CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2025-28399

CVSS 9.8v3.1pub. 2025-04-15upd. 2025-04-25

An issue in Erick xmall v.1.1 and before allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class.

πŸ€– AI Analysis
How it works

The vulnerability results from improper privilege management (CWE-269) in the updateAddress method of the Address Controller class. A remote attacker can send a specially crafted request to the mentioned endpoint without needing to have any permissions, resulting in unauthorized privilege escalation in the application.

Impact

An attacker can obtain a higher level of privileges in the application, which in practice may lead to complete system takeover, disclosure of sensitive data, and modification or deletion of application data.

Mitigation & patch

Apply patches available from the vendor according to references. It is recommended to update to a version higher than 1.1, restrict access to the application at the network level, and monitor traffic directed to Address Controller class endpoints.

Who is affected

Exrick Xmall version 1.1 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exrick Xmall

    APP
    Exrick
    1.1
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2025-45612CRITICAL9.8PL βœ“ten sam produkt

ObejΕ›cie uwierzytelnienia w Exrick Xmall v1.1 poprzez crafted GET request

CVE-2024-24112CRITICAL9.8PL βœ“ten sam produkt

SQL Injection w Exrick XMall przez parametr orderDir

CVE-2023-36331HIGH8.2ten sam produkt

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access oth...

CVE-2025-65540MEDIUM6.1ten sam produkt

Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-suppl...

CVE-2021-43432MEDIUM6.1ten sam produkt

A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET para...

CVE-2025-28399 β€” Exrick β€” Xmall β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl