JVNDB-2025-000005

Vulnerability from jvndb - Published: 2025-01-27 14:25 - Updated:2025-01-27 14:25
Severity ?
6.1 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
EXIF Viewer Classic vulnerable to cross-site scripting
Details
EXIF Viewer Classic provided by Rodrigue (former Kakera) is a Google Chrome browser extension. The affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability (CWE-79). Versions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor informs us that the product has been refactored after those old versions and that the current version 3.0.1 is not vulnerable. Yuji Tounai of Mitsui Bussan Secure Directions, Inc. and Kouhei Morita reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Impacted products
Show details on JVN DB website
To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000005.html",
  "dc:date": "2025-01-27T14:25+09:00",
  "dcterms:issued": "2025-01-27T14:25+09:00",
  "dcterms:modified": "2025-01-27T14:25+09:00",
  "description": "EXIF Viewer Classic provided by Rodrigue (former Kakera) is a Google Chrome browser extension.\r\nThe affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability (CWE-79).\r\n\r\nVersions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor informs us that the product has been refactored after those old versions and that the current version 3.0.1 is not vulnerable.\r\n\r\nYuji Tounai of Mitsui Bussan Secure Directions, Inc. and Kouhei Morita reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000005.html",
  "sec:cpe": {
    "#text": "cpe:/a:misc:rodrigue_exif_viewer_classic",
    "@product": "EXIF Viewer Classic",
    "@vendor": "Rodrigue",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "6.1",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2025-000005",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN05508012/index.html",
      "@id": "JVN#05508012",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2025-23362",
      "@id": "CVE-2025-23362",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    }
  ],
  "title": "EXIF Viewer Classic vulnerable to cross-site scripting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.