5 matches found
CVE-2025-56161
Summary of CVE-2025-56161 (YOSHOP 2.0): Unauthenticated information disclosure via the Goods module’s comment-list endpoints. The Comment model eagerly loads the related User model without field filtering, and since User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt pass...
Yoshop Security Vulnerability
Yoshop is an open source e-commerce system from China's yiovo. A security vulnerability exists in Yoshop version 2.0, which originates from the unvalidated goodsIds parameter and may lead to SQL injection attack...
Yoshop Security Vulnerability
Yoshop is an open source e-commerce system from China's yiovo. A security vulnerability exists in Yoshop version 2.0, which stems from unauthenticated information leakage from the comment list API endpoint, which may lead to the exposure of sensitive fields...
CVE-2025-56162
YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password...
CVE-2025-56161
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile...