crmeb_java
cpe:2.3:a:crmeb:crmeb_java:*:*:*:*:*:*:*
- <= 1.3.4
An XML External Entity (XXE) injection vulnerability has been identified in crmeb_java versions through 1.3.4. The issue arises in the webHook function of the WeChatMessageController.java file, where improper handling of XML input allows external entities to be referenced and potentially exploited. The vulnerability can be exploited remotely and has been publicly disclosed, with a proof-of-concept exploit available.
Exploitation of this vulnerability allows for arbitrary file reading and could be used to access internal network information, according to the vulnerability disclosure.
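The usual mitigation for this class of bug is to configure the XML parser so that it refuses DOCTYPE declarations before it reads any request body. The sketch below is an added example, not crmeb_java code: it assumes the endpoint parses with JAXP's `DocumentBuilderFactory` (the page does not say which parser the project uses), and the class name, method names and sample bodies are hypothetical.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added illustration; class and method names are hypothetical, not crmeb_java code.
public class SafeWebhookXml {
    // Factory that refuses any DOCTYPE, so a sender cannot declare entities at all.
    // The remaining settings are defence in depth in case that ban is ever relaxed.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Flattens the root element's child elements into a name -> text map.
    static Map<String, String> parse(String body) throws Exception {
        NodeList kids = hardenedFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(body)))
                .getDocumentElement().getChildNodes();
        Map<String, String> out = new LinkedHashMap<>();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) {
                out.put(n.getNodeName(), n.getTextContent());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies, not captured traffic.
        String ok = "<xml><MsgType><![CDATA[text]]></MsgType><Content><![CDATA[hi]]></Content></xml>";
        String doctype = "<!DOCTYPE xml [<!ENTITY e SYSTEM \"file:///placeholder\">]><xml><Content>&e;</Content></xml>";
        System.out.println(parse(ok));
        try { parse(doctype); System.out.println("DOCTYPE accepted"); }
        catch (SAXException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A handler built this way should treat the `SAXException` as a malformed request and return an error without echoing parser details to the caller.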