Search criteria
78 vulnerabilities found for a-blog_cms by appleple
FKIE_CVE-2025-41429
Vulnerability from fkie_nvd - Published: 2025-05-19 09:15 - Updated: 2025-09-30 19:05
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/vu/JVNVU90760614/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9BEE1198-0FD0-4EF7-B337-DB59A00506AB",
"versionEndIncluding": "2.8.85",
"versionStartIncluding": "2.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "179008A3-CD69-447C-9070-9D43B278B144",
"versionEndIncluding": "2.9.52",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FC3756F-A0EB-4F60-9F80-8571346F6A24",
"versionEndIncluding": "2.10.63",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "028EA7E6-66D2-45B3-9B3B-1A801DCD8280",
"versionEndIncluding": "2.11.75",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79B312B7-4093-4430-95D4-3622099C8D3A",
"versionEndIncluding": "3.0.47",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC0760E4-87CB-47F2-9B27-546303286C28",
"versionEndIncluding": "3.1.43",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user\u0027s session."
},
{
"lang": "es",
"value": "Varias versiones de a-blog cms neutralizan los registros incorrectamente. Si se explota esta vulnerabilidad con CVE-2025-36560, un atacante remoto no autenticado podr\u00eda secuestrar la sesi\u00f3n de un usuario leg\u00edtimo."
}
],
"id": "CVE-2025-41429",
"lastModified": "2025-09-30T19:05:09.840",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
},
"published": "2025-05-19T09:15:25.160",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-117"
}
],
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-27566
Vulnerability from fkie_nvd - Published: 2025-05-19 09:15 - Updated: 2025-09-30 19:22
Severity ?
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/vu/JVNVU90760614/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F79A94B-62EA-445F-A981-AEF212573C40",
"versionEndExcluding": "3.0.47",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CA6EF90-7365-4CFE-B74F-C2FF09E69E00",
"versionEndExcluding": "3.1.43",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Path Traversal en versiones de a-blog CMS anteriores a la 3.1.43 y a la 3.0.47. Se trata de un problema con la validaci\u00f3n de rutas insuficiente en la funci\u00f3n de copia de seguridad, y su explotaci\u00f3n requiere privilegios de administrador. Si se explota esta vulnerabilidad, un atacante remoto autenticado con privilegios de administrador podr\u00eda obtener o eliminar cualquier archivo del servidor."
}
],
"id": "CVE-2025-27566",
"lastModified": "2025-09-30T19:22:01.057",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
},
"published": "2025-05-19T09:15:24.627",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-32999
Vulnerability from fkie_nvd - Published: 2025-05-19 09:15 - Updated: 2025-09-30 19:20
Severity ?
Summary
Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/vu/JVNVU90760614/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F79A94B-62EA-445F-A981-AEF212573C40",
"versionEndExcluding": "3.0.47",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CA6EF90-7365-4CFE-B74F-C2FF09E69E00",
"versionEndExcluding": "3.1.43",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cross-site scripting en versiones de a-blog CMS anteriores a la 3.1.43 y a la 3.0.47. Este problema se presenta en un campo espec\u00edfico de la pantalla de edici\u00f3n de entradas y su explotaci\u00f3n requiere privilegios de colaborador o de nivel superior. Si se explota esta vulnerabilidad, se podr\u00eda ejecutar un script arbitrario en el navegador web del usuario que inicia sesi\u00f3n en el producto."
}
],
"id": "CVE-2025-32999",
"lastModified": "2025-09-30T19:20:42.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
},
"published": "2025-05-19T09:15:24.820",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-36560
Vulnerability from fkie_nvd - Published: 2025-05-19 09:15 - Updated: 2025-09-30 19:14
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/vu/JVNVU90760614/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9BEE1198-0FD0-4EF7-B337-DB59A00506AB",
"versionEndIncluding": "2.8.85",
"versionStartIncluding": "2.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "179008A3-CD69-447C-9070-9D43B278B144",
"versionEndIncluding": "2.9.52",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6FC3756F-A0EB-4F60-9F80-8571346F6A24",
"versionEndIncluding": "2.10.63",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "028EA7E6-66D2-45B3-9B3B-1A801DCD8280",
"versionEndIncluding": "2.11.75",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79B312B7-4093-4430-95D4-3622099C8D3A",
"versionEndIncluding": "3.0.47",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC0760E4-87CB-47F2-9B27-546303286C28",
"versionEndIncluding": "3.1.43",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de server-side request forgery en varias versiones de a-blog cms. Si se explota, un atacante remoto no autenticado podr\u00eda acceder a informaci\u00f3n confidencial mediante el env\u00edo de una solicitud especialmente manipulada."
}
],
"id": "CVE-2025-36560",
"lastModified": "2025-09-30T19:14:19.060",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
},
"published": "2025-05-19T09:15:24.987",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-31103
Vulnerability from fkie_nvd - Published: 2025-03-31 05:15 - Updated: 2025-05-13 15:15
Severity ?
Summary
Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/entry-4197.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/security-update202503.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN66982699/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60F04B77-7245-4462-A93E-B6EABF10070A",
"versionEndIncluding": "2.8.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E221BFF-CC8F-4CA6-ACF3-259586C36F43",
"versionEndIncluding": "2.9.46",
"versionStartIncluding": "2.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94D68E7F-750D-41C6-A7AF-50B817B5C717",
"versionEndExcluding": "2.10.58",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9FB4E-2C16-4989-9E08-3AE7BDD80518",
"versionEndExcluding": "2.11.70",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B7985F2B-BF4C-4B00-9988-D184037229A1",
"versionEndExcluding": "3.0.41",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "666198C0-5D1D-442F-8659-358F7AC09A0B",
"versionEndExcluding": "3.1.37",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de deserializaci\u00f3n de datos no confiables en a-blog CMS. Al procesar una solicitud especialmente manipulada, se pueden almacenar archivos arbitrarios en el servidor donde se ejecuta el producto. Esto puede aprovecharse para ejecutar un script arbitrario en el servidor."
}
],
"id": "CVE-2025-31103",
"lastModified": "2025-05-13T15:15:19.237",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-31T05:15:16.500",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/entry-4197.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/security-update202503.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN66982699/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "vultures@jpcert.or.jp",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-31394
Vulnerability from fkie_nvd - Published: 2024-05-22 05:15 - Updated: 2025-05-12 14:23
Severity ?
Summary
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "49BBE24F-A0EA-49F6-B2C2-732AF0DA0F87",
"versionEndExcluding": "2.10.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38B5399B-4410-471F-AC10-82E4946957F0",
"versionEndExcluding": "2.11.61",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5CDA3C7-736D-4E64-B2E0-7C45C702DF32",
"versionEndExcluding": "3.0.32",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "358CC9AE-9361-45BA-B28D-1AE64536FA46",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server."
},
{
"lang": "es",
"value": "La vulnerabilidad de Directory traversal existe en las versiones de la serie a-blog cms Ver.3.1.x anteriores a la Ver.3.1.12, versiones de la serie Ver.3.0.x anteriores a la Ver.3.0.32, versiones de la serie Ver.2.11.x anteriores a la Ver. 2.11.61, versiones de la serie Ver.2.10.x anteriores a la Ver.2.10.53 y Ver.2.9 y versiones anteriores. Si se explota esta vulnerabilidad, un usuario con un editor o un privilegio superior que pueda iniciar sesi\u00f3n en el producto puede obtener archivos arbitrarios en el servidor."
}
],
"id": "CVE-2024-31394",
"lastModified": "2025-05-12T14:23:14.540",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-22T05:15:53.053",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-31396
Vulnerability from fkie_nvd - Published: 2024-05-22 05:15 - Updated: 2025-05-12 14:23
Severity ?
Summary
Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5CDA3C7-736D-4E64-B2E0-7C45C702DF32",
"versionEndExcluding": "3.0.32",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "358CC9AE-9361-45BA-B28D-1AE64536FA46",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server."
},
{
"lang": "es",
"value": "La vulnerabilidad de inyecci\u00f3n de c\u00f3digo existe en las versiones de la serie a-blog cms Ver.3.1.x anteriores a la Ver.3.1.12 y en las versiones de la serie Ver.3.0.x anteriores a la Ver.3.0.32. Si se explota esta vulnerabilidad, un usuario con privilegios de administrador o superiores que pueda iniciar sesi\u00f3n en el producto puede ejecutar un comando arbitrario en el servidor."
}
],
"id": "CVE-2024-31396",
"lastModified": "2025-05-12T14:23:37.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-22T05:15:53.183",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-31395
Vulnerability from fkie_nvd - Published: 2024-05-22 05:15 - Updated: 2025-05-12 14:23
Severity ?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "49BBE24F-A0EA-49F6-B2C2-732AF0DA0F87",
"versionEndExcluding": "2.10.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38B5399B-4410-471F-AC10-82E4946957F0",
"versionEndExcluding": "2.11.61",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5CDA3C7-736D-4E64-B2E0-7C45C702DF32",
"versionEndExcluding": "3.0.32",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "358CC9AE-9361-45BA-B28D-1AE64536FA46",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page."
},
{
"lang": "es",
"value": "La vulnerabilidad de Cross-Site Scripting existe en las versiones de la serie a-blog cms Ver.3.1.x anteriores a la Ver.3.1.12, versiones de la serie Ver.3.0.x anteriores a la Ver.3.0.32, versiones de la serie Ver.2.11.x anteriores a Ver.2.11.61, versiones de la serie Ver.2.10.x anteriores a Ver.2.10.53 y Ver.2.9 y versiones anteriores. Si se explota esta vulnerabilidad, un usuario con un privilegio de editor o superior que pueda iniciar sesi\u00f3n en el producto puede ejecutar un script arbitrario en el navegador web del usuario que accedi\u00f3 a la p\u00e1gina de administraci\u00f3n de programaci\u00f3n."
}
],
"id": "CVE-2024-31395",
"lastModified": "2025-05-12T14:23:17.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-22T05:15:53.120",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-30420
Vulnerability from fkie_nvd - Published: 2024-05-22 05:15 - Updated: 2025-05-12 14:23
Severity ?
Summary
Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5CDA3C7-736D-4E64-B2E0-7C45C702DF32",
"versionEndExcluding": "3.0.32",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "358CC9AE-9361-45BA-B28D-1AE64536FA46",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public."
},
{
"lang": "es",
"value": "La vulnerabilidad de Server-Side Request Forgery (SSRF) existe en las versiones de la serie a-blog cms Ver.3.1.x anteriores a la Ver.3.1.12 y en las versiones de la serie Ver.3.0.x anteriores a la Ver.3.0.32. Si se explota esta vulnerabilidad, un usuario con privilegios de administrador o superiores que pueda iniciar sesi\u00f3n en el producto puede obtener archivos arbitrarios en el servidor e informaci\u00f3n en el servidor interno que no se divulga al p\u00fablico."
}
],
"id": "CVE-2024-30420",
"lastModified": "2025-05-12T14:23:35.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-22T05:15:52.983",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-30419
Vulnerability from fkie_nvd - Published: 2024-05-22 05:15 - Updated: 2025-05-12 14:23
Severity ?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://developer.a-blogcms.jp/blog/news/JVN-70977403.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN70977403/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * | |
| appleple | a-blog_cms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "49BBE24F-A0EA-49F6-B2C2-732AF0DA0F87",
"versionEndExcluding": "2.10.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38B5399B-4410-471F-AC10-82E4946957F0",
"versionEndExcluding": "2.11.61",
"versionStartIncluding": "2.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5CDA3C7-736D-4E64-B2E0-7C45C702DF32",
"versionEndExcluding": "3.0.32",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "358CC9AE-9361-45BA-B28D-1AE64536FA46",
"versionEndExcluding": "3.1.12",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product."
},
{
"lang": "es",
"value": "La vulnerabilidad de Cross-Site Scripting existe en las versiones de la serie a-blog cms Ver.3.1.x anteriores a la Ver.3.1.12, versiones de la serie Ver.3.0.x anteriores a la Ver.3.0.32, versiones de la serie Ver.2.11.x anteriores a Ver.2.11.61, versiones de la serie Ver.2.10.x anteriores a Ver.2.10.53 y Ver.2.9 y versiones anteriores. Si se explota esta vulnerabilidad, un usuario con un privilegio de colaborador o superior que pueda iniciar sesi\u00f3n en el producto puede ejecutar un script arbitrario en el navegador web del usuario que accedi\u00f3 al sitio web utilizando el producto."
}
],
"id": "CVE-2024-30419",
"lastModified": "2025-05-12T14:23:06.877",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-05-22T05:15:52.137",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2025-27566 (GCVE-0-2025-27566)
Vulnerability from cvelistv5 – Published: 2025-05-19 08:09 – Updated: 2025-05-19 14:42
VLAI?
Summary
Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server.
Severity ?
CWE
- CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
prior to Ver. 3.1.43 (Ver. 3.1.x series)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:42:37.649183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:42:50.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:09:26.427Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-27566",
"datePublished": "2025-05-19T08:09:26.427Z",
"dateReserved": "2025-05-12T23:37:57.129Z",
"dateUpdated": "2025-05-19T14:42:50.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32999 (GCVE-0-2025-32999)
Vulnerability from cvelistv5 – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:28
VLAI?
Summary
Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
prior to Ver. 3.1.43 (Ver. 3.1.x series)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:28:29.608680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:28:40.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:08:51.815Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-32999",
"datePublished": "2025-05-19T08:08:51.815Z",
"dateReserved": "2025-05-12T23:37:56.186Z",
"dateUpdated": "2025-05-19T15:28:40.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36560 (GCVE-0-2025-36560)
Vulnerability from cvelistv5 – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:45
VLAI?
Summary
Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.
Severity ?
8.6 (High)
CWE
- CWE-918 - Server-side request forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
Ver. 2.8.85 and earlier (Ver. 2.8.x series)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:45:12.728197Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:45:37.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-side request forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:08:00.732Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-36560",
"datePublished": "2025-05-19T08:08:00.732Z",
"dateReserved": "2025-05-12T23:37:55.230Z",
"dateUpdated": "2025-05-19T15:45:37.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41429 (GCVE-0-2025-41429)
Vulnerability from cvelistv5 – Published: 2025-05-19 08:07 – Updated: 2025-05-19 15:46
VLAI?
Summary
a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.
Severity ?
CWE
- CWE-117 - Improper output neutralization for logs
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
Ver. 2.8.85 and earlier (Ver. 2.8.x series)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:46:16.181139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:46:29.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user\u0027s session."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 2.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "Improper output neutralization for logs",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:07:38.068Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-41429",
"datePublished": "2025-05-19T08:07:38.068Z",
"dateReserved": "2025-05-12T23:37:54.373Z",
"dateUpdated": "2025-05-19T15:46:29.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31103 (GCVE-0-2025-31103)
Vulnerability from cvelistv5 – Published: 2025-03-31 04:54 – Updated: 2025-03-31 12:59
VLAI?
Summary
Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server.
Severity ?
7.5 (High)
CWE
- CWE-502 - Deserialization of untrusted data
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms (Ver.3.1.x series) |
Affected:
prior to Ver.3.1.37
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T12:59:04.427491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T12:59:20.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms (Ver.3.1.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.37"
}
]
},
{
"product": "a-blog cms (Ver.3.0.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.41"
}
]
},
{
"product": "a-blog cms (Ver.2.11.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.70"
}
]
},
{
"product": "a-blog cms (Ver.2.10.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.58"
}
]
},
{
"product": "a-blog cms (Ver.2.9.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.9.46"
}
]
},
{
"product": "a-blog cms (Ver. 2.8.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.8.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of untrusted data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T04:54:03.868Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/security-update202503.html"
},
{
"url": "https://developer.a-blogcms.jp/blog/news/entry-4197.html"
},
{
"url": "https://jvn.jp/en/jp/JVN66982699/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-31103",
"datePublished": "2025-03-31T04:54:03.868Z",
"dateReserved": "2025-03-26T09:54:15.256Z",
"dateUpdated": "2025-03-31T12:59:20.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31396 (GCVE-0-2024-31396)
Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2024-08-02 01:52
VLAI?
Summary
Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server.
Severity ?
6.6 (Medium)
CWE
- Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:3.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.0.32",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T17:39:52.677007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:44:24.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:42.765Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31396",
"datePublished": "2024-05-22T04:35:42.765Z",
"dateReserved": "2024-04-03T08:01:33.449Z",
"dateUpdated": "2024-08-02T01:52:56.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31395 (GCVE-0-2024-31395)
Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2024-10-31 14:53
VLAI?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page.
Severity ?
6.1 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:24:22.284116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T14:53:49.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:37.216Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31395",
"datePublished": "2024-05-22T04:35:37.216Z",
"dateReserved": "2024-04-03T02:24:22.988Z",
"dateUpdated": "2024-10-31T14:53:49.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31394 (GCVE-0-2024-31394)
Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2025-03-27 15:03
VLAI?
Summary
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.
Severity ?
6.5 (Medium)
CWE
- Directory traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31394",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T17:10:48.613952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:03:43.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:31.768Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31394",
"datePublished": "2024-05-22T04:35:31.768Z",
"dateReserved": "2024-04-03T02:24:22.988Z",
"dateUpdated": "2025-03-27T15:03:43.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30420 (GCVE-0-2024-30420)
Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2024-08-19 19:36
VLAI?
Summary
Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public.
Severity ?
4.4 (Medium)
CWE
- Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.32",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T19:22:17.028297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T19:36:17.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:26.240Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-30420",
"datePublished": "2024-05-22T04:35:26.240Z",
"dateReserved": "2024-03-27T03:59:36.078Z",
"dateUpdated": "2024-08-19T19:36:17.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30419 (GCVE-0-2024-30419)
Vulnerability from cvelistv5 – Published: 2024-05-22 04:35 – Updated: 2024-08-02 01:32
VLAI?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.0.32",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.11.61",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
},
{
"lessThan": "2.10.53",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:36:51.156737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T16:16:04.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:09.652Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-30419",
"datePublished": "2024-05-22T04:35:09.652Z",
"dateReserved": "2024-03-27T03:59:36.078Z",
"dateUpdated": "2024-08-02T01:32:07.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27566 (GCVE-0-2025-27566)
Vulnerability from nvd – Published: 2025-05-19 08:09 – Updated: 2025-05-19 14:42
VLAI?
Summary
Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server.
Severity ?
CWE
- CWE-22 - Improper limitation of a pathname to a restricted directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
prior to Ver. 3.1.43 (Ver. 3.1.x series)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:42:37.649183Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:42:50.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Path traversal vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and versions prior to Ver. 3.0.47. This is an issue with insufficient path validation in the backup feature, and exploitation requires the administrator privilege. If this vulnerability is exploited, a remote authenticated attacker with the administrator privilege may obtain or delete any file on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.8,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:09:26.427Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-27566",
"datePublished": "2025-05-19T08:09:26.427Z",
"dateReserved": "2025-05-12T23:37:57.129Z",
"dateUpdated": "2025-05-19T14:42:50.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32999 (GCVE-0-2025-32999)
Vulnerability from nvd – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:28
VLAI?
Summary
Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
prior to Ver. 3.1.43 (Ver. 3.1.x series)
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:28:29.608680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:28:40.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.1.43 (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver. 3.0.47 (Ver. 3.0.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms versions prior to Ver. 3.1.43 and prior to Ver. 3.0.47. This issue exists in a specific field in the entry editing screen, and exploitation requires contributor or higher level privileges. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the product."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:08:51.815Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-32999",
"datePublished": "2025-05-19T08:08:51.815Z",
"dateReserved": "2025-05-12T23:37:56.186Z",
"dateUpdated": "2025-05-19T15:28:40.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36560 (GCVE-0-2025-36560)
Vulnerability from nvd – Published: 2025-05-19 08:08 – Updated: 2025-05-19 15:45
VLAI?
Summary
Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.
Severity ?
8.6 (High)
CWE
- CWE-918 - Server-side request forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
Ver. 2.8.85 and earlier (Ver. 2.8.x series)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:45:12.728197Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:45:37.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-side request forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:08:00.732Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-36560",
"datePublished": "2025-05-19T08:08:00.732Z",
"dateReserved": "2025-05-12T23:37:55.230Z",
"dateUpdated": "2025-05-19T15:45:37.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41429 (GCVE-0-2025-41429)
Vulnerability from nvd – Published: 2025-05-19 08:07 – Updated: 2025-05-19 15:46
VLAI?
Summary
a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user's session.
Severity ?
CWE
- CWE-117 - Improper output neutralization for logs
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms |
Affected:
Ver. 2.8.85 and earlier (Ver. 2.8.x series)
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T15:46:16.181139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T15:46:29.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.8.85 and earlier (Ver. 2.8.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.1.43 and earlier (Ver. 3.1.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 3.0.47 and earlier (Ver. 3.0.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.11.75 and earlier (Ver. 2.11.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.10.63 and earlier (Ver. 2.10.x series)"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver. 2.9.52 and earlier (Ver. 2.9.x series)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "a-blog cms multiple versions neutralize logs improperly. If this vulnerability is exploited with CVE-2025-36560, a remote unauthenticated attacker may hijack a legitimate user\u0027s session."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 2.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "Improper output neutralization for logs",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T08:07:38.068Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVNVU-90760614.html"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90760614/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-41429",
"datePublished": "2025-05-19T08:07:38.068Z",
"dateReserved": "2025-05-12T23:37:54.373Z",
"dateUpdated": "2025-05-19T15:46:29.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31103 (GCVE-0-2025-31103)
Vulnerability from nvd – Published: 2025-03-31 04:54 – Updated: 2025-03-31 12:59
VLAI?
Summary
Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server.
Severity ?
7.5 (High)
CWE
- CWE-502 - Deserialization of untrusted data
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms (Ver.3.1.x series) |
Affected:
prior to Ver.3.1.37
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T12:59:04.427491Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T12:59:20.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms (Ver.3.1.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.37"
}
]
},
{
"product": "a-blog cms (Ver.3.0.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.41"
}
]
},
{
"product": "a-blog cms (Ver.2.11.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.70"
}
]
},
{
"product": "a-blog cms (Ver.2.10.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.58"
}
]
},
{
"product": "a-blog cms (Ver.2.9.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.9.46"
}
]
},
{
"product": "a-blog cms (Ver. 2.8.x series)",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.8.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Untrusted data deserialization vulnerability exists in a-blog cms. Processing a specially crafted request may store arbitrary files on the server where the product is running. This can be leveraged to execute an arbitrary script on the server."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of untrusted data",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T04:54:03.868Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/security-update202503.html"
},
{
"url": "https://developer.a-blogcms.jp/blog/news/entry-4197.html"
},
{
"url": "https://jvn.jp/en/jp/JVN66982699/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-31103",
"datePublished": "2025-03-31T04:54:03.868Z",
"dateReserved": "2025-03-26T09:54:15.256Z",
"dateUpdated": "2025-03-31T12:59:20.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31396 (GCVE-0-2024-31396)
Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2024-08-02 01:52
VLAI?
Summary
Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server.
Severity ?
6.6 (Medium)
CWE
- Code injection
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:3.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.0.32",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T17:39:52.677007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:44:24.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Code injection vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may execute an arbitrary command on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Code injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:42.765Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31396",
"datePublished": "2024-05-22T04:35:42.765Z",
"dateReserved": "2024-04-03T08:01:33.449Z",
"dateUpdated": "2024-08-02T01:52:56.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31395 (GCVE-0-2024-31395)
Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2024-10-31 14:53
VLAI?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page.
Severity ?
6.1 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:24:22.284116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T14:53:49.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the schedule management page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:37.216Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31395",
"datePublished": "2024-05-22T04:35:37.216Z",
"dateReserved": "2024-04-03T02:24:22.988Z",
"dateUpdated": "2024-10-31T14:53:49.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31394 (GCVE-0-2024-31394)
Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2025-03-27 15:03
VLAI?
Summary
Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server.
Severity ?
6.5 (Medium)
CWE
- Directory traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31394",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T17:10:48.613952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T15:03:43.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with an editor or higher privilege who can log in to the product may obtain arbitrary files on the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:31.768Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-31394",
"datePublished": "2024-05-22T04:35:31.768Z",
"dateReserved": "2024-04-03T02:24:22.988Z",
"dateUpdated": "2025-03-27T15:03:43.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30420 (GCVE-0-2024-30420)
Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2024-08-19 19:36
VLAI?
Summary
Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public.
Severity ?
4.4 (Medium)
CWE
- Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.32",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T19:22:17.028297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T19:36:17.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:26.240Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-30420",
"datePublished": "2024-05-22T04:35:26.240Z",
"dateReserved": "2024-03-27T03:59:36.078Z",
"dateUpdated": "2024-08-19T19:36:17.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30419 (GCVE-0-2024-30419)
Vulnerability from nvd – Published: 2024-05-22 04:35 – Updated: 2024-08-02 01:32
VLAI?
Summary
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product.
Severity ?
5.4 (Medium)
CWE
- Cross-site scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| appleple inc. | a-blog cms Ver.3.1.x series |
Affected:
prior to Ver.3.1.12
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:appleple:a-blog_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "a-blog_cms",
"vendor": "appleple",
"versions": [
{
"lessThan": "3.1.12",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
},
{
"lessThan": "3.0.32",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.11.61",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
},
{
"lessThan": "2.10.53",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T14:36:51.156737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T16:16:04.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:32:07.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "a-blog cms Ver.3.1.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.1.12"
}
]
},
{
"product": "a-blog cms Ver.3.0.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.3.0.32"
}
]
},
{
"product": "a-blog cms Ver.2.11.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.11.61"
}
]
},
{
"product": "a-blog cms Ver.2.10.x series",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "prior to Ver.2.10.53"
}
]
},
{
"product": "a-blog cms",
"vendor": "appleple inc.",
"versions": [
{
"status": "affected",
"version": "Ver.2.9 and earlier "
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12, Ver.3.0.x series versions prior to Ver.3.0.32, Ver.2.11.x series versions prior to Ver.2.11.61, Ver.2.10.x series versions prior to Ver.2.10.53, and Ver.2.9 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-22T04:35:09.652Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://developer.a-blogcms.jp/blog/news/JVN-70977403.html"
},
{
"url": "https://jvn.jp/en/jp/JVN70977403/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-30419",
"datePublished": "2024-05-22T04:35:09.652Z",
"dateReserved": "2024-03-27T03:59:36.078Z",
"dateUpdated": "2024-08-02T01:32:07.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}