XML External Entity Reference Vulnerability in CRMEB Java E-commerce System
CVE-2025-2365

6.3 MEDIUM

Key Information:

Vendor: CRMEB
CVE Published: 17 March 2025

What is CVE-2025-2365?

A vulnerability has been identified in CRMEB Java E-commerce System versions up to 1.3.4, specifically in the webHook function of WeChatMessageController.java. The endpoint parses attacker-controlled XML in a way that allows XML External Entity (XXE) injection, so an attacker who can manipulate the XML input to this handler can trigger the flaw remotely. The details of this vulnerability have been made public, highlighting the urgent need for users to review their systems for exposure.
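The usual root cause of XXE in a Java webhook is a DocumentBuilderFactory left at its defaults, which resolves DOCTYPE declarations and external entities. The following is an added example, not code from CRMEB or from the advisory: a hypothetical HardenedWeChatXmlParser class that puts the default (vulnerable) factory configuration beside a hardened one and shows that a WeChat-style callback message still parses while any document carrying a DOCTYPE is rejected. The message layout, element names and sample values are constructed for the example; the JAXP feature and attribute names are the standard ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXParseException;

/** Hypothetical hardened parser for WeChat push messages; not CRMEB's code. */
public final class HardenedWeChatXmlParser {

    /** The vulnerable pattern: a default factory honours DOCTYPE and resolves external entities. */
    public static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: no DOCTYPE, no external entities, no external DTD or schema access. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: a WeChat callback never needs a DOCTYPE, and with DOCTYPE
        // declarations forbidden no entity, internal or external, can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that support the SAX features but not the Xerces one above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string denies every protocol for external DTD/schema fetches.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** Extracts MsgType from a WeChat-style message; throws SAXParseException if the parser rejects it. */
    public static String msgType(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element root = doc.getDocumentElement();
        return root.getElementsByTagName("MsgType").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the shape of a WeChat text-message callback.
        String benign = "<xml><ToUserName><![CDATA[gh_example]]></ToUserName>"
                + "<FromUserName><![CDATA[openid_example]]></FromUserName>"
                + "<MsgType><![CDATA[text]]></MsgType><Content><![CDATA[hi]]></Content></xml>";
        // Constructed sample carrying a DOCTYPE with a harmless internal entity; every
        // entity declaration, including an external one, needs a DOCTYPE like this.
        String withDoctype = "<!DOCTYPE xml [<!ENTITY greet \"hi\">]>"
                + "<xml><MsgType>text</MsgType><Content>&greet;</Content></xml>";

        System.out.println("benign message, hardened parser  -> " + msgType(hardenedBuilder(), benign));
        System.out.println("DOCTYPE message, default parser  -> " + msgType(defaultBuilder(), withDoctype));
        try {
            msgType(hardenedBuilder(), withDoctype);
            System.out.println("DOCTYPE message, hardened parser -> accepted (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE message, hardened parser -> rejected: " + e.getMessage());
        }
    }
}
```

The first feature is the one that matters: disallowing DOCTYPE removes the mechanism that XXE depends on, and the remaining settings only protect against a parser implementation that ignores it. When reviewing a codebase for this class of issue, look for every DocumentBuilderFactory, SAXParserFactory, XMLInputFactory and similar parser created without these settings on a path that reads request bodies.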

References

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
