A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file…
VulDB·CWE-259·Published 2025-08-14
Davon betroffen ist unbekannter Code der Datei litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java der Komponente JSON Web Token Handler. Mit der Manipulation des Arguments SECRET mit der Eingabe X-Litemall-Token mit unbekannten Daten kann eine hard-coded credentials-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Die Komplexität eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur öffentlichen Verfügung.
A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Se detectó una vulnerabilidad en linlinjava litemall hasta la versión 1.8.0. Este problema afecta a una funcionalidad desconocida del archivo litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java del componente JSON Web Token Handler. La manipulación del argumento SECRET con la entrada X-Litemall-Token genera credenciales codificadas de forma rígida. El ataque puede ejecutarse en remoto. Es un ataque de complejidad bastante alta. Parece difícil de explotar. Se ha hecho público el exploit y puede que sea utilizado.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | cve.org | 2.6 | — | — | AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR |
| 2.0 | Primary | cve.org | 2.6 | — | — | AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR |
| 2.0 | Secondary | NVD | 2.6 | 4.9 | 2.9 | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| 3.0 | Primary | cve.org | 3.7 | — | — | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
| 3.0 | Primary | cve.org | 3.7 | — | — | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
| 3.1 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 3.7 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
| 3.1 | Primary | cve.org | 3.7 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
| 3.1 | Secondary | NVD | 3.7 | 2.2 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 4.0 | Primary | cve.org | 6.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
| 4.0 | Primary | cve.org | 6.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
| 4.0 | Secondary | NVD | 2.9 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |