CVE-2025-7523

| EUVD-2025-21250 HIGH
2025-07-13 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:18 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:18 euvd
EUVD-2025-21250
PoC Detected
Aug 26, 2025 - 12:37 vuln.today
Public exploit code
CVE Published
Jul 13, 2025 - 07:15 nvd
HIGH 7.3

Tags

XXE Jinher Oa

Description

A vulnerability was found in Jinher OA 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-7523 is an XML External Entity (XXE) injection vulnerability in Jinher OA 1.0 affecting the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. An unauthenticated remote attacker can exploit this to read sensitive files, modify data, or cause denial of service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical Context

The vulnerability is classified as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), a variant of XXE injection. The affected endpoint (DelTemp.aspx) is an ASP.NET web form component within Jinher OA's messaging module that improperly processes XML input without disabling external entity resolution. Jinher OA is a Chinese office automation platform built on Microsoft .NET/ASP.NET technology. The vulnerability likely exists in XML parsing libraries (System.Xml namespace in .NET) that process untrusted input from client requests without XXE protections such as DTD disabling or entity resolver restrictions. This is a server-side request forgery (SSRF)-adjacent attack class where attackers can reference external XML entities to exfiltrate local files or internal network resources.

Affected Products

Jinher OA version 1.0 and potentially earlier/later versions until patched. Affected component: /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx (part of the messaging module). CPE estimate: cpe:2.3:a:jinher:oa:1.0:*:*:*:*:*:*:*. Vendor: Jinher (金和/金和软件). The vulnerability affects ASP.NET-based installations of Jinher OA on Windows servers with IIS.

Remediation

Immediate actions: (1) Apply vendor patch from Jinher—contact Jinher support for security updates addressing CVE-2025-7523; (2) If patch unavailable, disable or restrict access to /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx via firewall/WAF rules; (3) Implement network segmentation to limit access to Jinher OA from untrusted networks; (4) Apply XXE-specific mitigations in ASP.NET: disable DTD processing, disable external entity resolution in System.Xml.XmlDocument and XmlTextReader (set ProhibitDtd=true, XmlResolver=null). Long-term: upgrade to patched Jinher OA version when released; implement input validation and XML schema enforcement; deploy WAF rules to detect XXE payloads (DOCTYPE detection, entity declarations).

Priority Score

57
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: +20

Share

CVE-2025-7523 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy