Vendor CVEs
Crmeb
All CVEs
38 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-10771 | Crmeb | High | 0.47 | 7.3 | 0.00 | | Jun 3, 2026 | A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in… |
| CVE-2026-1202 | Crmeb | High | 0.47 | 7.3 | 0.01 | | Jan 20, 2026 | A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to… |
| CVE-2025-11288 | Crmeb | Medium | 0.41 | 6.3 | 0.00 | | Oct 5, 2025 | A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in sql injection. Remote exploitation of the… |
| CVE-2025-10391 | Crmeb | Medium | 0.41 | 6.3 | 0.00 | | Sep 14, 2025 | A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the… |
| CVE-2025-2365 | Crmeb | Medium | 0.41 | 6.3 | 0.00 | | Mar 17, 2025 | A vulnerability, which was classified as problematic, has been found in crmeb_java up to 1.3.4. Affected by this issue is the function webHook of the file WeChatMessageController.java. The manipulation leads to xml external entity reference. The attack may be launched remotely.… |
| CVE-2026-1203 | Crmeb | Medium | 0.36 | 5.6 | 0.01 | | Jan 20, 2026 | A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication.… |
| CVE-2025-11290 | Crmeb | Medium | 0.36 | 5.6 | 0.00 | | Oct 5, 2025 | A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key. It is possible to launch the attack… |
| CVE-2025-10390 | Crmeb | Medium | 0.35 | 5.4 | 0.00 | | Sep 14, 2025 | A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The… |
| CVE-2025-10389 | Crmeb | Medium | 0.35 | 5.4 | 0.00 | | Sep 14, 2025 | A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization.… |
| CVE-2025-15443 | Crmeb | Medium | 0.31 | 4.7 | 0.00 | | Jan 4, 2026 | A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available… |
| CVE-2025-15442 | Crmeb | Medium | 0.31 | 4.7 | 0.00 | | Jan 4, 2026 | A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed… |
| CVE-2026-1733 | Crmeb | Medium | 0.28 | 4.3 | 0.00 | | Feb 1, 2026 | A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The… |
| CVE-2024-36837 | Crmeb | | 0.07 | — | 0.08 | | Jun 5, 2024 | SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file. |
| CVE-2024-52726 | Crmeb | | 0.03 | — | 0.02 | | Nov 22, 2024 | CRMEB v5.4.0 is vulnerable to Arbitrary file read in the save_basics function, which allows an attacker to obtain sensitive information. |
| CVE-2024-6944 | Crmeb | | 0.02 | — | 0.04 | | Jul 21, 2024 | A vulnerability was found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this issue is the function get_image_base64 of the file PublicController.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely.… |
| CVE-2026-1734 | Crmeb | | 0.00 | — | 0.00 | | Feb 1, 2026 | A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be… |
| CVE-2025-25763 | Crmeb | | 0.00 | — | 0.01 | | Mar 6, 2025 | crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php. |
| CVE-2024-50653 | Crmeb | | 0.00 | — | 0.01 | | Nov 15, 2024 | CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. Users can bypass the front-end restriction of only being able to claim coupons once by capturing packets and sending a large number of data packets for coupon collection, achieving unlimited coupon collection. |
| CVE-2024-6943 | Crmeb | | 0.00 | — | 0.01 | | Jul 21, 2024 | A vulnerability has been found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this vulnerability is the function downloadImage of the file app/services/product/product/CopyTaobaoServices.php. The manipulation leads to deserialization. The attack can… |
| CVE-2024-33117 | Crmeb | | 0.00 | — | 0.00 | | May 6, 2024 | crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController. |
| CVE-2024-28714 | Crmeb | | 0.00 | — | 0.01 | | Mar 28, 2024 | SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter. |
| CVE-2024-24110 | Crmeb | | 0.00 | — | 0.01 | | Feb 29, 2024 | SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via a crafted GET request to the component /api/front/spread/people. |
| CVE-2024-25469 | Crmeb | | 0.00 | — | 0.01 | | Feb 23, 2024 | SQL Injection vulnerability in CRMEB crmeb_java v.1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters in the api/front/store/list component. |
| CVE-2024-1704 | Crmeb | | 0.00 | — | 0.01 | | Feb 21, 2024 | A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been declared as critical. This vulnerability affects the function save/delete of the file /adminapi/system/crud. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be… |
| CVE-2024-1703 | Crmeb | | 0.00 | — | 0.01 | | Feb 21, 2024 | A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may… |
| CVE-2023-3234 | Crmeb | | 0.00 | — | 0.01 | | Jun 14, 2023 | A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been declared as problematic. Affected by this vulnerability is the function put_image of the file api/controller/v1/PublicController.php. The manipulation leads to deserialization. The attack can be launched… |
| CVE-2023-3233 | Crmeb | | 0.00 | — | 0.01 | | Jun 14, 2023 | A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been classified as critical. Affected is the function get_image_base64 of the file api/controller/v1/PublicController.php. The manipulation leads to server-side request forgery. It is possible to launch the attack… |
| CVE-2023-3232 | Crmeb | | 0.00 | — | 0.01 | | Jun 14, 2023 | A vulnerability was found in Zhong Bang CRMEB up to 4.6.0 and classified as critical. This issue affects some unknown processing of the file /api/wechat/app_auth of the component Image Upload. The manipulation leads to deserialization. The exploit has been disclosed to the… |
| CVE-2023-30185 | Crmeb | | 0.00 | — | 0.01 | | May 8, 2023 | CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php. |
| CVE-2023-2419 | Crmeb | | 0.00 | — | 0.01 | | Apr 29, 2023 | A vulnerability was found in Zhong Bang CRMEB 4.6.0. It has been declared as critical. This vulnerability affects the function videoUpload of the file \crmeb\app\services\system\attachment\SystemAttachmentServices.php. The manipulation of the argument filename leads to… |
| CVE-2023-1609 | Crmeb | | 0.00 | — | 0.01 | | Mar 23, 2023 | A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been rated as problematic. This issue affects the function save of the file /api/admin/store/product/save. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has… |
| CVE-2023-1608 | Crmeb | | 0.00 | — | 0.01 | | Mar 23, 2023 | A vulnerability was found in Zhong Bang CRMEB Java up to 1.3.4. It has been declared as critical. This vulnerability affects the function getAdminList of the file /api/admin/store/product/list. The manipulation of the argument cateId leads to sql injection. The attack can be… |
| CVE-2023-25223 | Crmeb | | 0.00 | — | 0.01 | | Mar 7, 2023 | CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list. |
| CVE-2023-1165 | Crmeb | | 0.00 | — | 0.01 | | Mar 3, 2023 | A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has been classified as critical. This affects an unknown part of the file /api/admin/system/store/order/list. The manipulation of the argument keywords leads to sql injection. The exploit has been disclosed to the… |
| CVE-2022-44343 | Crmeb | | 0.00 | — | 0.01 | | Feb 6, 2023 | CRMEB 4.4.4 is vulnerable to Any File download. |
| CVE-2020-21787 | Crmeb | | 0.00 | — | 0.02 | | Jun 24, 2021 | CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php. |
| CVE-2020-21788 | Crmeb | | 0.00 | — | 0.01 | | Jun 24, 2021 | In CRMEB 3.1.0+ strict domain name filtering leads to SSRF (Server-Side Request Forgery). The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php. |
| CVE-2020-25466 | Crmeb | | 0.00 | — | 0.03 | | Oct 23, 2020 | A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code. |