Search criteria
6 vulnerabilities found for JPlatform by Jalios
CVE-2025-0942 (GCVE-0-2025-0942)
Vulnerability from cvelistv5 – Published: 2025-04-07 21:35 – Updated: 2025-11-19 20:28
VLAI?
Title
Jalios JPlatform 10 SP6 < 10.0.6 Record Chooser SQL Injection
Summary
The DB chooser functionality in Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection.
This issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was issued 2023-02-06.
Severity ?
8.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Arthur Deloffre (Vozec)
Tristan Bizien (Bizi)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:52:34.954355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:52:43.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "JPlatform",
"vendor": "Jalios",
"versions": [
{
"lessThan": "10.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arthur Deloffre (Vozec)"
},
{
"lang": "en",
"type": "finder",
"value": "Tristan Bizien (Bizi)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe DB chooser functionality in\u0026nbsp;Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection.\u003c/div\u003e\u003cp\u003eThis issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was issued 2023-02-06.\u003c/p\u003e"
}
],
"value": "The DB chooser functionality in\u00a0Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection.\n\nThis issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was issued 2023-02-06."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:28:43.044Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.jalios.com/jcms/jc2_734797/fr/avertissement-de-securite-2023-02-06"
},
{
"tags": [
"patch"
],
"url": "https://community.jalios.com/patchplugin-10.0.6"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/jalios-jplatform-record-chooser-sqli"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jalios JPlatform 10 SP6 \u003c 10.0.6 Record Chooser SQL Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-0942",
"datePublished": "2025-04-07T21:35:31.322Z",
"dateReserved": "2025-01-31T18:32:39.809Z",
"dateUpdated": "2025-11-19T20:28:43.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25036 (GCVE-0-2025-25036)
Vulnerability from cvelistv5 – Published: 2025-03-21 19:27 – Updated: 2025-11-19 20:26
VLAI?
Title
Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)
Summary
Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).
Severity ?
6.8 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Credits
Arthur Deloffre (Vozec)
Tristan Bizien (Bizi)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T19:49:39.974923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T19:50:06.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "JPlatform",
"vendor": "Jalios",
"versions": [
{
"lessThan": "10.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.8",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arthur Deloffre (Vozec)"
},
{
"lang": "en",
"type": "finder",
"value": "Tristan Bizien (Bizi)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.\u003cp\u003eThis issue affects all versions of JPlatform 10 before 10.0.8 (SP8).\u003c/p\u003e"
}
],
"value": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8)."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:26:50.070Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"url": "https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11250"
},
{
"url": "https://vulncheck.com/advisories/jalios-jplatform-xxe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-25036",
"datePublished": "2025-03-21T19:27:12.472Z",
"dateReserved": "2025-01-31T18:32:36.214Z",
"dateUpdated": "2025-11-19T20:26:50.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25035 (GCVE-0-2025-25035)
Vulnerability from cvelistv5 – Published: 2025-03-21 19:02 – Updated: 2025-11-19 20:26
VLAI?
Title
Jalios JPlatform 10 Multiple Cross-Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.This issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Credits
Arthur Deloffre (Vozec)
Tristan Bizien (Bizi)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T19:24:21.316651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T19:24:57.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "JPlatform",
"vendor": "Jalios",
"versions": [
{
"lessThan": "10.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "10.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.8",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arthur Deloffre (Vozec)"
},
{
"lang": "en",
"type": "finder",
"value": "Tristan Bizien (Bizi)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.\u003cp\u003eThis issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.This issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
},
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:26:02.084Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"url": "https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11259"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11246"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11248"
},
{
"url": "https://vulncheck.com/advisories/jalios-jplatform-xss"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jalios JPlatform 10 Multiple Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-25035",
"datePublished": "2025-03-21T19:02:39.718Z",
"dateReserved": "2025-01-31T18:32:36.214Z",
"dateUpdated": "2025-11-19T20:26:02.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0942 (GCVE-0-2025-0942)
Vulnerability from nvd – Published: 2025-04-07 21:35 – Updated: 2025-11-19 20:28
VLAI?
Title
Jalios JPlatform 10 SP6 < 10.0.6 Record Chooser SQL Injection
Summary
The DB chooser functionality in Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection.
This issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was issued 2023-02-06.
Severity ?
8.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Arthur Deloffre (Vozec)
Tristan Bizien (Bizi)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:52:34.954355Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T14:52:43.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "JPlatform",
"vendor": "Jalios",
"versions": [
{
"lessThan": "10.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arthur Deloffre (Vozec)"
},
{
"lang": "en",
"type": "finder",
"value": "Tristan Bizien (Bizi)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe DB chooser functionality in\u0026nbsp;Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection.\u003c/div\u003e\u003cp\u003eThis issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was issued 2023-02-06.\u003c/p\u003e"
}
],
"value": "The DB chooser functionality in\u00a0Jalios JPlatform 10 SP6 before 10.0.6 improperly neutralizes special elements used in an SQL command allows for unauthenticated users to trigger SQL Injection.\n\nThis issue affects JPlatform before 10.0.6 and a PatchPlugin release 10.0.6 was issued 2023-02-06."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:28:43.044Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.jalios.com/jcms/jc2_734797/fr/avertissement-de-securite-2023-02-06"
},
{
"tags": [
"patch"
],
"url": "https://community.jalios.com/patchplugin-10.0.6"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/jalios-jplatform-record-chooser-sqli"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jalios JPlatform 10 SP6 \u003c 10.0.6 Record Chooser SQL Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-0942",
"datePublished": "2025-04-07T21:35:31.322Z",
"dateReserved": "2025-01-31T18:32:39.809Z",
"dateUpdated": "2025-11-19T20:28:43.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25036 (GCVE-0-2025-25036)
Vulnerability from nvd – Published: 2025-03-21 19:27 – Updated: 2025-11-19 20:26
VLAI?
Title
Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)
Summary
Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).
Severity ?
6.8 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Credits
Arthur Deloffre (Vozec)
Tristan Bizien (Bizi)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T19:49:39.974923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T19:50:06.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "JPlatform",
"vendor": "Jalios",
"versions": [
{
"lessThan": "10.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.8",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arthur Deloffre (Vozec)"
},
{
"lang": "en",
"type": "finder",
"value": "Tristan Bizien (Bizi)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.\u003cp\u003eThis issue affects all versions of JPlatform 10 before 10.0.8 (SP8).\u003c/p\u003e"
}
],
"value": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8)."
}
],
"impacts": [
{
"capecId": "CAPEC-250",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-250 XML Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:26:50.070Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"url": "https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11250"
},
{
"url": "https://vulncheck.com/advisories/jalios-jplatform-xxe"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-25036",
"datePublished": "2025-03-21T19:27:12.472Z",
"dateReserved": "2025-01-31T18:32:36.214Z",
"dateUpdated": "2025-11-19T20:26:50.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25035 (GCVE-0-2025-25035)
Vulnerability from nvd – Published: 2025-03-21 19:02 – Updated: 2025-11-19 20:26
VLAI?
Title
Jalios JPlatform 10 Multiple Cross-Site Scripting (XSS)
Summary
Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.This issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Credits
Arthur Deloffre (Vozec)
Tristan Bizien (Bizi)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T19:24:21.316651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-21T19:24:57.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "JPlatform",
"vendor": "Jalios",
"versions": [
{
"lessThan": "10.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "10.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.8",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.7",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0.6",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arthur Deloffre (Vozec)"
},
{
"lang": "en",
"type": "finder",
"value": "Tristan Bizien (Bizi)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.\u003cp\u003eThis issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation Cross-site Scripting vulnerability in Jalios JPlatform 10 allows for Reflected XSS and Stored XSS.This issue affects JPlatform 10: before 10.0.8 (SP8), before 10.0.7 (SP7), before 10.0.6 (SP6) and Jalios Workplace 6.2, Jalios Workplace 6.1, Jalios Workplace 6.0, and Jalios Workplace 5.3 to 5.5"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
},
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:26:02.084Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"url": "https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11259"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11246"
},
{
"url": "https://issues.jalios.com/browse/JCMS-11248"
},
{
"url": "https://vulncheck.com/advisories/jalios-jplatform-xss"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Jalios JPlatform 10 Multiple Cross-Site Scripting (XSS)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-25035",
"datePublished": "2025-03-21T19:02:39.718Z",
"dateReserved": "2025-01-31T18:32:36.214Z",
"dateUpdated": "2025-11-19T20:26:02.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}