h-mdm 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk cross-site scripting and パス処理の欠陥 などに関し、一部は ファイル上書き を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-43720 | Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password requires to escape out of the MDM controlled device's profile. | [email protected] | 6.5 | 0.35% | 2025-07-21 | 2026-06-17 |
| CVE-2023-47316 | Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control. The Web panel allows users to gain access to potentially sensitive API calls such as listing users and their data, file management API calls and audit-related API calls. | [email protected] | 5.4 | 0.42% | 2023-11-22 | 2026-06-17 |
| CVE-2023-47315 | Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to a hard-coded JWT Secret. The secret is hardcoded into the source code available to anyone on Git Hub. This secret is used to sign the application’s JWT token and verify the incoming user-supplied tokens. | [email protected] | 8.8 | 0.78% | 2023-11-22 | 2026-06-17 |
| CVE-2023-47314 | Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed | [email protected] | 5.4 | 0.41% | 2023-11-22 | 2026-06-17 |
| CVE-2023-47313 | Headwind MDM Web panel 5.22.1 is vulnerable to Directory Traversal. The application uses an API call to move the uploaded temporary file to the file directory during the file upload process. This API call receives two input parameters, such as path and localPath. The first one refers to the temporary file with an absolute path without validating it. Attackers may modify this API call by referring to arbitrary files. As a result, arbitrary files can be moved to the files directory and so they can | [email protected] | 5.4 | 0.79% | 2023-11-22 | 2026-06-17 |
| CVE-2023-47312 | Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Control due to Login Credential Leakage via Audit Entries. | [email protected] | 6.5 | 0.40% | 2023-11-22 | 2026-06-17 |