CVE-2025-10987
BaseFortify
Publication date: 2025-09-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iocoder | yudao-cloud | up to and including 2025.09 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in YunaiV yudao-cloud up to and including version 2025.09, in the HTTP Request Handler component that serves the /crm/contact/transfer endpoint. Manipulating the 'contactId' argument leads to improper authorization (CWE-285, with CWE-266 privilege assignment as the root weakness), which allows an attacker to perform unauthorized actions remotely. The vulnerability has been publicly disclosed and can be exploited.
How can this vulnerability impact me?
Because the contact transfer function does not properly check whether the caller is authorized to act on the supplied contactId, an unauthenticated remote attacker can invoke it against contacts they do not own. This could lead to unauthorized access to or modification of contact data, affecting the confidentiality, integrity, and availability of the affected system.