
      "dcterms:issued": "2025-03-28T10:46+09:00",
      "dcterms:modified": "2025-03-28T10:46+09:00",
      "description": "a-blog cms provided by appleple inc. contains untrusted data deserialization vulnerability (CWE-502).\r\n\r\nThe developer states that attacks exploiting the vulnerability has been observed on a-blog cms Ver.2.8.x series or later.\r\n\r\nappleple inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and appleple inc. coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000024.html",
      "sec:cpe": [
        {
          "#text": "cpe:/a:appleple:a-blog_cms",
          "@product": "a-blog cms",
          "@vendor": "appleple inc.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:appleple:a-blog_cms",
          "@product": "a-blog cms",
          "@vendor": "appleple inc.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:appleple:a-blog_cms",
          "@product": "a-blog cms",
          "@vendor": "appleple inc.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:appleple:a-blog_cms",
          "@product": "a-blog cms",
          "@vendor": "appleple inc.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:appleple:a-blog_cms",
          "@product": "a-blog cms",
          "@vendor": "appleple inc.",
          "@version": "2.2"
        },
        {
          "#text": "cpe:/a:appleple:a-blog_cms",
          "@product": "a-blog cms",
          "@vendor": "appleple inc.",
          "@version": "2.2"
        }
      ],
      "sec:cvss": {
        "@score": "7.5",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-000024",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN66982699/index.html",
          "@id": "JVN#66982699",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-31103",
          "@id": "CVE-2025-31103",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "a-blog cms vulnerable to untrusted data deserialization"
    }

    JVNDB-2024-000039

    Vulnerability from jvndb - Published: 2024-04-10 13:55 - Updated:2024-04-10 13:55
    Severity
    Summary
    Multiple vulnerabilities in a-blog cms
    Details
    a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. * Stored cross-site scripting vulnerability in Entry editing pages (CWE-79) - CVE-2024-30419 * Server-side request forgery (CWE-918) - CVE-2024-30420 * Directory traversal (CWE-22) - CVE-2024-31394 * Stored cross-site scripting vulnerability in Schedule labeling pages (CWE-79) - CVE-2024-31395 * Code injection (CWE-94) - CVE-2024-31396 Rikuto Tauchi of sangi reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000039.html",
      "dc:date": "2024-04-10T13:55+09:00",
      "dcterms:issued": "2024-04-10T13:55+09:00",
      "dcterms:modified": "2024-04-10T13:55+09:00",
      "description": "a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below.\r\n\r\n  * Stored cross-site scripting vulnerability in Entry editing pages (CWE-79) - CVE-2024-30419\r\n  * Server-side request forgery (CWE-918) - CVE-2024-30420\r\n  * Directory traversal (CWE-22) - CVE-2024-31394\r\n  * Stored cross-site scripting vulnerability in Schedule labeling pages (CWE-79) - CVE-2024-31395\r\n  * Code injection (CWE-94) - CVE-2024-31396\r\n\r\nRikuto Tauchi of sangi reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000039.html",
      "sec:cpe": {
        "#text": "cpe:/a:appleple:a-blog_cms",
        "@product": "a-blog cms",
        "@vendor": "appleple inc.",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "6.6",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-000039",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN70977403/index.html",
          "@id": "JVN#70977403",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-30419",
          "@id": "CVE-2024-30419",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-30420",
          "@id": "CVE-2024-30420",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-31394",
          "@id": "CVE-2024-31394",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-31395",
          "@id": "CVE-2024-31395",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-31396",
          "@id": "CVE-2024-31396",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-22",
          "@title": "Path Traversal(CWE-22)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-94",
          "@title": "Code Injection(CWE-94)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Multiple vulnerabilities in a-blog cms"
    }

    JVNDB-2024-000030

    Vulnerability from jvndb - Published: 2024-03-08 15:27 - Updated:2024-03-08 15:27
    Severity
    Summary
    a-blog cms vulnerable to directory traversal
    Details
    a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a directory traversal vulnerability (CWE-22). Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000030.html",
      "dc:date": "2024-03-08T15:27+09:00",
      "dcterms:issued": "2024-03-08T15:27+09:00",
      "dcterms:modified": "2024-03-08T15:27+09:00",
      "description": "a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains a directory traversal vulnerability (CWE-22).\r\n\r\nKentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000030.html",
      "sec:cpe": {
        "#text": "cpe:/a:appleple:a-blog_cms",
        "@product": "a-blog cms",
        "@vendor": "appleple inc.",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.5",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2024-000030",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN48443978/index.html",
          "@id": "JVN#48443978",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-27279",
          "@id": "CVE-2024-27279",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-22",
          "@title": "Path Traversal(CWE-22)"
        }
      ],
      "title": "a-blog cms vulnerable to directory traversal"
    }

    JVNDB-2024-000019

    Vulnerability from jvndb - Published: 2024-02-15 14:12 - Updated:2024-02-15 14:12
    Severity
    Summary
    a-blog cms vulnerable to URL spoofing
    Details
    a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains an URL spoofing vulnerability (CWE-451). Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000019.html",
      "dc:date": "2024-02-15T14:12+09:00",
      "dcterms:issued": "2024-02-15T14:12+09:00",
      "dcterms:modified": "2024-02-15T14:12+09:00",
      "description": "a-blog cms provided by appleple Inc. is a content management system (CMS). a-blog cms contains an URL spoofing vulnerability (CWE-451).\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000019.html",
      "sec:cpe": {
        "#text": "cpe:/a:appleple:a-blog_cms",
        "@product": "a-blog cms",
        "@vendor": "appleple inc.",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "4.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "4.7",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2024-000019",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN48966481/index.html",
          "@id": "JVN#48966481",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-25559",
          "@id": "CVE-2024-25559",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "a-blog cms vulnerable to URL spoofing"
    }