fuyang_lipengjun platform CVE-2025-7935
Severity by source: LOW
CVSS vector (NVD; primary rating and the only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as critical, was found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a. Affected is the function SysLogController of the file platform-admin/src/main/java/com/platform/controller/SysLogController.java. The manipulation of the argument key leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.
Analysis (AI-generated)
SQL injection in the SysLogController of fuyang_lipengjun platform allows an authenticated remote attacker to execute arbitrary SQL queries through the key parameter, and exploit code has been disclosed publicly. Despite the critical classification, the CVSS 4.0 score of 2.1 and the low EPSS percentile (22%) indicate limited real-world impact, because exploitation requires prior authentication and the confidentiality and integrity impact is rated low; however, the public exploit and the network-reachable, authenticated attack vector warrant monitoring.
Technical Context (AI-generated)
The vulnerability exists in the SysLogController class (platform-admin/src/main/java/com/platform/controller/SysLogController.java) of the fuyang_lipengjun platform, a Java-based administrative platform. The flaw is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component): the key parameter is passed into an SQL statement without adequate neutralization, which permits SQL injection. The affected CPE (cpe:2.3:a:fuyang_lipengjun:platform:*:*:*:*:*:*:*:*) indicates that all versions are potentially affected. The platform uses rolling releases with continuous delivery, so version tracking is impractical and fixes are deployed as commits rather than numbered releases.
Remediation (AI-generated)
Upgrade to a patched commit after ca9aceff6902feb7b0b6bf510842aea88430796a by pulling the latest changes from the official Gitee repository (https://gitee.com/fuyang_lipengjun/platform). Monitor the issue tracker (https://gitee.com/fuyang_lipengjun/platform/issues/ICLIKX) for confirmation of fix commits. As an interim compensating control, restrict network access to the SysLogController endpoints (typically /api/syslog or /admin/syslog) using a reverse proxy or firewall so that only trusted administrative IP addresses can reach them; note that this reduces visibility into logs from remote locations. Additionally, implement parameterized SQL queries or prepared statements in the SysLogController to neutralize the injection vector; a code review of the key parameter handling is recommended before deployment.