CVE-2025-10091
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Jinher OA up to 1.2. This affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add of the component XML Handler. The manipulation leads to xml external entity reference. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10091
EUVD
EUVD-2025-27120
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jinher jinher_oa to 1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10091 is a critical XML External Entity (XXE) vulnerability in Jinher OA version 1.2, specifically in the XML Handler component at the endpoint /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add. The vulnerability occurs because the application improperly processes XML input containing external entity references, allowing attackers to craft malicious XML documents that cause the server to access and embed unauthorized external resources. This can lead to unauthorized data access and manipulation without requiring authentication. [1, 3]

Impact Analysis

This vulnerability can lead to breaches of confidentiality, integrity, and availability. Attackers can remotely exploit it without authentication to perform out-of-band data exfiltration by forcing the server to fetch and disclose sensitive files from its filesystem. It can also enable server-side request forgery (SSRF), internal network scanning, and potentially remote code execution, putting the affected system and its data at significant risk. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for XML payloads containing DOCTYPE declarations or external entity references sent to the affected endpoint `/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add`. Network detection can involve capturing and inspecting HTTP POST requests for XML data with external entity definitions. Additionally, Web Application Firewall (WAF) rules can be deployed to detect and block XXE attack patterns. Specific commands are not provided in the resources, but using tools like tcpdump or Wireshark to capture traffic and grep or similar tools to search for "<!DOCTYPE" or "ENTITY" in XML payloads can help identify attempts. Also, testing with proof-of-concept XML payloads that include external entity references can confirm the vulnerability. [3]

Mitigation Strategies

Immediate mitigation steps include disabling XML external entity processing in the XML parser configuration (e.g., setting XmlResolver to null in .NET), implementing strict input validation to reject XML documents containing DOCTYPE declarations, and restricting outbound network connections to prevent data exfiltration. Using alternative data formats like JSON where possible is recommended. Applying vendor security patches if available, deploying Web Application Firewall (WAF) rules to detect and block XXE attempts, and conducting regular security audits are also advised. If no patches are available, consider replacing the affected product with a secure alternative. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10091. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart