uatech 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting があり、vendor surface production workloads and vendor surface software deployment の利用場面で vendor impact session compromise などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-15398 | A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not | [email protected] | 2.9 | 0.03% | 2025-12-31 | 2026-04-29 |
| CVE-2025-52353 | An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php exte | [email protected] | 9.8 | 0.39% | 2025-08-26 | 2025-09-09 |
| CVE-2023-38970 | Cross Site Scripting vulnerabiltiy in Badaso v.0.0.1 thru v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the Name of member parameter in the add new member function. | [email protected] | 5.4 | 0.40% | 2023-08-30 | 2024-11-21 |
| CVE-2023-38971 | Cross Site Scripting vulnerabiltiy in Badaso v.0.0.1 thru v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the rack number parameter in the add new rack function. | [email protected] | 5.4 | 0.44% | 2023-08-29 | 2024-11-21 |
| CVE-2023-38969 | Cross Site Scripting vulnerabiltiy in Badaso v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the title parameter in the new book and edit book function. | [email protected] | 5.4 | 0.44% | 2023-08-28 | 2024-11-21 |
| CVE-2023-38974 | A stored cross-site scripting (XSS) vulnerability in the Edit Category function of Badaso v2.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. | [email protected] | 5.4 | 0.08% | 2023-08-25 | 2024-11-21 |
| CVE-2023-38973 | A stored cross-site scripting (XSS) vulnerability in the Add Tag function of Badaso v2.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. | [email protected] | 5.4 | 0.08% | 2023-08-25 | 2024-11-21 |
| CVE-2022-41705 | Badaso version 2.6.3 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | [email protected] | 9.8 | 5.95% | 2022-11-25 | 2025-04-29 |
| CVE-2022-41711 | Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users. | [email protected] | 9.8 | 10.00% | 2022-10-25 | 2025-05-07 |