CVE-2025-9140

Summary

A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+."

Affected Software

VendorProductVersion RangeStatus
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.0affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.1affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.2affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.3affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.4affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.5affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.6affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.4.7affected
Shanghai Lingdang Information TechnologyLingdang CRM8.6.5.4unaffected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References