CVE-2025-10987

YunaiV yudao-cloud HTTP Request transfer improper authorization

CVSS 5.3 MEDIUMEPSS 0.3%CWE-266 CWE-285

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

26 set 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A vulnerability was determined in YunaiV yudao-cloud up to 2025.09. Affected by this issue is some unknown functionality of the file /crm/contact/transfer of the component HTTP Request Handler. This manipulation of the argument contactId causes improper authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Produtos afetados

YunaiV · yudao-cloud

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://vuldb.com/?ctiid.325910 https://vuldb.com/?id.325910 https://vuldb.com/?submit.653735 https://www.cnblogs.com/aibot/p/19063573