CVE-2025-2835 MEDIUM

CVE-2025-2835: zhangyd-c OneBlog RestApiController.java autoLink server-side request forgery

Vendor Zhangyd-C

Product OneBlog

Weakness CWE-918 · SSRF

Published March 27, 2025

Last update March 27, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Key dates

Disclosure timeline

March 27, 2025 CVE published

March 27, 2025 Record updated

Identifiers

CVE CVE-2025-2835

CWE CWE-918

CVSS 5.3 / MEDIUM

Affected versions

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.0

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.1

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.2

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.3

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.4

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.5

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.6

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.7

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.8

Vendor Zhangyd-C

Product OneBlog

Affected 2.3.9