Arbitrary Password Reset Vulnerability in YunzMall HTTP POST Request
CVE-2025-0331

6.9MEDIUM

Key Information:

Vendor

YunzMall

Status
Yunzmall
Vendor
CVE Published:
9 January 2025

Badges

👾 Exploit Exists

What is CVE-2025-0331?

A vulnerability has been identified in YunzMall versions up to 2.4.2, specifically within the changePwd function of the ResetpwdController.php file. This weakness allows for remote manipulation of the password recovery process, potentially enabling unauthorized access to user accounts through weak recovery mechanisms. The exploit has been publicly disclosed, raising significant security concerns. Despite early notification, the vendor has not acknowledged this issue.

Affected Version(s)

YunzMall 2.4.0

YunzMall 2.4.1

YunzMall 2.4.2

References

https://vuldb.com/?id.290819
vdb-entrytechnical-description
https://vuldb.com/?ctiid.290819
signaturepermissions-required
https://vuldb.com/?submit.471663
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

glzjin (VulDB User)
.
CVE-2025-0331 : Arbitrary Password Reset Vulnerability in YunzMall HTTP POST Request