A vulnerability was detected in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4. This affects an unknown function of the file crm/WeiXinApp/dingtalk/index_event.php. The manipulation of the argument corpurl results in server-side request forgery. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://github.com/jackyliu666/dingtalk | Exploit |
| https://vuldb.com/?ctiid.323233 | Permissions Required VDB Entry |
| https://vuldb.com/?id.323233 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.636882 | Third Party Advisory VDB Entry |
| https://github.com/jackyliu666/dingtalk | Exploit |
Configurations
History
09 Oct 2025, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
51mis lingdang Crm
51mis |
|
| CPE | cpe:2.3:a:51mis:lingdang_crm:*:*:*:*:*:*:*:* | |
| References | () https://github.com/jackyliu666/dingtalk - Exploit | |
| References | () https://vuldb.com/?ctiid.323233 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.323233 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.636882 - Third Party Advisory, VDB Entry |
09 Sep 2025, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/jackyliu666/dingtalk - |
09 Sep 2025, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-09 17:16
Updated : 2025-10-09 20:16
NVD link : CVE-2025-5005
Mitre link : CVE-2025-5005
CVE.ORG link : CVE-2025-5005
JSON object : View
Products Affected
51mis
- lingdang_crm
CWE
CWE-918
Server-Side Request Forgery (SSRF)