{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9140", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-08-19T05:44:18.399Z", "datePublished": "2025-08-19T13:32:06.591Z", "dateUpdated": "2025-08-19T13:42:35.904Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-19T13:32:06.591Z"}, "title": "Shanghai Lingdang Information Technology Lingdang CRM tabdetail_moduleSave.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Shanghai Lingdang Information Technology", "product": "Lingdang CRM", "versions": [{"version": "8.6.4.0", "status": "affected"}, {"version": "8.6.4.1", "status": "affected"}, {"version": "8.6.4.2", "status": "affected"}, {"version": "8.6.4.3", "status": "affected"}, {"version": "8.6.4.4", "status": "affected"}, {"version": "8.6.4.5", "status": "affected"}, {"version": "8.6.4.6", "status": "affected"}, {"version": "8.6.4.7", "status": "affected"}, {"version": "8.6.5.4", "status": "unaffected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: \"All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+.\""}, {"lang": "de", "value": "Eine Schwachstelle wurde in Shanghai Lingdang Information Technology Lingdang CRM bis 8.6.4.7 gefunden. Es geht dabei um eine nicht klar definierte Funktion der Datei /crm/crmapi/erp/tabdetail_moduleSave.php. Durch Manipulation des Arguments getvaluestring mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 8.6.5.4 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2025-08-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-08-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-08-19T07:49:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.320520", "name": "VDB-320520 | Shanghai Lingdang Information Technology Lingdang CRM tabdetail_moduleSave.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.320520", "name": "VDB-320520 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.628087", "name": "Submit #628087 | Shanghai Lingdang Information Technology Lingdang CRM \u2264V8.6.4.3 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/SQL2-2459bb66b0a5802ba8e9ca5bc775fc7d?source=copy_link", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-19T13:42:04.470487Z", "id": "CVE-2025-9140", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-19T13:42:35.904Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9140", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-19T13:42:04.470487Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-19T13:42:28.692Z"}}], "cna": {"title": "Shanghai Lingdang Information Technology Lingdang CRM tabdetail_moduleSave.php sql injection", "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "Shanghai Lingdang Information Technology", "product": "Lingdang CRM", "versions": [{"status": "affected", "version": "8.6.4.0"}, {"status": "affected", "version": "8.6.4.1"}, {"status": "affected", "version": "8.6.4.2"}, {"status": "affected", "version": "8.6.4.3"}, {"status": "affected", "version": "8.6.4.4"}, {"status": "affected", "version": "8.6.4.5"}, {"status": "affected", "version": "8.6.4.6"}, {"status": "affected", "version": "8.6.4.7"}, {"status": "unaffected", "version": "8.6.5.4"}]}], "timeline": [{"lang": "en", "time": "2025-08-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-08-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-08-19T07:49:28.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.320520", "name": "VDB-320520 | Shanghai Lingdang Information Technology Lingdang CRM tabdetail_moduleSave.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.320520", "name": "VDB-320520 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.628087", "name": "Submit #628087 | Shanghai Lingdang Information Technology Lingdang CRM \u2264V8.6.4.3 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/SQL2-2459bb66b0a5802ba8e9ca5bc775fc7d?source=copy_link", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: \"All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+.\""}, {"lang": "de", "value": "Eine Schwachstelle wurde in Shanghai Lingdang Information Technology Lingdang CRM bis 8.6.4.7 gefunden. Es geht dabei um eine nicht klar definierte Funktion der Datei /crm/crmapi/erp/tabdetail_moduleSave.php. Durch Manipulation des Arguments getvaluestring mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 8.6.5.4 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-19T13:32:06.591Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9140", "state": "PUBLISHED", "dateUpdated": "2025-08-19T13:42:35.904Z", "dateReserved": "2025-08-19T05:44:18.399Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-08-19T13:32:06.591Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: \"All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+.\""}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad en Shanghai Lingdang Information Technology Lingdang CRM (hasta la versi\u00f3n 8.6.4.7). Este problema afecta a una funcionalidad desconocida del archivo /crm/crmapi/erp/tabdetail_moduleSave.php. La manipulaci\u00f3n del argumento getvaluestring provoca una inyecci\u00f3n SQL. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Actualizar a la versi\u00f3n 8.6.5.4 puede resolver este problema. El componente afectado debe actualizarse. El proveedor explica: \u00abTodos los vectores de inyecci\u00f3n SQL se corrigieron mediante consultas parametrizadas y depuraci\u00f3n de entrada en la versi\u00f3n 8.6.5+\u00bb."}], "id": "CVE-2025-9140", "lastModified": "2025-08-20T14:40:17.713", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-08-19T14:15:44.460", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.320520"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.320520"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.628087"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/SQL2-2459bb66b0a5802ba8e9ca5bc775fc7d?source=copy_link"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}