PT-2025-47061 · Bestfeng · Bestfeng Oa Git Free

Youran · Published 2025-11-15 · Updated 2025-11-15 · CVE-2025-13209

CVSS v2.0

6.5 Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

bestfeng oa git free versions up to 9.5

Description

A flaw exists in bestfeng oa git free up to version 9.5. The issue is caused by manipulation of the writeProp argument of the updateWriteBack function in the file yimioa-oa9.5/server/c-flow/src/main/java/com/cloudweb/oa/controller/WorkflowPredefineController.java. This manipulation can lead to an XML External Entity (XXE) reference. The attack can be carried out remotely, and an exploit has been publicly released.

Recommendations

Versions prior to 9.5 should be updated. As a temporary workaround, consider restricting access to the updateWriteBack function until a patch is available.
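
Until a fixed release is available, the class of flaw described above can also be closed at the parser. The following is an added example, not code from the project: it assumes the writeProp value is parsed with the JDK's JAXP DocumentBuilderFactory (the entry does not say which parser the controller uses), and the class name, helper names and sample strings are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeWritePropParser {

    // Builds a JAXP factory that refuses DTDs and never resolves external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting every DOCTYPE removes the entity-declaration mechanism XXE depends on.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hypothetical helper: parses the untrusted writeProp string.
    // Returns null when the input is rejected so the caller can answer with an error.
    static Document parseWriteProp(String writeProp) {
        try {
            return hardenedFactory()
                    .newDocumentBuilder()
                    .parse(new InputSource(new StringReader(writeProp)));
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return null; // log the rejection server-side; do not echo parser errors to the client
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: ordinary XML, and XML that carries a DOCTYPE.
        String plain = "<root><field>value</field></root>";
        String withDoctype =
                "<!DOCTYPE root [<!ENTITY e \"constructed\">]><root>&e;</root>";
        System.out.println("plain accepted: " + (parseWriteProp(plain) != null));
        System.out.println("doctype rejected: " + (parseWriteProp(withDoctype) == null));
    }
}
```

Rejected inputs are worth logging with the request source, since a DOCTYPE in a writeProp value is not expected in normal use.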

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2025-13209

Affected Products

Bestfeng Oa Git Free