Alfasado PowerCMS Vulnerability Advisory: XSS, Path Traversal, Unrestricted Upload (CVE-2025-36563, 41391, 41396, 46359, 54752, 54757)

Critical Vulnerability Information Vulnerability Overview Vulnerability ID: JVNVD-93412964 Product: PowerCMS by Alfasado Inc. Affected Versions: - PowerCMS 6.7 and earlier (PowerCMS 6.x series) - PowerCMS 5.3 and earlier (PowerCMS 5.x series) - PowerCMS 4.6 and earlier (PowerCMS 4.x series) Vulnerability Details Reflected Cross-Site Scripting (CWE-79): - CVSS v3.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VL:N/VA:N/SC:L/SL:S/A:N Base Score 5.3 - CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Base Score 6.1 - CVE-2025-36563 Stored Cross-Site Scripting (CWE-79): - CVSS v3.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VL:N/VA:N/SC:L/SL:S/A:N Base Score 5.1 - CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4 - CVE-2025-41391 Path Traversal in File Upload (CWE-22): - CVSS v3.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VL:A/L:SC/N/SE:N/SA:N Base Score 5.3 - CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/E:L/A:L Base Score 5.4 - CVE-2025-41396 Path Traversal in Backup Restoration (CWE-22): - CVSS v3.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VH:V/A:H/SC:N/SE:N/SA:N Base Score 8.6 - CVSS v3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2 - CVE-2025-46359 Improper Neutralization of Formula Elements in CSV Files (CWE-1236): - CVSS v3.0: AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VL:N/VA:N/SC:L/SL:S/A:L Base Score 4.8 - CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Base Score 6.5 - CVE-2025-54752 Unrestricted Upload of Dangerous File Types (CWE-434): - CVSS v3.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VEN/VA:N/SC:L/SL:S/A:L Base Score 5.1 - CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L Base Score 6.5 - CVE-2025-54757 Impact If an administrator accesses a malicious URL crafted by an attacker, arbitrary scripts may execute in the administrator’s browser. If a user accesses a malicious page, arbitrary scripts may execute in the user’s browser. Arbitrary files may be overwritten by product users. If an administrator restores a tampered backup file, arbitrary code may execute. If a user creates a malformed entry and it is downloaded as a CSV file by a victim and opened in their environment, embedded code may be executed. If an administrator accesses a malicious file uploaded by a product user, arbitrary scripts may execute in the administrator’s browser. Solution Update the software to the latest version, following the update instructions provided by the developer. Vendor Status Vendor: Alfasado Inc. Status: Vulnerable Last Updated: July 31, 2025 Vendor Notes: Alfasado Inc. Website Additional Information CVE IDs: - CVE-2025-36563 - CVE-2025-41391 - CVE-2025-41396 - CVE-2025-46359 - CVE-2025-54752 - CVE-2025-54757

Goal Reached Thanks to every supporter — we hit 100%!

Alfasado PowerCMS Vulnerability Advisory: XSS, Path Traversal, Unrestricted Upload (CVE-2025-36563, 41391, 41396, 46359, 54752, 54757)