Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for oa_git_free by bestfeng

    CVE-2025-13209 (GCVE-0-2025-13209)

    Vulnerability from nvd – Published: 2025-11-15 18:32 – Updated: 2025-11-17 15:58
    VLAI
    Title
    bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference
    Summary
    A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - XML External Entity Reference
    • CWE-610 - Externally Controlled Reference
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.332528 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.332528 signaturepermissions-required
    https://vuldb.com/?submit.685626 third-party-advisory
    https://github.com/bkglfpp/CVE-md/blob/main/%E4%B… exploit
    Impacted products
    Vendor Product Version
    bestfeng oa_git_free Affected: 9.0
    Affected: 9.1
    Affected: 9.2
    Affected: 9.3
    Affected: 9.4
    Affected: 9.5
    Create a notification for this product.
    Credits
    youran (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13209",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-17T15:58:27.666432Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-17T15:58:53.721Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "oa_git_free",
              "vendor": "bestfeng",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.0"
                },
                {
                  "status": "affected",
                  "version": "9.1"
                },
                {
                  "status": "affected",
                  "version": "9.2"
                },
                {
                  "status": "affected",
                  "version": "9.3"
                },
                {
                  "status": "affected",
                  "version": "9.4"
                },
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "youran (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in bestfeng oa_git_free up to 9.5 gefunden. Hierbei geht es um die Funktion updateWriteBack der Datei yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. Dank der Manipulation des Arguments writeProp mit unbekannten Daten kann eine xml external entity reference-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-610",
                  "description": "Externally Controlled Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-15T18:32:06.823Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-332528 | bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.332528"
            },
            {
              "name": "VDB-332528 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.332528"
            },
            {
              "name": "Submit #685626 | https://gitee.com/bestfeng/oa_git_free oa_git_free 8.0 XML external entity injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.685626"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-11-14T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-11-14T20:06:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-13209",
        "datePublished": "2025-11-15T18:32:06.823Z",
        "dateReserved": "2025-11-14T19:00:50.250Z",
        "dateUpdated": "2025-11-17T15:58:53.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13209 (GCVE-0-2025-13209)

    Vulnerability from cvelistv5 – Published: 2025-11-15 18:32 – Updated: 2025-11-17 15:58
    VLAI
    Title
    bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference
    Summary
    A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - XML External Entity Reference
    • CWE-610 - Externally Controlled Reference
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.332528 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.332528 signaturepermissions-required
    https://vuldb.com/?submit.685626 third-party-advisory
    https://github.com/bkglfpp/CVE-md/blob/main/%E4%B… exploit
    Impacted products
    Vendor Product Version
    bestfeng oa_git_free Affected: 9.0
    Affected: 9.1
    Affected: 9.2
    Affected: 9.3
    Affected: 9.4
    Affected: 9.5
    Create a notification for this product.
    Credits
    youran (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13209",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-17T15:58:27.666432Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-17T15:58:53.721Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "oa_git_free",
              "vendor": "bestfeng",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.0"
                },
                {
                  "status": "affected",
                  "version": "9.1"
                },
                {
                  "status": "affected",
                  "version": "9.2"
                },
                {
                  "status": "affected",
                  "version": "9.3"
                },
                {
                  "status": "affected",
                  "version": "9.4"
                },
                {
                  "status": "affected",
                  "version": "9.5"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "youran (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in bestfeng oa_git_free up to 9.5 gefunden. Hierbei geht es um die Funktion updateWriteBack der Datei yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. Dank der Manipulation des Arguments writeProp mit unbekannten Daten kann eine xml external entity reference-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit ist \u00f6ffentlich verf\u00fcgbar und k\u00f6nnte genutzt werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-610",
                  "description": "Externally Controlled Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-15T18:32:06.823Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-332528 | bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.332528"
            },
            {
              "name": "VDB-332528 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.332528"
            },
            {
              "name": "Submit #685626 | https://gitee.com/bestfeng/oa_git_free oa_git_free 8.0 XML external entity injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.685626"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-11-14T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-11-14T20:06:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-13209",
        "datePublished": "2025-11-15T18:32:06.823Z",
        "dateReserved": "2025-11-14T19:00:50.250Z",
        "dateUpdated": "2025-11-17T15:58:53.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }