bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference_CVE-2025-13209

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

Basic Information

ID CVE-2025-13209

Source VulDB

Published Nov 15, 2025 at 18:32

Affected Product

Vendor bestfeng

Product oa_git_free

Version 9.0

Affected Versions bestfeng oa_git_free 9.0
bestfeng oa_git_free 9.1
bestfeng oa_git_free 9.2
bestfeng oa_git_free 9.3
bestfeng oa_git_free 9.4
bestfeng oa_git_free 9.5

CWE Classification

CWE-611 CWE-610

References

{
    "lastseen": "",
    "description": "A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\\server\\c-flow\\src\\main\\java\\com\\cloudweb\\oa\\controller\\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.",
    "published": "2025-11-15T18:32:06.823Z",
    "modified": "2025-11-15T18:32:06.823Z",
    "type": "cve",
    "title": "bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.332528\nhttps://vuldb.com/?ctiid.332528\nhttps://vuldb.com/?submit.685626\nhttps://github.com/bkglfpp/CVE-md/blob/main/%E4%BA%91%E7%BD%91%E5%8D%8F%E5%90%8C%E5%8A%9E%E5%85%AC%E7%B3%BB%E7%BB%9F/XXE.md",
    "id": "CVE-2025-13209",
    "bulletinFamily": "",
    "cwe": [
        "CWE-611",
        "CWE-610"
    ],
    "cvelist": null,
    "sourceData": "bestfeng oa_git_free 9.0\nbestfeng oa_git_free 9.1\nbestfeng oa_git_free 9.2\nbestfeng oa_git_free 9.3\nbestfeng oa_git_free 9.4\nbestfeng oa_git_free 9.5",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "oa_git_free",
    "version": "9.0",
    "vendor": "bestfeng",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}