Cross-site Scripting and Directory Traversal Vulnerabilities in Pleasanter
Release date June 22, 2023<br>
<br>
<h3>■Overview</h3>
It has been discovered that all versions of our product "Pleasanter" are vulnerable to cross-site scripting and directory traversal. If these vulnerabilities are exploited, malicious third parties may redirect users to external fraudulent sites, or leak or tamper with data registered in Pleasanter.<br>
The versions of Pleasanter affected by this issue are listed below. Please take the measures listed in the countermeasures.<br>
<br>
<h3>■How to check the affected version</h3>
The affected versions are as follows:<br>
・All versions prior to 1.3.39.2<br>
*This applies to both Community Edition and Enterprise Edition.<br>
*This also applies to versions 1.2, 1.1, 0.51, 0.50, 0.49 and earlier.<br>
・Please refer to the following user manual for how to check the version.<br>
"<a href="https://pleasanter.org/manual/faq-version">FAQ: I want to check the version of Pleasanter</a>"<br>
<br>
<h3>■Vulnerability description</h3>
When a logged-in general user pastes an image into a content or description item, a comment, or a similar field, or attaches a file to an attachment item, the request can be tampered with so that it leads to an external site or executes a script served by Pleasanter, and so that files are uploaded to unexpected folders. Anonymous users who cannot log in to Pleasanter cannot carry out attacks using this vulnerability.<br>
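The tampering described above is about two checks an upload handler has to make: that a client-supplied filename is stored inside the intended attachment folder and nowhere else, and that something pasted or attached "as an image" is really an image and is rendered without becoming markup. The Python below is an added illustration of those checks written for this page; it is not Pleasanter's code and does not describe its fix, and the upload directory, the accepted image signatures and the function names are assumptions.<br>

```python
import html
import os

# Hypothetical upload directory; the advisory does not describe Pleasanter's
# real attachment storage layout.
UPLOAD_ROOT = "/srv/pleasanter-uploads"

# Magic bytes of the image formats an image paste/attach handler would expect
# (assumed set, chosen for the example).
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def resolve_upload_path(upload_root: str, client_filename: str) -> str:
    """Return the absolute path where a client-supplied filename may be stored.

    Raises ValueError when the name would land outside upload_root or in a
    sub-directory of it (the "unexpected folders" of the advisory).
    """
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators as well: Pleasanter also runs on Windows.
    name = client_filename.replace("\\", "/")
    root = os.path.realpath(upload_root)
    # os.path.join discards root when name is absolute, and realpath collapses
    # any '..' segments; both cases are then caught by the checks below.
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("filename escapes the upload root")
    if os.path.dirname(candidate) != root:
        raise ValueError("filename must not contain sub-directories")
    return candidate


def sniff_image_type(payload: bytes) -> str:
    """Return the MIME type implied by the payload's leading bytes.

    Raises ValueError if the bytes do not start like any accepted image, so a
    "pasted image" whose body is really HTML or script is rejected before it
    is stored and later served back to other users.
    """
    for mime, magic in IMAGE_SIGNATURES.items():
        if payload.startswith(magic):
            return mime
    raise ValueError("payload is not a recognised image")


def render_attachment_link(client_filename: str, url: str) -> str:
    """Build the HTML for an attachment link with both values escaped.

    html.escape(quote=True) converts quotes as well as angle brackets, so a
    filename cannot break out of the attribute or inject markup into the page.
    """
    safe_name = html.escape(client_filename, quote=True)
    safe_url = html.escape(url, quote=True)
    return f'<a href="{safe_url}">{safe_name}</a>'


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    print(resolve_upload_path(UPLOAD_ROOT, "report.pdf"))
    for bad in ("../../etc/passwd", "/etc/passwd", "sub/dir.png"):
        try:
            resolve_upload_path(UPLOAD_ROOT, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
    print(sniff_image_type(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(render_attachment_link('<b>"name"</b>.png', "/files/1"))
```

The containment check uses the resolved path rather than string matching on "..", so encoded or mixed-separator variants are handled by the same rule; the content check relies on the bytes rather than the client's declared content type, which is under the client's control.<br>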
<br>
<h3>■Threat posed by vulnerabilities</h3>
A script planted by the attacker may redirect users to malicious external sites, or, if a Pleasanter administrator opens a page where the attacker planted the script, it may cause the administrator to unintentionally perform administrative operations on Pleasanter. Files may also be saved to unexpected folders.<br>
<br>
<h3>■Countermeasure</h3>
・For customers using versions 1.3.X, 1.2.X, 1.1.X, 0.51.X, 0.50.X, 0.49.X or earlier<br>
Please upgrade to the latest version, 1.3.40.0 or later (released June 6, 2023), which contains the fix.<br>
* Individual patches will not be provided to address the issue without upgrading.<br>
・For customers using a dedicated environment<br>
We will update the version as soon as possible after adjusting the schedule separately. (A restart is required.)<br>
<br>
<h3>■Change log</h3>
2023.6.22 This vulnerability has been made public.<br>
<br>
<h3>■Contact information</h3>
If you have any questions, please contact us via the form below.<br>
Inquiry form<br>
<a href="https://pleasanter.org/contact/">https://pleasanter.org/contact/</a><br>