Vulnerability Description
A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. It affects unknown functionality in the file /crm/crmapi/erp/tabdetail_moduleSave.php. Manipulating the argument getvaluestring leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. Upgrading the affected component to version 8.6.5.4 resolves this issue. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 51Mis | Lingdang Crm | < 8.6.5.4 |
Related Weaknesses (CWE)
References
- https://vuldb.com/?ctiid.320520 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.320520 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.628087 (Third Party Advisory, VDB Entry)
- https://www.notion.so/SQL2-2459bb66b0a5802ba8e9ca5bc775fc7d?source=copy_link (Broken Link)
- https://www.exploit-db.com/exploits/52420
FAQ
What is CVE-2025-9140?
CVE-2025-9140 is a vulnerability with a CVSS score of 6.3 (MEDIUM). A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_module...
How severe is CVE-2025-9140?
CVE-2025-9140 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-9140?
Check the references section above for vendor advisories and patch information. Affected products include: 51Mis Lingdang Crm.