CVE-2025-6761 Information

Jun 28, 2025 cve

Description

A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0. It has been rated as critical. Affected by this issue is the function plugin.buildMobilePopHtml of the file \k3\o2o\bos\webapp\action\DynamicForm 4 Action.class of the component Freemarker Engine. The manipulation leads to improper neutralization of special elements used in a template engine. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The vendor explains that in the fixed release \Freemarker is set to ‘ALLOWS_NOTHING_RESOLVER’ to not parse any classes.\

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference

https://vip.kingdee.com/link/s/ZlWX7 https://vip.kingdee.com/school/detail/713028702245944320 https://vuldb.com/?ctiid.314072 https://vuldb.com/?id.314072 https://vuldb.com/?submit.601207

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

LOW

Base Severity

7.3

CNNVD-202506-3427 (Published: 2025-06-27)

Share on: