fuyang_lipengjun platform CVE-2025-7936
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a and classified as critical. Affected by this vulnerability is the function queryPage of the file com/platform/controller/ScheduleJobLogController.java. The manipulation of the argument beanName/methodName leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
AnalysisAI
SQL injection in fuyang_lipengjun platform allows authenticated remote attackers to manipulate beanName and methodName parameters in the queryPage function of ScheduleJobLogController.java, resulting in limited confidentiality, integrity, and availability impact. The CVSS score of 2.1 reflects the requirement for prior authentication and the constrained scope of impact; however, exploitation probability is marked as possible (E:P in CVSS v4.0 vector), and publicly available exploit code exists. The rolling-release model means no traditional version numbers are tracked, with the vulnerability confirmed present up to commit ca9aceff6902feb7b0b6bf510842aea88430796a.
Technical ContextAI
The vulnerability exists in the queryPage method of com/platform/controller/ScheduleJobLogController.java within the fuyang_lipengjun platform, a Java-based web application framework using rolling releases. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e., injection flaws), specifically SQL injection. User-supplied input via the beanName and methodName request parameters is passed unsanitized into SQL query construction, allowing an authenticated attacker to inject arbitrary SQL commands. The vulnerability affects the Java Servlet/Spring controller layer, suggesting the application likely uses Spring MVC or similar framework without parameterized query protections on these specific parameters.
RemediationAI
Apply the patch available in the fuyang_lipengjun platform repository by updating to a commit after ca9aceff6902feb7b0b6bf510842aea88430796a. Since the project uses rolling releases without formal version numbering, pull the latest version from the main branch or a committed fix merge. The specific remediation is to parameterize SQL queries in the queryPage method of ScheduleJobLogController.java, replacing string concatenation of beanName and methodName parameters with prepared statement placeholders or ORM framework query builders that automatically escape input. Verify the fix by reviewing the ScheduleJobLogController.java source in the updated commit to confirm beanName and methodName parameters are no longer directly interpolated into SQL strings. Monitor the Gitee repository at https://gitee.com/fuyang_lipengjun/platform for patch releases. As a temporary workaround pending patching, restrict network access to the ScheduleJobLogController queryPage endpoint via reverse proxy or firewall rules to trusted internal networks only; note this does not prevent exploitation by authenticated insiders and should be considered a hold-measure, not a permanent solution.
Share
External POC / Exploit Code
Leaving vuln.today