CVE-2025-13209 MEDIUM

CVE-2025-13209: bestfeng oa_git_free WorkflowPredefineController.java updateWriteBack xml external entity reference

Vendor Bestfeng

Product oa_git_free

Weakness CWE-611 · XXE

Published November 15, 2025

Last update November 17, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java. This manipulation of the argument writeProp causes xml external entity reference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.

Key dates

Disclosure timeline

November 15, 2025 CVE published

November 17, 2025 Record updated

Identifiers

CVE CVE-2025-13209

CWE CWE-611

CVSS 5.3 / MEDIUM

Affected versions

Vendor Bestfeng

Product oa_git_free

Affected 9.0

Vendor Bestfeng

Product oa_git_free

Affected 9.1

Vendor Bestfeng

Product oa_git_free

Affected 9.2

Vendor Bestfeng

Product oa_git_free

Affected 9.3

Vendor Bestfeng

Product oa_git_free

Affected 9.4

Vendor Bestfeng

Product oa_git_free

Affected 9.5