Filtered by vendor Crmeb
Subscriptions
Total
34 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15442 | 1 Crmeb | 1 Crmeb | 2026-01-08 | 4.7 Medium |
| A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-15443 | 1 Crmeb | 1 Crmeb | 2026-01-08 | 4.7 Medium |
| A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10389 | 1 Crmeb | 1 Crmeb | 2025-10-14 | 5.4 Medium |
| A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10390 | 1 Crmeb | 1 Crmeb | 2025-10-14 | 5.4 Medium |
| A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-10391 | 1 Crmeb | 1 Crmeb | 2025-10-14 | 6.3 Medium |
| A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11288 | 1 Crmeb | 1 Crmeb | 2025-10-07 | 6.3 Medium |
| A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing manipulation of the argument cate_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-11290 | 1 Crmeb | 1 Crmeb | 2025-10-07 | 5.6 Medium |
| A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-2365 | 1 Crmeb | 1 Crmeb Java | 2025-07-12 | 6.3 Medium |
| A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-25763 | 1 Crmeb | 1 Crmeb | 2025-07-07 | 9.8 Critical |
| crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php | ||||
| CVE-2024-52726 | 1 Crmeb | 1 Crmeb | 2025-07-07 | 7.5 High |
| CRMEB v5.4.0 is vulnerable to Arbitrary file read in the save_basics function which allows an attacker to obtain sensitive information | ||||
| CVE-2024-33117 | 1 Crmeb | 1 Crmeb Java | 2025-06-11 | 5.3 Medium |
| crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController. | ||||
| CVE-2024-24110 | 1 Crmeb | 1 Crmeb Java | 2025-06-10 | 6.5 Medium |
| SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via crafted GET request to the component /api/front/spread/people. | ||||
| CVE-2024-28714 | 1 Crmeb | 1 Crmeb Java | 2025-06-10 | 8.1 High |
| SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter. | ||||
| CVE-2024-25469 | 1 Crmeb | 1 Crmeb Java | 2025-04-25 | 7.5 High |
| SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list component. | ||||
| CVE-2022-44343 | 1 Crmeb | 1 Crmeb | 2025-03-26 | 7.5 High |
| CRMEB 4.4.4 is vulnerable to Any File download. | ||||
| CVE-2024-50653 | 1 Crmeb | 1 Crmeb | 2025-03-13 | 7.5 High |
| CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. Users can bypass the front-end restriction of only being able to claim coupons once by capturing packets and sending a large number of data packets for coupon collection, achieving unlimited coupon collection. | ||||
| CVE-2023-25223 | 1 Crmeb | 1 Crmeb Java | 2025-03-05 | 7.2 High |
| CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list. | ||||
| CVE-2023-30185 | 1 Crmeb | 1 Crmeb | 2025-01-29 | 9.8 Critical |
| CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php. | ||||
| CVE-2024-1703 | 1 Crmeb | 1 Crmeb | 2025-01-03 | 3.5 Low |
| A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-1704 | 1 Crmeb | 1 Crmeb | 2025-01-03 | 5.5 Medium |
| A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been declared as critical. This vulnerability affects the function save/delete of the file /adminapi/system/crud. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||