Search
Find a vulnerability
Search criteria
6 vulnerabilities by Extra Innovation Inc.
CVE-2021-46686 (GCVE-0-2021-46686)
Vulnerability from nvd – Published: 2025-02-17 23:58 – Updated: 2025-02-18 15:41
VLAI
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Extra Innovation Inc. | acmailer CGI |
Affected:
ver.4.0.3 and earlier
|
|
| Extra Innovation Inc. | acmailer DB |
Affected:
ver.1.1.5 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:40:35.495948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:41:25.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "acmailer CGI",
"vendor": "Extra Innovation Inc.",
"versions": [
{
"status": "affected",
"version": "ver.4.0.3 and earlier"
}
]
},
{
"product": "acmailer DB",
"vendor": "Extra Innovation Inc.",
"versions": [
{
"status": "affected",
"version": "ver.1.1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T23:58:10.727Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://acmailer.jp/info/de.cgi?id=103"
},
{
"url": "https://www.acmailer.jp/info/de.cgi?id=102"
},
{
"url": "https://jvn.jp/en/jp/JVN96957439/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-46686",
"datePublished": "2025-02-17T23:58:10.727Z",
"dateReserved": "2025-02-12T07:20:49.360Z",
"dateUpdated": "2025-02-18T15:41:25.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49780 (GCVE-0-2023-49780)
Vulnerability from nvd – Published: 2025-02-12 07:42 – Updated: 2025-02-18 17:39
VLAI
Summary
Cross-site scripting vulnerability exists in acmailer CGI ver.4.0.5 and earlier. An arbitrary script may be executed on the web browser of the user who accessed the management page of the affected product.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Extra Innovation Inc. | acmailer CGI |
Affected:
ver.4.0.5 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:46:54.875439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:39:45.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "acmailer CGI",
"vendor": "Extra Innovation Inc.",
"versions": [
{
"status": "affected",
"version": "ver.4.0.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in acmailer CGI ver.4.0.5 and earlier. An arbitrary script may be executed on the web browser of the user who accessed the management page of the affected product."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T07:42:56.826Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://acmailer.jp/info/de.cgi?id=113"
},
{
"url": "https://jvn.jp/en/jp/JVN84319378/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49780",
"datePublished": "2025-02-12T07:42:56.826Z",
"dateReserved": "2025-02-07T06:34:04.219Z",
"dateUpdated": "2025-02-18T17:39:45.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46686 (GCVE-0-2021-46686)
Vulnerability from cvelistv5 – Published: 2025-02-17 23:58 – Updated: 2025-02-18 15:41
VLAI
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Extra Innovation Inc. | acmailer CGI |
Affected:
ver.4.0.3 and earlier
|
|
| Extra Innovation Inc. | acmailer DB |
Affected:
ver.1.1.5 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-46686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T15:40:35.495948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T15:41:25.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "acmailer CGI",
"vendor": "Extra Innovation Inc.",
"versions": [
{
"status": "affected",
"version": "ver.4.0.3 and earlier"
}
]
},
{
"product": "acmailer DB",
"vendor": "Extra Innovation Inc.",
"versions": [
{
"status": "affected",
"version": "ver.1.1.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T23:58:10.727Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://acmailer.jp/info/de.cgi?id=103"
},
{
"url": "https://www.acmailer.jp/info/de.cgi?id=102"
},
{
"url": "https://jvn.jp/en/jp/JVN96957439/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-46686",
"datePublished": "2025-02-17T23:58:10.727Z",
"dateReserved": "2025-02-12T07:20:49.360Z",
"dateUpdated": "2025-02-18T15:41:25.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49780 (GCVE-0-2023-49780)
Vulnerability from cvelistv5 – Published: 2025-02-12 07:42 – Updated: 2025-02-18 17:39
VLAI
Summary
Cross-site scripting vulnerability exists in acmailer CGI ver.4.0.5 and earlier. An arbitrary script may be executed on the web browser of the user who accessed the management page of the affected product.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Extra Innovation Inc. | acmailer CGI |
Affected:
ver.4.0.5 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49780",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:46:54.875439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T17:39:45.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "acmailer CGI",
"vendor": "Extra Innovation Inc.",
"versions": [
{
"status": "affected",
"version": "ver.4.0.5 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in acmailer CGI ver.4.0.5 and earlier. An arbitrary script may be executed on the web browser of the user who accessed the management page of the affected product."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T07:42:56.826Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://acmailer.jp/info/de.cgi?id=113"
},
{
"url": "https://jvn.jp/en/jp/JVN84319378/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2023-49780",
"datePublished": "2025-02-12T07:42:56.826Z",
"dateReserved": "2025-02-07T06:34:04.219Z",
"dateUpdated": "2025-02-18T17:39:45.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2025-000013
Vulnerability from jvndb - Published: 2025-02-14 16:39 - Updated:2025-02-14 16:39
Severity
Summary
acmailer CGI and acmailer DB vulnerable to OS command injection
Details
acmailer CGI and acmailer DB provided by Extra Innovation Inc. contain an OS command injection vulnerability (CWE-78).
