Reflected Cross-Site Scripting Vulnerability in GroupSession by GroupSession Inc.
CVE-2025-65120

5.1MEDIUM

Key Information:

Vendor: Japan Total System Co.,ltd.
Status: Groupsession Free Edition; Groupsession Bycloud; Groupsession Zion
Vendor: CVE Published:; 12 December 2025

🔔 Create Japan Total System Co.,ltd. Vulnerability Alert

What is CVE-2025-65120?

A reflected cross-site scripting vulnerability was identified in GroupSession products, particularly affecting the Free edition, byCloud, and ZION versions prior to 5.7.1. This vulnerability allows an attacker to embed malicious scripts in a link, which can then execute an arbitrary script in the web browser of any user who accesses the crafted URL. Proper mitigations should be implemented to protect against unauthorized script execution and maintain user data integrity.

Affected Version(s)

GroupSession byCloud prior to ver5.7.1

GroupSession Free edition prior to ver5.7.1

GroupSession ZION prior to ver5.7.1

References

https://groupsession.jp/info/info-news/security20251208

https://jvn.jp/en/jp/JVN19940619/

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

CVSS V3.0

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Nov 27, 2025

JSON