Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Hope-Boot by java-aodeng

    CVE-2025-6552 (GCVE-0-2025-6552)

    Vulnerability from nvd – Published: 2025-06-24 02:00 – Updated: 2025-06-24 16:55
    VLAI
    Title
    java-aodeng Hope-Boot Login WebController.java doLogin redirect
    Summary
    A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    java-aodeng Hope-Boot Affected: 1.0.0
    Create a notification for this product.
    Credits
    ShenxiuSecurity (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6552",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T16:54:22.861885Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T16:55:31.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Login"
              ],
              "product": "Hope-Boot",
              "vendor": "java-aodeng",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ShenxiuSecurity (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in java-aodeng Hope-Boot 1.0.0 ausgemacht. Es geht dabei um die Funktion doLogin der Datei /src/main/java/com/hope/controller/WebController.java der Komponente Login. Mittels dem Manipulieren des Arguments redirect_url mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-24T02:00:15.980Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-313692 | java-aodeng Hope-Boot Login WebController.java doLogin redirect",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.313692"
            },
            {
              "name": "VDB-313692 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.313692"
            },
            {
              "name": "Submit #596681 | java-aodeng hope-boot 1.0.0-release Open Redirect",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.596681"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-02.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-02.md#steps-to-reproduce"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-23T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-06-23T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-23T22:13:14.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "java-aodeng Hope-Boot Login WebController.java doLogin redirect"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-6552",
        "datePublished": "2025-06-24T02:00:15.980Z",
        "dateReserved": "2025-06-23T20:08:06.325Z",
        "dateUpdated": "2025-06-24T16:55:31.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-6551 (GCVE-0-2025-6551)

    Vulnerability from nvd – Published: 2025-06-24 01:31 – Updated: 2025-06-24 13:28
    VLAI
    Title
    java-aodeng Hope-Boot WebController.java login cross site scripting
    Summary
    A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    java-aodeng Hope-Boot Affected: 1.0.0
    Create a notification for this product.
    Credits
    ShenxiuSecurity (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6551",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T13:28:29.401326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T13:28:33.434Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-01/report.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Hope-Boot",
              "vendor": "java-aodeng",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ShenxiuSecurity (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine problematische Schwachstelle wurde in java-aodeng Hope-Boot 1.0.0 gefunden. Es geht hierbei um die Funktion Login der Datei /src/main/java/com/hope/controller/WebController.java. Durch Manipulation des Arguments errorMsg mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-24T01:31:08.210Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-313691 | java-aodeng Hope-Boot WebController.java login cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.313691"
            },
            {
              "name": "VDB-313691 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.313691"
            },
            {
              "name": "Submit #596615 | java-aodeng hope-boot 1.0.0-release Cross Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.596615"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-01/report.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-01/report.md#steps-to-reproduce"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-23T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-06-23T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-23T22:13:12.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "java-aodeng Hope-Boot WebController.java login cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-6551",
        "datePublished": "2025-06-24T01:31:08.210Z",
        "dateReserved": "2025-06-23T20:07:53.997Z",
        "dateUpdated": "2025-06-24T13:28:33.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-45611 (GCVE-0-2025-45611)

    Vulnerability from nvd – Published: 2025-05-05 00:00 – Updated: 2025-05-06 13:53
    VLAI
    Summary
    Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-284 - Improper Access Control
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-45611",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-06T13:52:11.693441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-06T13:53:00.221Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-05T19:14:03.609Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/java-aodeng/hope-boot/issues/86"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-45611",
        "datePublished": "2025-05-05T00:00:00.000Z",
        "dateReserved": "2025-04-22T00:00:00.000Z",
        "dateUpdated": "2025-05-06T13:53:00.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-6552 (GCVE-0-2025-6552)

    Vulnerability from cvelistv5 – Published: 2025-06-24 02:00 – Updated: 2025-06-24 16:55
    VLAI
    Title
    java-aodeng Hope-Boot Login WebController.java doLogin redirect
    Summary
    A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    java-aodeng Hope-Boot Affected: 1.0.0
    Create a notification for this product.
    Credits
    ShenxiuSecurity (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6552",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T16:54:22.861885Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T16:55:31.508Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Login"
              ],
              "product": "Hope-Boot",
              "vendor": "java-aodeng",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ShenxiuSecurity (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in java-aodeng Hope-Boot 1.0.0 ausgemacht. Es geht dabei um die Funktion doLogin der Datei /src/main/java/com/hope/controller/WebController.java der Komponente Login. Mittels dem Manipulieren des Arguments redirect_url mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "Open Redirect",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-24T02:00:15.980Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-313692 | java-aodeng Hope-Boot Login WebController.java doLogin redirect",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.313692"
            },
            {
              "name": "VDB-313692 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.313692"
            },
            {
              "name": "Submit #596681 | java-aodeng hope-boot 1.0.0-release Open Redirect",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.596681"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-02.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-02.md#steps-to-reproduce"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-23T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-06-23T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-23T22:13:14.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "java-aodeng Hope-Boot Login WebController.java doLogin redirect"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-6552",
        "datePublished": "2025-06-24T02:00:15.980Z",
        "dateReserved": "2025-06-23T20:08:06.325Z",
        "dateUpdated": "2025-06-24T16:55:31.508Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-6551 (GCVE-0-2025-6551)

    Vulnerability from cvelistv5 – Published: 2025-06-24 01:31 – Updated: 2025-06-24 13:28
    VLAI
    Title
    java-aodeng Hope-Boot WebController.java login cross site scripting
    Summary
    A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    java-aodeng Hope-Boot Affected: 1.0.0
    Create a notification for this product.
    Credits
    ShenxiuSecurity (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6551",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T13:28:29.401326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T13:28:33.434Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-01/report.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Hope-Boot",
              "vendor": "java-aodeng",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ShenxiuSecurity (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine problematische Schwachstelle wurde in java-aodeng Hope-Boot 1.0.0 gefunden. Es geht hierbei um die Funktion Login der Datei /src/main/java/com/hope/controller/WebController.java. Durch Manipulation des Arguments errorMsg mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-24T01:31:08.210Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-313691 | java-aodeng Hope-Boot WebController.java login cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.313691"
            },
            {
              "name": "VDB-313691 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.313691"
            },
            {
              "name": "Submit #596615 | java-aodeng hope-boot 1.0.0-release Cross Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.596615"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-01/report.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250613-01/report.md#steps-to-reproduce"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-23T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-06-23T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-23T22:13:12.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "java-aodeng Hope-Boot WebController.java login cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-6551",
        "datePublished": "2025-06-24T01:31:08.210Z",
        "dateReserved": "2025-06-23T20:07:53.997Z",
        "dateUpdated": "2025-06-24T13:28:33.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-45611 (GCVE-0-2025-45611)

    Vulnerability from cvelistv5 – Published: 2025-05-05 00:00 – Updated: 2025-05-06 13:53
    VLAI
    Summary
    Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-284 - Improper Access Control
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-45611",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-06T13:52:11.693441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-06T13:53:00.221Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect access control in the /user/edit/ component of hope-boot v1.0.0 allows attackers to bypass authentication via a crafted GET request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-05T19:14:03.609Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/java-aodeng/hope-boot/issues/86"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-45611",
        "datePublished": "2025-05-05T00:00:00.000Z",
        "dateReserved": "2025-04-22T00:00:00.000Z",
        "dateUpdated": "2025-05-06T13:53:00.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }