Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
20 vulnerabilities by exrick
CVE-2023-36331 (GCVE-0-2023-36331)
Vulnerability from cvelistv5 – Published: 2026-01-12 00:00 – Updated: 2026-01-12 20:12
VLAI
Summary
Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-36331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-12T20:10:24.330003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T20:12:16.471Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users\u0027 order details via manipulation of the query parameter userId."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T19:47:14.487Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/100"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36331",
"datePublished": "2026-01-12T00:00:00.000Z",
"dateReserved": "2023-06-21T00:00:00.000Z",
"dateUpdated": "2026-01-12T20:12:16.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65540 (GCVE-0-2025-65540)
Vulnerability from cvelistv5 – Published: 2025-11-29 00:00 – Updated: 2025-12-01 14:49
VLAI
Summary
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65540",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T14:47:59.938260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:49:02.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T03:26:05.636Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/101"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-65540",
"datePublished": "2025-11-29T00:00:00.000Z",
"dateReserved": "2025-11-18T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:49:02.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8528 (GCVE-0-2025-8528)
Vulnerability from cvelistv5 – Published: 2025-08-04 22:02 – Updated: 2025-08-05 13:35
VLAI
Title
Exrick xboot getMenuList sensitive information in a cookie
Summary
A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318654 | vdb-entry |
| https://vuldb.com/?ctiid.318654 | signaturepermissions-required |
| https://vuldb.com/?submit.622175 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/69 | issue-tracking |
| https://github.com/Exrick/xboot/issues/69#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8528",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T13:35:17.163825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T13:35:38.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in Exrick xboot bis 3.3.4 entdeckt. Betroffen hiervon ist ein unbekannter Ablauf der Datei /xboot/permission/getMenuList. Mittels Manipulieren mit unbekannten Daten kann eine cleartext storage of sensitive information in a cookie-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-315",
"description": "Cleartext Storage of Sensitive Information in a Cookie",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T22:02:06.163Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318654 | Exrick xboot getMenuList sensitive information in a cookie",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318654"
},
{
"name": "VDB-318654 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318654"
},
{
"name": "Submit #622175 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 User\u0027s Sensitive Information is included in Cookies",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622175"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/69"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/69#issue-3252177305"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot getMenuList sensitive information in a cookie"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8528",
"datePublished": "2025-08-04T22:02:06.163Z",
"dateReserved": "2025-08-04T06:51:27.628Z",
"dateUpdated": "2025-08-05T13:35:38.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8527 (GCVE-0-2025-8527)
Vulnerability from cvelistv5 – Published: 2025-08-04 21:32 – Updated: 2025-08-05 13:38
VLAI
Title
Exrick xboot Swagger SecurityController.java server-side request forgery
Summary
A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318653 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.318653 | signaturepermissions-required |
| https://vuldb.com/?submit.622174 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/70 | issue-tracking |
| https://github.com/Exrick/xboot/issues/70#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8527",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T13:37:59.148036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T13:38:09.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Swagger"
],
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Exrick xboot bis 3.3.4 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Datei xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java der Komponente Swagger. Mittels dem Manipulieren des Arguments loginUrl mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T21:32:06.008Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318653 | Exrick xboot Swagger SecurityController.java server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.318653"
},
{
"name": "VDB-318653 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318653"
},
{
"name": "Submit #622174 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 SSRF",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622174"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/70"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/70#issue-3252425972"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot Swagger SecurityController.java server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8527",
"datePublished": "2025-08-04T21:32:06.008Z",
"dateReserved": "2025-08-04T06:51:25.085Z",
"dateUpdated": "2025-08-05T13:38:09.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8526 (GCVE-0-2025-8526)
Vulnerability from cvelistv5 – Published: 2025-08-04 21:02 – Updated: 2025-08-05 15:43
VLAI
Title
Exrick xboot UploadController.java upload unrestricted upload
Summary
A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318652 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.318652 | signaturepermissions-required |
| https://vuldb.com/?submit.622173 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/71 | issue-tracking |
| https://github.com/Exrick/xboot/issues/71#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8526",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:43:51.705486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:43:54.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/71"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/71#issue-3252446955"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In Exrick xboot bis 3.3.4 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion Upload der Datei xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. Durch Manipulation des Arguments File mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T21:02:05.466Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318652 | Exrick xboot UploadController.java upload unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.318652"
},
{
"name": "VDB-318652 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318652"
},
{
"name": "Submit #622173 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 Unrestricted Upload of File with Dangerous Type (CWE-434)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622173"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/71"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/71#issue-3252446955"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot UploadController.java upload unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8526",
"datePublished": "2025-08-04T21:02:05.466Z",
"dateReserved": "2025-08-04T06:51:22.039Z",
"dateUpdated": "2025-08-05T15:43:54.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8525 (GCVE-0-2025-8525)
Vulnerability from cvelistv5 – Published: 2025-08-04 20:32 – Updated: 2025-08-05 15:44
VLAI
Title
Exrick xboot Spring Boot Admin/Spring Actuator information disclosure
Summary
A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318651 | vdb-entry |
| https://vuldb.com/?ctiid.318651 | signaturepermissions-required |
| https://vuldb.com/?submit.622172 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/72 | issue-tracking |
| https://github.com/Exrick/xboot/issues/72#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:44:40.501207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:44:45.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/72"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/72#issue-3252465914"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Spring Boot Admin/Spring Actuator"
],
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Exrick xboot bis 3.3.4 ausgemacht. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Spring Boot Admin/Spring Actuator. Durch die Manipulation mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T20:32:05.870Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318651 | Exrick xboot Spring Boot Admin/Spring Actuator information disclosure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318651"
},
{
"name": "VDB-318651 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318651"
},
{
"name": "Submit #622172 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 Sensitive Info Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622172"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/72"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/72#issue-3252465914"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot Spring Boot Admin/Spring Actuator information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8525",
"datePublished": "2025-08-04T20:32:05.870Z",
"dateReserved": "2025-08-04T06:51:12.095Z",
"dateUpdated": "2025-08-05T15:44:45.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-45612 (GCVE-0-2025-45612)
Vulnerability from cvelistv5 – Published: 2025-05-05 00:00 – Updated: 2025-05-06 13:51
VLAI
Summary
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-284 - Improper Access Control
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:50:48.823231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:51:22.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:14:04.321Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/96"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45612",
"datePublished": "2025-05-05T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-06T13:51:22.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-28399 (GCVE-0-2025-28399)
Vulnerability from cvelistv5 – Published: 2025-04-15 00:00 – Updated: 2025-04-16 14:17
VLAI
Summary
An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28399",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T14:16:13.679106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T14:17:36.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T18:54:05.972Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/20210607/cve_public/blob/main/CVE-2025-28399.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28399",
"datePublished": "2025-04-15T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-16T14:17:36.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24112 (GCVE-0-2024-24112)
Vulnerability from cvelistv5 – Published: 2024-02-06 00:00 – Updated: 2025-05-08 19:09
VLAI
Summary
xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:19:51.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Exrick/xmall/issues/78"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24112",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T19:08:31.731336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T19:09:05.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-06T00:34:14.691Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/78"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-24112",
"datePublished": "2024-02-06T00:00:00.000Z",
"dateReserved": "2024-01-25T00:00:00.000Z",
"dateUpdated": "2025-05-08T19:09:05.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43432 (GCVE-0-2021-43432)
Vulnerability from cvelistv5 – Published: 2022-04-07 18:09 – Updated: 2024-08-04 03:55
VLAI
Summary
A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://exrick.com | x_refsource_MISC |
| https://github.com/Exrick/xmall | x_refsource_MISC |
| https://github.com/Exrick/xmall/blob/b146cceb21ca… | x_refsource_MISC |
| https://github.com/Exrick/xmall/blob/b146cceb21ca… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://exrick.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Exrick/xmall"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-07T18:09:44.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://exrick.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exrick/xmall"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43432",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://exrick.com",
"refsource": "MISC",
"url": "http://exrick.com"
},
{
"name": "https://github.com/Exrick/xmall",
"refsource": "MISC",
"url": "https://github.com/Exrick/xmall"
},
{
"name": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38",
"refsource": "MISC",
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38"
},
{
"name": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4",
"refsource": "MISC",
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43432",
"datePublished": "2022-04-07T18:09:44.000Z",
"dateReserved": "2021-11-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:55:28.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36331 (GCVE-0-2023-36331)
Vulnerability from nvd – Published: 2026-01-12 00:00 – Updated: 2026-01-12 20:12
VLAI
Summary
Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId.
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-36331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-12T20:10:24.330003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T20:12:16.471Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users\u0027 order details via manipulation of the query parameter userId."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T19:47:14.487Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/100"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36331",
"datePublished": "2026-01-12T00:00:00.000Z",
"dateReserved": "2023-06-21T00:00:00.000Z",
"dateUpdated": "2026-01-12T20:12:16.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65540 (GCVE-0-2025-65540)
Vulnerability from nvd – Published: 2025-11-29 00:00 – Updated: 2025-12-01 14:49
VLAI
Summary
Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-65540",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T14:47:59.938260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T14:49:02.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-29T03:26:05.636Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/101"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-65540",
"datePublished": "2025-11-29T00:00:00.000Z",
"dateReserved": "2025-11-18T00:00:00.000Z",
"dateUpdated": "2025-12-01T14:49:02.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8528 (GCVE-0-2025-8528)
Vulnerability from nvd – Published: 2025-08-04 22:02 – Updated: 2025-08-05 13:35
VLAI
Title
Exrick xboot getMenuList sensitive information in a cookie
Summary
A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318654 | vdb-entry |
| https://vuldb.com/?ctiid.318654 | signaturepermissions-required |
| https://vuldb.com/?submit.622175 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/69 | issue-tracking |
| https://github.com/Exrick/xboot/issues/69#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8528",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T13:35:17.163825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T13:35:38.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in Exrick xboot bis 3.3.4 entdeckt. Betroffen hiervon ist ein unbekannter Ablauf der Datei /xboot/permission/getMenuList. Mittels Manipulieren mit unbekannten Daten kann eine cleartext storage of sensitive information in a cookie-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-315",
"description": "Cleartext Storage of Sensitive Information in a Cookie",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T22:02:06.163Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318654 | Exrick xboot getMenuList sensitive information in a cookie",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318654"
},
{
"name": "VDB-318654 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318654"
},
{
"name": "Submit #622175 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 User\u0027s Sensitive Information is included in Cookies",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622175"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/69"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/69#issue-3252177305"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot getMenuList sensitive information in a cookie"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8528",
"datePublished": "2025-08-04T22:02:06.163Z",
"dateReserved": "2025-08-04T06:51:27.628Z",
"dateUpdated": "2025-08-05T13:35:38.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8527 (GCVE-0-2025-8527)
Vulnerability from nvd – Published: 2025-08-04 21:32 – Updated: 2025-08-05 13:38
VLAI
Title
Exrick xboot Swagger SecurityController.java server-side request forgery
Summary
A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318653 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.318653 | signaturepermissions-required |
| https://vuldb.com/?submit.622174 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/70 | issue-tracking |
| https://github.com/Exrick/xboot/issues/70#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8527",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T13:37:59.148036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T13:38:09.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Swagger"
],
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Exrick xboot bis 3.3.4 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Datei xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java der Komponente Swagger. Mittels dem Manipulieren des Arguments loginUrl mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T21:32:06.008Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318653 | Exrick xboot Swagger SecurityController.java server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.318653"
},
{
"name": "VDB-318653 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318653"
},
{
"name": "Submit #622174 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 SSRF",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622174"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/70"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/70#issue-3252425972"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot Swagger SecurityController.java server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8527",
"datePublished": "2025-08-04T21:32:06.008Z",
"dateReserved": "2025-08-04T06:51:25.085Z",
"dateUpdated": "2025-08-05T13:38:09.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8526 (GCVE-0-2025-8526)
Vulnerability from nvd – Published: 2025-08-04 21:02 – Updated: 2025-08-05 15:43
VLAI
Title
Exrick xboot UploadController.java upload unrestricted upload
Summary
A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318652 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.318652 | signaturepermissions-required |
| https://vuldb.com/?submit.622173 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/71 | issue-tracking |
| https://github.com/Exrick/xboot/issues/71#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8526",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:43:51.705486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:43:54.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/71"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/71#issue-3252446955"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In Exrick xboot bis 3.3.4 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion Upload der Datei xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. Durch Manipulation des Arguments File mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T21:02:05.466Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318652 | Exrick xboot UploadController.java upload unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.318652"
},
{
"name": "VDB-318652 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318652"
},
{
