Bestfeng OA Git Free <=9.5 XML External Entity in updateWriteBack
CVE-2025-13209 Published on November 15, 2025

bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference
A weakness has been identified in bestfeng oa_git_free up to version 9.5. It affects the function updateWriteBack in the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. Manipulation of the argument writeProp results in an XML external entity (XXE) reference. The attack can be carried out remotely. An exploit has been published and may be used.

Weakness Types

What is an XXE Vulnerability?

The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CVE-2025-13209 has been classified as an XXE vulnerability (weakness).

Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
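As an added example (not code from the oa_git_free project), the following Java snippet shows how a controller that parses a caller-supplied XML string such as writeProp can configure the JDK's DocumentBuilderFactory so that DOCTYPE declarations, and with them any external entity references, are rejected before anything outside the document is resolved. The class name, method names and sample documents are assumptions constructed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class SafeXmlParser {

    // Hardened factory: refuses DOCTYPE declarations entirely, so neither
    // general nor parameter external entities can be declared or resolved.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: any document carrying <!DOCTYPE> is rejected outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE block is ever relaxed for a legitimate DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Secure processing also caps entity expansion (billion-laughs style blow-up).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder();
    }

    // Parses caller-influenced XML (the role writeProp plays here) with the hardened builder.
    public static Document parseUntrusted(String xml) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign write-back definition without a DOCTYPE parses normally.
        String benign = "<writeBack><field name=\"status\">done</field></writeBack>";
        System.out.println("benign root: " + parseUntrusted(benign).getDocumentElement().getTagName());

        // Constructed sample: a DOCTYPE declaring an entity that points outside the document.
        // The parser fails on the DOCTYPE itself, so the external URI is never fetched.
        String withDoctype = "<!DOCTYPE w [<!ENTITY e SYSTEM \"file:///constructed/example\">]><writeBack>&e;</writeBack>";
        try {
            parseUntrusted(withDoctype);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory if the controller uses a streaming parser instead of DOM; the DOCTYPE rejection is the control that actually closes the XXE path, the remaining features are fallbacks.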


Affected Versions

bestfeng oa_git_free:

Exploit Probability

EPSS: 0.03%
Percentile: 10.56%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.