XML External Entity in ywoa WXCallBack extract leads to remote code exec
CVE-2025-1225 Published on February 12, 2025
ywoa WXCallBack Interface XMLParse.java extract xml external entity reference
A vulnerability classified as problematic has been found in ywoa up to 2024.07.03. It affects the function extract of the file c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java of the component WXCallBack Interface. The manipulation leads to an XML external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 addresses this issue. It is recommended to upgrade the affected component.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
What is an XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2025-1225 has been classified as an XXE vulnerability or weakness.
Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Products Associated with CVE-2025-1225
Yimihome Ywoa
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.