{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-13249","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-11-15T14:59:10.993Z","datePublished":"2025-11-16T11:32:05.743Z","dateUpdated":"2025-11-17T19:00:38.836Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-11-16T11:32:05.743Z"},"title":"Jiusi OA OfficeServer unrestricted upload","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-434","lang":"en","description":"Unrestricted Upload"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-284","lang":"en","description":"Improper Access Controls"}]}],"affected":[{"vendor":"Jiusi","product":"OA","versions":[{"version":"20251102","status":"affected"}],"modules":["OfficeServer Interface"]}],"descriptions":[{"lang":"en","value":"A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used."},{"lang":"de","value":"In Jiusi OA up to 20251102 ist eine Schwachstelle entdeckt worden. Betroffen ist eine unbekannte Funktion der Datei /OfficeServer?isAjaxDownloadTemplate=false der Komponente OfficeServer Interface. Die Bearbeitung des Arguments FileData verursacht unrestricted upload. Ein Angriff ist aus der Distanz möglich. Der Exploit ist öffentlich verfügbar und könnte genutzt werden."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}],"timeline":[{"time":"2025-11-15T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-11-15T01:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-11-15T16:04:15.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"2075463979 (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.332583","name":"VDB-332583 | Jiusi OA OfficeServer unrestricted upload","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.332583","name":"VDB-332583 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.687599","name":"Submit #687599 | http://www.jiusi.net/ jiusiOA n/a Arbitrary file upload vulnerability","tags":["third-party-advisory"]},{"url":"https://github.com/rooboot501/my-project/blob/main/jiousi.md","tags":["exploit"]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-11-17T19:00:20.743011Z","id":"CVE-2025-13249","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-11-17T19:00:38.836Z"}}]}}