"name": "Submit #622173 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 Unrestricted Upload of File with Dangerous Type (CWE-434)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622173"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/71"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/71#issue-3252446955"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot UploadController.java upload unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8526",
"datePublished": "2025-08-04T21:02:05.466Z",
"dateReserved": "2025-08-04T06:51:22.039Z",
"dateUpdated": "2025-08-05T15:43:54.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8525 (GCVE-0-2025-8525)
Vulnerability from nvd – Published: 2025-08-04 20:32 – Updated: 2025-08-05 15:44
VLAI
Title
Exrick xboot Spring Boot Admin/Spring Actuator information disclosure
Summary
A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318651 | vdb-entry |
| https://vuldb.com/?ctiid.318651 | signaturepermissions-required |
| https://vuldb.com/?submit.622172 | third-party-advisory |
| https://github.com/Exrick/xboot/issues/72 | issue-tracking |
| https://github.com/Exrick/xboot/issues/72#issue-3… | exploitissue-tracking |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8525",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-05T15:44:40.501207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T15:44:45.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/72"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Exrick/xboot/issues/72#issue-3252465914"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Spring Boot Admin/Spring Actuator"
],
"product": "xboot",
"vendor": "Exrick",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Exrick xboot bis 3.3.4 ausgemacht. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Spring Boot Admin/Spring Actuator. Durch die Manipulation mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T20:32:05.870Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318651 | Exrick xboot Spring Boot Admin/Spring Actuator information disclosure",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318651"
},
{
"name": "VDB-318651 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318651"
},
{
"name": "Submit #622172 | Exrick https://github.com/Exrick/xboot \u003c=3.3.4 Sensitive Info Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.622172"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/72"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/Exrick/xboot/issues/72#issue-3252465914"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:56:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "Exrick xboot Spring Boot Admin/Spring Actuator information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8525",
"datePublished": "2025-08-04T20:32:05.870Z",
"dateReserved": "2025-08-04T06:51:12.095Z",
"dateUpdated": "2025-08-05T15:44:45.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-45612 (GCVE-0-2025-45612)
Vulnerability from nvd – Published: 2025-05-05 00:00 – Updated: 2025-05-06 13:51
VLAI
Summary
Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-284 - Improper Access Control
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-45612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T13:50:48.823231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T13:51:22.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect access control in xmall v1.1 allows attackers to bypass authentication via a crafted GET request to /index."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:14:04.321Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/96"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-45612",
"datePublished": "2025-05-05T00:00:00.000Z",
"dateReserved": "2025-04-22T00:00:00.000Z",
"dateUpdated": "2025-05-06T13:51:22.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-28399 (GCVE-0-2025-28399)
Vulnerability from nvd – Published: 2025-04-15 00:00 – Updated: 2025-04-16 14:17
VLAI
Summary
An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28399",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T14:16:13.679106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T14:17:36.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T18:54:05.972Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/20210607/cve_public/blob/main/CVE-2025-28399.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28399",
"datePublished": "2025-04-15T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-16T14:17:36.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24112 (GCVE-0-2024-24112)
Vulnerability from nvd – Published: 2024-02-06 00:00 – Updated: 2025-05-08 19:09
VLAI
Summary
xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:19:51.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Exrick/xmall/issues/78"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24112",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T19:08:31.731336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T19:09:05.103Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-06T00:34:14.691Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Exrick/xmall/issues/78"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-24112",
"datePublished": "2024-02-06T00:00:00.000Z",
"dateReserved": "2024-01-25T00:00:00.000Z",
"dateUpdated": "2025-05-08T19:09:05.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43432 (GCVE-0-2021-43432)
Vulnerability from nvd – Published: 2022-04-07 18:09 – Updated: 2024-08-04 03:55
VLAI
Summary
A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://exrick.com | x_refsource_MISC |
| https://github.com/Exrick/xmall | x_refsource_MISC |
| https://github.com/Exrick/xmall/blob/b146cceb21ca… | x_refsource_MISC |
| https://github.com/Exrick/xmall/blob/b146cceb21ca… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://exrick.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Exrick/xmall"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-07T18:09:44.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://exrick.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exrick/xmall"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43432",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://exrick.com",
"refsource": "MISC",
"url": "http://exrick.com"
},
{
"name": "https://github.com/Exrick/xmall",
"refsource": "MISC",
"url": "https://github.com/Exrick/xmall"
},
{
"name": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38",
"refsource": "MISC",
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L38"
},
{
"name": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4",
"refsource": "MISC",
"url": "https://github.com/Exrick/xmall/blob/b146cceb21ca42d4237f31dbd7af5ced49048a56/xmall-manager-web/src/main/webapp/WEB-INF/jsp/product-add.jsp#L4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43432",
"datePublished": "2022-04-07T18:09:44.000Z",
"dateReserved": "2021-11-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T03:55:28.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}