CVE-2025-56161
BaseFortify

Publication date: 2025-10-02

Last updated on: 2025-10-30

Assigner: MITRE

Description
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.
Meta Information
Published: 2025-10-02
Last Modified: 2025-10-30
Generated: 2026-06-16
AI Q&A: 2025-10-02
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
yiovo | firefly_mall | From 2.01 (inc)
CWE ID: CWE-200
CWE Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

This vulnerability in YOSHOP 2.0 allows unauthenticated users to access sensitive information through the comment-list API endpoints in the Goods module. The Comment model loads related User data without filtering fields, exposing sensitive user information such as bcrypt password hashes, mobile numbers, and financial data (pay_money, expend_money) in JSON responses.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive user information, including password hashes and financial details. This exposure can increase the risk of account compromise, identity theft, financial fraud, and privacy violations.

Compliance Impact

This vulnerability likely violates data protection regulations such as GDPR and HIPAA by exposing sensitive personal and financial information without proper authorization or consent, potentially leading to non-compliance and legal consequences.

Detection Guidance

You can detect this vulnerability by sending unauthenticated requests to the comment-list API endpoints in the Goods module (e.g., /api/goods.pinglun/list) and inspecting the JSON response for sensitive user information such as bcrypt password hashes, mobile numbers, pay_money, and expend_money fields. Using tools like curl or wget, you can run commands such as: curl -X GET http://your-target/api/goods.pinglun/list and then check the response for exposed sensitive fields.
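The check described above, as an added example that is not part of this advisory or of YOSHOP: it walks a comment-list JSON body (a constructed sample response, not real data) and reports every nested user field named in the description, plus any bcrypt-looking value under a differently named key, since field names may vary per deployment. Run it against a response captured from your own deployment.

```python
import json
import re

# Constructed sample of a comment-list response in the shape the advisory
# describes: each comment eagerly loads its "user" relation, and the User
# model hides nothing. All values below are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "code": 1,
    "data": {"list": [
        {"comment_id": 101, "content": "Great product",
         "user": {"user_id": 7, "nickName": "alice",
                  "password": "$2y$10$" + "a" * 53,
                  "mobile": "13800000000",
                  "pay_money": "120.00", "expend_money": "80.00"}},
        # a deployment that renamed the column: the value pattern still flags it
        {"comment_id": 102, "content": "Fast delivery",
         "user": {"user_id": 9, "nickName": "bob",
                  "pwd": "$2y$10$" + "b" * 53}},
    ]},
})

# Field names the advisory lists as exposed.
SENSITIVE_KEYS = {"password", "mobile", "pay_money", "expend_money"}
# bcrypt hashes: $2a$/$2b$/$2y$, two-digit cost, then 53 salt+hash characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def find_leaks(obj, path="$"):
    """Walk decoded JSON and return (json_path, reason) for every sensitive
    key or bcrypt-looking value, however deeply the user relation is nested."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                leaks.append((child, f"sensitive field '{key}'"))
            elif isinstance(value, str) and BCRYPT_RE.match(value):
                leaks.append((child, "bcrypt hash value"))
            leaks.extend(find_leaks(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            leaks.extend(find_leaks(item, f"{path}[{i}]"))
    return leaks


def audit_response(body):
    """Decode a comment-list response body and list the leaked fields."""
    return find_leaks(json.loads(body))
```

An empty result means the eager-loaded user relation exposes none of the listed fields; any hit names the exact JSON path to fix in the model.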

Mitigation Strategies

Immediate mitigation steps include restricting access to the comment-list API endpoints to authenticated users only, implementing proper field filtering in the User model to hide sensitive attributes (e.g., defining $hidden or $visible properties), and reviewing the API routes to ensure sensitive data is not exposed in JSON responses.
