Description

YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields (bcrypt password hash, mobile number, pay_money, expend_money.) are exposed in JSON responses. Route names vary per deployment (e.g. /api/goods.pinglun/list), but all call the same vulnerable model logic.

INFO

Published Date :

2025-10-02T00:00:00.000Z

Last Modified :

2025-10-02T18:13:36.507Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-56161 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-56161.

URL Resource
https://gitee.com/xany/yoshop2.0 cve-icon cve-icon
https://github.com/ZyWAC/CVE-Disclosures/blob/6b337a44934ffe948275995e9b79158e97c78fc4/2025/YOSHOP2.0/CVE-2025-56161.md cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System