CVE-2025-61931
Description
Pleasanter contains a stored cross-site scripting vulnerability in Body, Description and Comments, which allows an attacker to execute an arbitrary script in a logged-in user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pleasanter versions 1.4.20.0 and earlier contain a stored XSS vulnerability in Body, Description, and Comments fields that allows authenticated users to execute arbitrary scripts in the browser of other logged-in users.
Vulnerability Overview
CVE-2025-61931 is a stored cross-site scripting (XSS) vulnerability in Pleasanter, a web-based business application platform by Implem Inc. The flaw resides in the Body, Description, and Comments fields, where an attacker can inject malicious scripts using special notation. This vulnerability is distinct from a related XSS in the attachment preview (CVE-2025-58070) but shares a similar root cause in insufficient input sanitization [1][2].
Attack Vector and Prerequisites
The attack requires the attacker to be authenticated as a regular user (anonymous users cannot exploit this flaw). The attacker crafts a payload using special notation within the Body, Description, or Comments fields of a record. When another logged-in user views the affected record, the injected script executes in their browser. The CVSS v3.1 base score is 5.4 (Medium), with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating low attack complexity but requiring user interaction (the victim must view the record) [2].
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to exfiltration or modification of Pleasanter data visible to the victim, or to redirection of the victim to an external malicious site. The impact is contained to application-level confidentiality and integrity, not system-level [1][2].
Mitigation Status
The developer has released version 1.4.21.0, which addresses this vulnerability. All users are advised to update to the latest version. Both Community and Enterprise Editions are affected for versions 1.4.20.0 and earlier [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.