User Manual

08.13.2024

MANUAL

Regarding a Cross-site Scripting Vulnerability in Pleasanter

Release date: May 25, 2023<br>
<br>
<h3>■Overview</h3>
It has been discovered that all versions of our product "Pleasanter" are vulnerable to cross-site scripting. If this vulnerability is exploited, a malicious third party could redirect users to external fraudulent sites, or leak or tamper with data registered in Pleasanter.<br>
The versions of Pleasanter affected by this issue are listed below. Please take the measures described under "Countermeasure".<br>
<br>
<h3>■How to check the affected version</h3>
The affected versions are as follows:<br>
<b>All versions prior to 1.3.38.1</b><br>
*Applies to both Community Edition and Enterprise Edition.<br>
*This also applies to versions 1.2, 1.1, 0.51, 0.50, 0.49 and earlier.<br>
<br>
Please refer to the following user manual page for how to check the version.<br>
"FAQ: How do I check the version of Pleasanter?"<br>
<a href="https://pleasanter.org/manual/faq-version">https://pleasanter.org/manual/faq-version</a><br>
<br>
<h3>■Vulnerability description</h3>
A logged-in general user can use a special notation in items that accept Markdown input (content, explanation, comments, etc.) to embed a script, which can lead users to external sites or execute scripts provided by Pleasanter. Anonymous users who cannot log in to Pleasanter cannot use this vulnerability to carry out attacks.<br>
<br>
<h3>■Threat posed by the vulnerability</h3>
A script planted by an attacker may redirect users to malicious external sites. In addition, if a Pleasanter administrator opens a page where an attacker has planted a script, the administrator may be made to perform administrative operations on Pleasanter unintentionally.<br>
<br>
<h3>■Countermeasure</h3>
<b>For customers using version 1.3.X</b><br>
Please upgrade to the fixed version, 1.3.38.2 or later (released on May 25, 2023). If you want to avoid upgrading, please apply the individual patch published in the "Temporary measures" section.<br>
<br>
<b>For customers using versions 1.2.X, 1.1.X, 0.51.X, 0.50.X, 0.49.X or earlier</b><br>
Please upgrade to the fixed version, 1.3.38.2 or later (released on May 25, 2023). If you want to avoid upgrading, customers with an annual support contract can contact the support desk to receive an individual patch tailored to their version. For more information, please contact the support desk.<br>
Customers who do not have an annual support service contract should upgrade to version 1.3.38.2. If you want to avoid upgrading, please sign up for the annual support service and contact us via the "Contact information" section below to receive an individual patch.<br>
<br>
<h3>■Temporary measures</h3>
<b>For customers using version 1.3.X</b><br>
Please download the individual patch from the page below.<br>
<a href="https://github.com/Implem/Implem.Pleasanter/issues/474">https://github.com/Implem/Implem.Pleasanter/issues/474</a><br>
<br>
[Note] If you upgrade to Pleasanter 1.3.38.2 or later after applying this individual patch, please delete the individual patch.<br>
<br>
<b>For customers using versions 1.2.X, 1.1.X, 0.51.X, 0.50.X, 0.49.X or earlier</b><br>
Please contact us via the support website. (Annual support contract required)<br>
<br>
<h3>■Change log</h3>
2023.5.25 This vulnerability has been made public.<br>
<br>
<h3>■Contact information</h3>
If you have any questions regarding this matter, please contact us using the information below.<br>
<p class="btn" style="width: 60%; margin: auto;"><a href="/contact/" target="_blank" class="c-btn">Contact us</a></p>
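The advisory describes the classic stored cross-site scripting pattern: user-supplied Markdown is rendered to HTML and shown to other logged-in users, including administrators, so any script that survives rendering runs in their sessions. The defensive control is to sanitize the rendered HTML against an allowlist before it is sent to the browser. The following is an added example illustrating that control; it is not Pleasanter's code and not the patch referenced above. It assumes the Markdown has already been rendered to HTML by some engine (not included), and the tag and attribute allowlists, the URL scheme allowlist and the sample inputs are assumptions constructed for this example.

```python
"""Allowlist-based sanitizer for HTML rendered from user-supplied Markdown.

Added example (not Pleasanter's code). It keeps only a small set of
formatting tags, drops every attribute except an allowlisted few, rejects
link targets whose URL scheme is not allowlisted, and removes <script> and
<style> elements together with their content. Everything else is emitted
as escaped text, so it can no longer be interpreted as markup.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists: assumptions for this example, not Pleasanter's configuration.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "pre",
                "ul", "ol", "li", "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}       # no event handlers, no style
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}          # tag and its text both go
VOID_TAGS = {"br"}                               # never gets a closing tag


def safe_url(value: str) -> bool:
    """Accept relative URLs and allowlisted schemes; reject e.g. javascript:."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        # convert_charrefs=True decodes entities, so "&#106;avascript:" in an
        # attribute is seen as "javascript:" and caught by safe_url().
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._open: list[str] = []      # allowed tags currently open
        self._dropping: str | None = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self._dropping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text content
        clean = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_url(value):
                continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag in self._open:           # close any tags left open inside it
            while self._open:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are silently dropped
    # because the base class handlers for them do nothing.

    def result(self) -> str:
        self.close()
        while self._open:               # balance anything the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_html(rendered: str) -> str:
    """Sanitize HTML produced by a Markdown renderer before it reaches a browser."""
    s = Sanitizer()
    s.feed(rendered)
    return s.result()


# Constructed sample inputs, as a Markdown renderer might emit them.
SAMPLES = {
    "benign": '<p>Status: <b>done</b>. See <a href="https://example.com/x">spec</a></p>',
    "script element": '<p>hello</p><script>alert(1)</script>',
    "event handler attribute": '<b onclick="alert(1)">click</b>',
    "javascript: link": '<a href="JavaScript:alert(1)">x</a>',
    "unlisted tag": '<p>note<iframe src="https://example.net"></iframe></p>',
    "escaped text stays text": '<p>&lt;script&gt;</p>',
}


def check_samples() -> dict[str, str]:
    return {name: sanitize_html(html) for name, html in SAMPLES.items()}


if __name__ == "__main__":
    for name, cleaned in check_samples().items():
        print(f"{name:28} -> {cleaned}")
```

Sanitizing the rendered output rather than the raw Markdown is the point: the Markdown syntax itself is not the attack surface, the HTML that ends up in the page is, so the allowlist has to be applied to the final HTML regardless of which notation produced it.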
The product and company names mentioned are registered trademarks or trademarks of their respective companies. © Implem Inc.