Extra Innovation Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Extra Innovation Inc. coordinated under the Information Security Early Warning Partnership.
JPCERT/CC Addendum
The version fixing this vulnerability has been released on 2021.
This JVN is published responding to the developer's notification to JPCERT/CC on 2025 about the vulnerability and the product update information.
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000013.html",
"dc:date": "2025-02-14T16:39+09:00",
"dcterms:issued": "2025-02-14T16:39+09:00",
"dcterms:modified": "2025-02-14T16:39+09:00",
"description": "acmailer CGI and acmailer DB provided by Extra Innovation Inc. contain an OS command injection vulnerability (CWE-78).\r\n\r\nExtra Innovation Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Extra Innovation Inc. coordinated under the Information Security Early Warning Partnership.\r\n\r\n\u003cb\u003eJPCERT/CC Addendum\u003c/b\u003e\r\nThe version fixing this vulnerability has been released on 2021.\r\nThis JVN is published responding to the developer\u0027s notification to JPCERT/CC on 2025 about the vulnerability and the product update information.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000013.html",
"sec:cpe": {
"#text": "cpe:/a:misc:extrainnovation_acmailer",
"@product": "acmailer",
"@vendor": "Extra Innovation Inc.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "9.8",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000013",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN96957439/index.html",
"@id": "JVN#96957439",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2021-46686",
"@id": "CVE-2021-46686",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
}
],
"title": "acmailer CGI and acmailer DB vulnerable to OS command injection"
}
JVNDB-2025-000010
Vulnerability from jvndb - Published: 2025-02-12 15:05 - Updated:2025-02-12 15:05
Severity
Summary
acmailer vulnerable to cross-site scripting
Details
acmailer provided by Extra Innovation Inc. contains a cross-site scripting vulnerability (CWE-79).
This vulnerability was reported to IPA, and JPCERT/CC started coordination with the developer in 2023.
The developer released the fixed version on 2023.
The coordination between JPCERT/CC and the developer completed and this JVN is published on 2025.
Yuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000010.html",
"dc:date": "2025-02-12T15:05+09:00",
"dcterms:issued": "2025-02-12T15:05+09:00",
"dcterms:modified": "2025-02-12T15:05+09:00",
"description": "acmailer provided by Extra Innovation Inc. contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nThis vulnerability was reported to IPA, and JPCERT/CC started coordination with the developer in 2023.\r\nThe developer released the fixed version on 2023.\r\nThe coordination between JPCERT/CC and the developer completed and this JVN is published on 2025.\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000010.html",
"sec:cpe": {
"#text": "cpe:/a:misc:extrainnovation_acmailer",
"@product": "acmailer",
"@vendor": "Extra Innovation Inc.",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2025-000010",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN84319378/index.html",
"@id": "JVN#84319378",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2023-49780",
"@id": "CVE-2023-49780",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "acmailer vulnerable to cross-site scripting"
}