Crmeb vulnerabilities
29 known vulnerabilities affecting crmeb/crmeb.
Total CVEs: 29
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 18, MEDIUM 4
Vulnerabilities
Page 1 of 2

CVE | Priority | Severity | CVSS | PoC | Affected versions | Date

CVE-2024-36837 | P2 | HIGH | CVSS 7.5 | PoC | v5.2.2 | 2024-06-05
CWE-89. SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
Source: nvd

CVE-2023-3232 | P2 | CRITICAL | CVSS 9.8 | - | ≤ 4.6.0 | 2023-06-14
CWE-502. A vulnerability was found in Zhong Bang CRMEB up to 4.6.0 and classified as critical. This issue affects some unknown processing of the file /api/wechat/app_auth of the component Image Upload. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VD
Source: nvd

CVE-2026-1202 | P2 | CRITICAL | CVSS 9.8 | - | ≤ 5.6.3, v5.6.0 (+3 more) | 2026-01-20
CWE-287. A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and
Source: nvd

CVE-2024-6943 | P3 | HIGH | CVSS 8.8 | - | ≤ 5.4.0 | 2024-07-21
CWE-502. A vulnerability has been found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this vulnerability is the function downloadImage of the file app/services/product/product/CopyTaobaoServices.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be
Source: nvd

CVE-2025-10390 | P3 | HIGH | CVSS 8.8 | - | ≤ 5.6.1, v5.6.0 (+1 more) | 2025-09-14
CWE-266. A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The ven
Source: nvd

CVE-2025-10391 | P3 | HIGH | CVSS 8.8 | - | ≤ 5.6.1, v5.6.0 (+1 more) | 2025-09-14
CWE-918. A security vulnerability has been detected in CRMEB up to 5.6.1. The impacted element is the function testOutUrl of the file app/services/out/OutAccountServices.php. The manipulation of the argument push_token_url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be use
Source: nvd

CVE-2020-25466 | P3 | CRITICAL | CVSS 9.8 | - | v3.0 | 2020-10-23
CWE-918. A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code.
Source: nvd

CVE-2025-10389 | P3 | HIGH | CVSS 8.8 | - | ≤ 5.6.1, v5.6.0 (+1 more) | 2025-09-14
CWE-266. A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be initiated remotely. The exploit has been released to the pu
Source: nvd

CVE-2023-30185 | P3 | CRITICAL | CVSS 9.8 | - | ≥ 4.4.0, ≤ 4.6.0 | 2023-05-08
CWE-434. CRMEB v4.4 to v4.6 was discovered to contain an arbitrary file upload vulnerability via the component \attachment\SystemAttachmentServices.php.
Source: nvd

CVE-2023-3234 | P3 | CRITICAL | CVSS 9.8 | - | ≤ 4.6.0 | 2023-06-14
CWE-502. A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been declared as problematic. Affected by this vulnerability is the function put_image of the file api/controller/v1/PublicController.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The
Source: nvd

CVE-2023-3233 | P3 | HIGH | CVSS 8.8 | - | ≤ 4.6.0 | 2023-06-14
CWE-918. A vulnerability was found in Zhong Bang CRMEB up to 4.6.0. It has been classified as critical. Affected is the function get_image_base64 of the file api/controller/v1/PublicController.php. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The
Source: nvd

CVE-2020-21787 | P3 | CRITICAL | CVSS 9.8 | - | v3.1.0+ | 2021-06-24
CWE-434. CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.
Source: nvd

CVE-2025-11288 | P3 | HIGH | CVSS 8.8 | - | ≤ 5.6, v5.0 (+6 more) | 2025-10-05
CWE-74. A security flaw has been discovered in CRMEB up to 5.6. This issue affects some unknown processing of the file /adminapi/product/product of the component GET Parameter Handler. Performing a manipulation of the argument cate_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be
Source: nvd

CVE-2024-6944 | P3 | HIGH | CVSS 7.5 | - | ≤ 5.4.0 | 2024-07-21
CWE-502. A vulnerability was found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this issue is the function get_image_base64 of the file PublicController.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-272066 is
Source: nvd

CVE-2026-1203 | P3 | HIGH | CVSS 8.1 | - | ≤ 5.6.3, v5.6.0 (+3 more) | 2026-01-20
CWE-287. A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of
Source: nvd

CVE-2025-11290 | P3 | HIGH | CVSS 8.1 | - | ≤ 5.6.1, v5.6.0 (+1 more) | 2025-10-05
CWE-320. A vulnerability was identified in CRMEB up to 5.6.1. This affects an unknown function of the component JWT HMAC Secret Handler. Such manipulation of the argument secret with the input default leads to use of hard-coded cryptographic key. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is rep
Source: nvd

CVE-2025-15443 | P3 | HIGH | CVSS 7.2 | - | ≤ 5.6.1, v5.6.0 (+1 more) | 2026-01-04
CWE-74. A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but
Source: nvd

CVE-2025-25763 | P3 | CRITICAL | CVSS 9.8 | - | v5.4.0 | 2025-03-06
CWE-89. crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php.
Source: nvd

CVE-2025-15442 | P3 | HIGH | CVSS 7.2 | - | ≤ 5.6.1, v5.6.0 (+1 more) | 2026-01-04
CWE-74. A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but
Source: nvd

CVE-2020-21394 | P3 | HIGH | CVSS 8.8 | - | v2.60, v3.1 | 2021-06-29
CWE-89. SQL Injection vulnerability in Zhong Bang Technology Co., Ltd CRMEB mall system V2.60 and V3.1 via the tablename parameter in SystemDatabackup.php.
Source: nvd