CVE-2025-9151

Summary

A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
LiuYuYang01ThriveX-Blog3.1.0affected
LiuYuYang01ThriveX-Blog3.1.1affected
LiuYuYang01ThriveX-Blog3.1.2affected
LiuYuYang01ThriveX-Blog3.1.3affected
LiuYuYang01ThriveX-Blog3.1.4affected
LiuYuYang01ThriveX-Blog3.1.5affected
LiuYuYang01ThriveX-Blog3.1.6affected
LiuYuYang01ThriveX-Blog3.1.7affected

Weaknesses

  • CWE-285: Improper Authorization
  • CWE-266: Incorrect Privilege Assignment

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References