XML External Entity Reference Vulnerability in CRMEB Java E-commerce System
CVE-2025-2365

6.3MEDIUM

Key Information:

Vendor

CRMEB

Status
CRMEB Java E-commerce System
Vendor
CVE Published:
17 March 2025

What is CVE-2025-2365?

A vulnerability has been identified in versions of CRMEB Java E-commerce System up to 1.3.4, specifically within the webHook function of WeChatMessageController.java. This issue allows for XML External Entity (XXE) injection, potentially enabling an attacker to manipulate XML input and launch remote exploitation. The details of this vulnerability have been made public, highlighting the urgent need for users to review their systems for exposure.

References

https://github.com/jmx0hxq/Vulnerability-learning/blob/ma...
https://vuldb.com/?ctiid.299864
https://vuldb.com/?id.299864

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.
CVE-2025-2365 : XML External Entity Reference Vulnerability in CRMEB Java E-commerce System