CVE-2025-61950
Improper Authorization Allows Memo Modification in GroupSession
Publication date: 2025-12-12
Last updated on: 2026-02-17
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| groupsession | groupsession | to 5.3.3 (exc) |
| groupsession | groupsession | to 5.3.0 (exc) |
| groupsession | groupsession | to 5.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GroupSession allows a logged-in user to alter the memo field of a Circular notice, which is supposed to be non-editable. The authorization check for editing the memo field is improperly implemented, enabling modification through a crafted request. It affects GroupSession Free edition prior to version 5.3.0, GroupSession byCloud prior to version 5.3.3, and GroupSession ZION prior to version 5.3.2.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing unauthorized modification of the memo field in Circular notices within GroupSession. This could lead to integrity issues, where information in the memo field is altered without proper authorization, potentially causing misinformation or misuse of the system's notice functionality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update GroupSession to the latest versions: GroupSession Free edition to version 5.3.0 or later, GroupSession byCloud to version 5.3.3 or later, and GroupSession ZION to version 5.3.2 or later. [2]