7.5

CVE-2025-56161

Exploit

EPSS 0.06%
Veröffentlicht 02.10.2025 16:15:34
Zuletzt bearbeitet 30.10.2025 18:33:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Yiovo ≫ Firefly Mall SwEditionopen_source Version >= 2.01

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.185

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://gitee.com/xany/yoshop2.0

Product

https://github.com/ZyWAC/CVE-Disclosures/blob/6b337a44934ffe948275995e9b79158e97c78fc4/2025/YOSHOP2.0/CVE-2025-56161.md

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-56161

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-56161

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-56161

EUVD