ByteOS Network

NVD Vulnerability Details :

CVE-2025-6761

Awaiting Analysis

Source-cna@vuldb.com

Published At-27 Jun, 2025 | 11:15

Updated At-30 Jun, 2025 | 18:38

A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0. It has been rated as critical. Affected by this issue is the function plugin.buildMobilePopHtml of the file \k3\o2o\bos\webapp\action\DynamicForm 4 Action.class of the component Freemarker Engine. The manipulation leads to improper neutralization of special elements used in a template engine. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The vendor explains, that in the fixed release "Freemarker is set to 'ALLOWS_NOTHING_RESOLVER' to not parse any classes."

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	6.9	MEDIUM	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Secondary	2.0	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

CWE ID	Type	Source
CWE-791	Primary	cna@vuldb.com
CWE-1336	Primary	cna@vuldb.com

References

Hyperlink	Source	Resource
https://vip.kingdee.com/link/s/ZlWX7	cna@vuldb.com	N/A
https://vip.kingdee.com/school/detail/713028702245944320	cna@vuldb.com	N/A
https://vuldb.com/?ctiid.314072	cna@vuldb.com	N/A
https://vuldb.com/?id.314072	cna@vuldb.com	N/A
https://vuldb.com/?submit.601207	cna@vuldb.com	N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History