CVE-2025-8852
BaseFortify

Publication date: 2025-08-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in WuKongOpenSource WukongCRM 11.0. This affects an unknown part of the file /adminFile/upload of the component API Response Handler. The manipulation leads to information exposure through error message. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-08-11
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2025-08-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: 5kcrm
Product: wukongcrm
Version / Range: 11.0
CWE ID: Description
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8852 is an information exposure vulnerability in WuKongOpenSource WukongCRM version 11.0, specifically in the /adminFile/upload API endpoint. The backend improperly returns the full entity object, including sensitive internal details such as the absolute file storage path on the server, directly to the frontend without filtering. This allows attackers to gain detailed knowledge of the server's file system structure through error messages or API responses, which can be exploited remotely. [1, 3]


How can this vulnerability impact me?

This vulnerability can expose sensitive information about the server's file system, such as absolute file paths, which attackers can use to perform further attacks like path traversal, arbitrary file reads, or local file inclusion. It increases the attack surface by aiding attackers in reconnaissance and privilege escalation attempts. The vulnerability can be exploited remotely and has a moderate severity level. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a POST request to the /adminFile/upload endpoint and inspecting the API response for exposure of sensitive information such as the absolute file storage path on the server. For example, using curl:

curl -X POST https://<target>/adminFile/upload -F 'file=@testfile'

and then checking if the response contains full server file paths or detailed error messages revealing internal server structure. Monitoring for unusual error messages or information disclosures in API responses related to /adminFile/upload can also help detect exploitation attempts. [1, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing a proper Data Transfer Object (DTO) layer in the backend to filter out sensitive fields such as absolute system file paths from API responses. Only necessary information like file IDs or relative URLs should be returned to clients. Since no known countermeasures or patches are currently available, consider restricting access to the /adminFile/upload endpoint, monitoring for suspicious activity, and evaluating replacement of the affected product as a precaution. [2, 3]
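The DTO mitigation from the answer above and the response check from the detection answer, as one added Python example. This is not WukongCRM's code (the project itself is not written in Python); the `UploadedFile` entity, the `/adminFile/download/<id>` URL shape, the sample storage path and the path-matching pattern are all assumptions made for the illustration. It places the leaky pattern (serialising the whole entity, echoing the raw exception) beside the hardened one (a whitelisting DTO and an opaque error with a server-side correlation id), and a small checker that flags absolute paths in a response body, which is the property a defender would test for on the endpoint.

```python
"""Constructed example, not WukongCRM code: keep absolute storage paths out of
upload responses and error messages (CWE-200 / CWE-209), and check a response
body for leaked paths."""
import json
import logging
import re
import uuid
from dataclasses import asdict, dataclass

log = logging.getLogger("upload")


@dataclass
class UploadedFile:
    """Hypothetical persistence entity. storage_path is the server-side absolute
    path and must never be serialised to a client."""
    file_id: str
    original_name: str
    storage_path: str
    uploaded_by: int


@dataclass
class UploadResponse:
    """DTO: only the fields a client needs. The URL is relative and is resolved
    to storage_path on the server when the file is fetched."""
    file_id: str
    original_name: str
    url: str


def to_upload_response(entity: UploadedFile) -> UploadResponse:
    # Whitelist mapping: fields are copied by name, so a new sensitive column on
    # the entity cannot leak by accident.
    return UploadResponse(
        file_id=entity.file_id,
        original_name=entity.original_name,
        url=f"/adminFile/download/{entity.file_id}",
    )


# --- leaky pattern (the class of bug the advisory describes) ---------------
def handle_upload_leaky(entity: UploadedFile) -> str:
    # Returns the whole entity, absolute path included.
    return json.dumps({"code": 0, "data": asdict(entity)})


def handle_upload_error_leaky(exc: Exception) -> str:
    # Echoes the raw exception text; filesystem errors usually contain the path.
    return json.dumps({"code": 500, "msg": str(exc)})


# --- hardened pattern -------------------------------------------------------
def handle_upload_ok(entity: UploadedFile) -> str:
    return json.dumps({"code": 0, "data": asdict(to_upload_response(entity))})


def handle_upload_error(exc: Exception) -> str:
    # Detail goes to the server log under a correlation id; the client sees
    # only a generic message plus the id to quote when asking for support.
    ref = uuid.uuid4().hex
    log.error("upload failed ref=%s: %r", ref, exc)
    return json.dumps({"code": 500, "msg": "Upload failed", "ref": ref})


# --- response check ---------------------------------------------------------
# Assumed pattern: POSIX paths under common deployment roots, or a Windows
# drive path. Tune the root list to the deployment being checked.
ABS_PATH = re.compile(
    r'(?:/(?:home|var|opt|srv|tmp|usr|data)/[^\s"\\]+|[A-Za-z]:\\[^\s"]+)'
)


def response_leaks_path(body: str) -> bool:
    """True if an absolute server path appears anywhere in the response body."""
    return ABS_PATH.search(body) is not None


if __name__ == "__main__":
    # Constructed sample record.
    f = UploadedFile("f1", "report.pdf", "/var/www/wukong/upload/2025/08/f1.pdf", 7)
    for name, body in [
        ("leaky ok", handle_upload_leaky(f)),
        ("leaky err", handle_upload_error_leaky(PermissionError(f.storage_path))),
        ("hardened ok", handle_upload_ok(f)),
        ("hardened err", handle_upload_error(PermissionError(f.storage_path))),
    ]:
        print(f"{name:13s} leaks_path={response_leaks_path(body)}  {body}")
```

Run against a real response, `response_leaks_path` is the assertion to put in an integration test for the endpoint: it should be false for both the success and the error branch. The `ref` in the hardened error is what lets support staff find the full exception in the server log without the client ever seeing it.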

