CVE-2025-61950

EUVD-2025-203022
In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With some crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
groupsessiongroupsession
𝑥
< 5.3.0
groupsessiongroupsession
𝑥
< 5.3.2
groupsessiongroupsession
𝑥
< 5.3.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://groupsession.jp/info/info-news/security20251208
https://jvn.jp/en/jp/JVN19940619/