CVE-2025-7934: fuyang_lipengjun platform
Severity (by source): LOW
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (source: CVE.org)
A vulnerability, which was classified as critical, has been found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a. This issue affects the function queryPage of the file platform-schedule/src/main/java/com/platform/controller/ScheduleJobController.java. The manipulation of the argument beanName leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable.
Analysis (AI-generated)
SQL injection in fuyang_lipengjun platform allows authenticated remote attackers to execute arbitrary SQL queries via the beanName parameter in the queryPage function of ScheduleJobController.java. The CVSS score of 2.1 reflects limited confidentiality and integrity impact and the requirement for authentication, even though publicly available exploit code exists. The EPSS score of 0.07% (percentile 22%) suggests a low real-world exploitation probability despite public POC availability.
Technical Context (AI-generated)
The vulnerability exists in platform-schedule/src/main/java/com/platform/controller/ScheduleJobController.java, specifically in the queryPage function. The beanName parameter is used without input validation or parameterized queries, allowing attackers to inject arbitrary SQL commands. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') indicates that the root cause is insufficient sanitization of user-supplied input before it is used in SQL query construction. The fuyang_lipengjun platform is a Java-based application (inferred from file paths) that does not use formal version numbering; it is identified by git commit hashes instead.
Remediation (AI-generated)
Apply the fix by updating the queryPage function in ScheduleJobController.java to use parameterized queries (prepared statements) for all SQL operations involving the beanName parameter. No patched version is available from a vendor advisory; instead, commit ca9aceff6902feb7b0b6bf510842aea88430796a marks the last vulnerable state. Users should update to the latest commit after that point by pulling from the fuyang_lipengjun/platform repository on Gitee. As a temporary workaround pending patching, restrict access to the /platform-schedule/queryPage endpoint to trusted internal networks only, or disable the ScheduleJobController functionality entirely if it is not actively used. Both workarounds require redeployment or network policy changes with potential operational impact. Verify remediation by reviewing the queryPage code to confirm that parameterized queries are used, and by re-testing with the public POC.
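As an added illustration (not code from the fuyang_lipengjun platform, whose actual queryPage implementation is not reproduced on this page), the following Java shows the string-concatenation shape the advisory describes next to the parameterized form recommended above. The class, table and column names are hypothetical, and the paging limits and the bean-name allow-list are example policy, not something the project is known to use.

```java
// Added illustration (not code from the fuyang_lipengjun platform): the
// injection pattern described for queryPage/beanName beside the parameterized
// alternative. Table, column and class names below are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ScheduleJobQueryExample {

    /** Hypothetical row type; the real project's entity will differ. */
    public record ScheduleJob(long jobId, String beanName, String cronExpression) {}

    /**
     * VULNERABLE PATTERN (for contrast only): the user-controlled filter is
     * concatenated into the SQL text, so a quote or comment sequence in
     * beanName changes the structure of the query. This is the CWE-74 shape
     * the advisory describes for queryPage.
     */
    static List<ScheduleJob> queryPageUnsafe(Connection conn, String beanName,
                                             int offset, int limit) throws SQLException {
        String sql = "SELECT job_id, bean_name, cron_expression FROM schedule_job"
                + " WHERE bean_name LIKE '%" + beanName + "%'"
                + " LIMIT " + limit + " OFFSET " + offset;
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return toJobs(rs);
        }
    }

    // Defence in depth (example policy): a Spring bean name is a short
    // identifier, so a tight allow-list is reasonable on top of binding.
    private static final Pattern BEAN_NAME = Pattern.compile("^[A-Za-z0-9_.$-]{0,64}$");

    /**
     * HARDENED FORM: the SQL text is a constant; beanName and the paging
     * values are bound as parameters and cannot alter the query structure.
     */
    static List<ScheduleJob> queryPage(Connection conn, String beanName,
                                       int offset, int limit) throws SQLException {
        if (beanName == null) beanName = "";
        if (!BEAN_NAME.matcher(beanName).matches()) {
            throw new IllegalArgumentException("invalid beanName filter");
        }
        if (offset < 0 || limit < 1 || limit > 500) {  // example bounds
            throw new IllegalArgumentException("invalid paging values");
        }
        // '!' is declared as the LIKE escape character so the filter cannot
        // smuggle wildcards; this form is portable across common databases.
        String sql = "SELECT job_id, bean_name, cron_expression FROM schedule_job"
                + " WHERE bean_name LIKE ? ESCAPE '!' LIMIT ? OFFSET ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            String escaped = beanName.replace("!", "!!")
                                     .replace("%", "!%")
                                     .replace("_", "!_");
            ps.setString(1, "%" + escaped + "%");  // bound as data, never as SQL
            ps.setInt(2, limit);
            ps.setInt(3, offset);
            try (ResultSet rs = ps.executeQuery()) {
                return toJobs(rs);
            }
        }
    }

    private static List<ScheduleJob> toJobs(ResultSet rs) throws SQLException {
        List<ScheduleJob> jobs = new ArrayList<>();
        while (rs.next()) {
            jobs.add(new ScheduleJob(rs.getLong("job_id"),
                                     rs.getString("bean_name"),
                                     rs.getString("cron_expression")));
        }
        return jobs;
    }
}
```

When reviewing the actual fix, look for the same two properties: the SQL (or mapper) text must not change with the request, and every request value must arrive through a bound parameter. If the project's data layer uses MyBatis mapper XML rather than raw JDBC, the equivalent check is that beanName is referenced with `#{beanName}` (bound parameter) and not `${beanName}` (string interpolation), since the latter reproduces the concatenation pattern above. The LIKE-wildcard escaping is unrelated to injection; it only keeps a filter of `%` or `_` from matching every row.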