CVE-2025-25036 (GCVE-0-2025-25036)

Vulnerability from cvelistv5 – Published: 2025-03-21 19:27 – Updated: 2025-11-19 20:26
VLAI?
Title
Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)
Summary
Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).
Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
Jalios JPlatform Affected: 0 , < 10.0.8 (custom)
Create a notification for this product.
Credits
Arthur Deloffre (Vozec) Tristan Bizien (Bizi)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25036",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-21T19:49:39.974923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-21T19:50:06.001Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "JPlatform",
          "vendor": "Jalios",
          "versions": [
            {
              "lessThan": "10.0.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.8",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Arthur Deloffre (Vozec)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Tristan Bizien (Bizi)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.\u003cp\u003eThis issue affects all versions of JPlatform 10 before 10.0.8 (SP8).\u003c/p\u003e"
            }
          ],
          "value": "Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-250",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-250 XML Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T20:26:50.070Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "url": "https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19"
        },
        {
          "url": "https://issues.jalios.com/browse/JCMS-11250"
        },
        {
          "url": "https://vulncheck.com/advisories/jalios-jplatform-xxe"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-25036",
    "datePublished": "2025-03-21T19:27:12.472Z",
    "dateReserved": "2025-01-31T18:32:36.214Z",
    "dateUpdated": "2025-11-19T20:26:50.070Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-25036\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-03-21T20:15:15.293\",\"lastModified\":\"2025-03-21T20:15:15.293\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de restricci\u00f3n incorrecta de referencia de entidad externa XML en Jalios JPlatform permite la inyecci\u00f3n de XML. Este problema afecta a todas las versiones de JPlatform 10 anteriores a 10.0.8 (SP8).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"references\":[{\"url\":\"https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://issues.jalios.com/browse/JCMS-11250\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://vulncheck.com/advisories/jalios-jplatform-xxe\",\"source\":\"disclosure@vulncheck.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25036\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-21T19:49:39.974923Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-21T19:49:55.887Z\"}}], \"cna\": {\"title\": \"Jalios JPlatform 10 Authenticated XML External Entity Injection (XXE)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Arthur Deloffre (Vozec)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tristan Bizien (Bizi)\"}], \"impacts\": [{\"capecId\": \"CAPEC-250\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-250 XML Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Jalios\", \"product\": \"JPlatform\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"10.0.8\", \"versionType\": \"custom\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://community.jalios.com/jcms/jc1_893720/en/security-alert-2025-02-19\"}, {\"url\": \"https://issues.jalios.com/browse/JCMS-11250\"}, {\"url\": \"https://vulncheck.com/advisories/jalios-jplatform-xxe\"}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.This issue affects all versions of JPlatform 10 before 10.0.8 (SP8).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Restriction of XML External Entity Reference vulnerability in Jalios JPlatform allows XML Injection.\u003cp\u003eThis issue affects all versions of JPlatform 10 before 10.0.8 (SP8).\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:jalios:jcms:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"10.0.8\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-19T20:26:50.070Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-25036\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-19T20:26:50.070Z\", \"dateReserved\": \"2025-01-31T18:32:36.214Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-03-21T19:27:12.472Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.