CVE-2025-10390

5.4 MEDIUM

📋 TL;DR

CRMEB versions up to 5.6.1 contain an improper authorization vulnerability in the editAddress function: an authenticated user can submit the ID of an address that is not their own and have it modified. This enables unauthorized modification of other users' address data and potentially affects all users of vulnerable CRMEB installations. The vulnerability is remotely exploitable, and public exploit details exist.

💻 Affected Systems

Products:
  • CRMEB
Versions: up to 5.6.1
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using vulnerable versions; requires user authentication to exploit but bypasses authorization checks.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify any user's address information, potentially enabling account takeover, data manipulation, or facilitating social engineering attacks.

🟠 Likely Case

Unauthorized modification of user address data, potentially leading to order redirection, data integrity issues, or privacy violations.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, potentially only affecting non-sensitive address fields.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available; requires authenticated user access but bypasses authorization controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

Upgrade to version 5.6.2 or later if available; otherwise apply manual code fix to UserAddressServices.php to add proper authorization checks.

🔧 Temporary Workarounds

Manual Code Fix (applies to: all)

Add proper authorization checks to the editAddress function in UserAddressServices.php to verify users can only modify their own addresses.

WAF Rule Implementation (applies to: all)

Implement web application firewall rules to detect and block suspicious address ID manipulation attempts.
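As an added example, not CRMEB's own code, the pattern behind the recommended fix: a hypothetical editAddress that binds the address lookup to the authenticated uid, beside the unchecked version it replaces. The class, method names and sample rows are assumptions and do not reproduce CRMEB's actual UserAddressServices implementation.

```php
<?php
// Added illustration (not CRMEB's code) of the ownership check the page
// recommends for editAddress; an in-memory array stands in for the database.
final class AuthorizationException extends RuntimeException {}
final class UserAddressService
{
    // Constructed sample rows: address id => owning uid and detail line.
    private array $addresses = [
        101 => ['uid' => 1, 'detail' => '1 Main St'],
        202 => ['uid' => 2, 'detail' => '2 Side St'],
    ];
    // Vulnerable pattern: the row is selected by the caller-supplied id alone,
    // so any authenticated user can overwrite any address.
    public function editAddressVulnerable(int $uid, array $data): bool
    {
        $id = (int) $data['id'];
        if (!isset($this->addresses[$id])) {
            return false;
        }
        $this->addresses[$id]['detail'] = (string) $data['detail'];
        return true;
    }
    // Hardened pattern: the session uid is part of the lookup and a mismatch is
    // refused before any write; "not found" and "not yours" raise the same error
    // so the response does not reveal whether the id exists.
    public function editAddress(int $uid, array $data): bool
    {
        $id  = (int) $data['id'];
        $row = $this->addresses[$id] ?? null;
        if ($row === null || $row['uid'] !== $uid) {
            throw new AuthorizationException("address $id is not owned by user $uid");
        }
        $this->addresses[$id]['detail'] = (string) $data['detail'];
        return true;
    }
    public function detailOf(int $id): ?string { return $this->addresses[$id]['detail'] ?? null; }
}

// Demonstration: user 1 submits the id of user 2's address (202).
$svc = new UserAddressService();
$svc->editAddressVulnerable(1, ['id' => 202, 'detail' => 'changed by user 1']);
echo 'vulnerable: ', $svc->detailOf(202), PHP_EOL;
$svc = new UserAddressService();
try {
    $svc->editAddress(1, ['id' => 202, 'detail' => 'changed by user 1']);
} catch (AuthorizationException $e) {
    echo 'hardened: refused, ', $e->getMessage(), PHP_EOL;
}
echo 'hardened: ', $svc->detailOf(202), PHP_EOL;
```

In a real service the same binding belongs in the database query itself (select by id and uid together) so the ownership check cannot be skipped by a later code path.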

🧯 If You Can't Patch

  • Implement strict input validation and authorization middleware for all user address operations
  • Enable detailed logging of address modification attempts and monitor for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the CRMEB version in the system configuration; if the version is 5.6.1 or earlier, review UserAddressServices.php for missing authorization checks in the editAddress function.

Check Version:

Check CRMEB version in admin panel or system configuration files

Verify Fix Applied:

Test that authenticated users cannot modify other users' address data; verify authorization checks are implemented in the editAddress function.

📡 Detection & Monitoring

Log Indicators:

  • Multiple address modification attempts from single user
  • Address ID values outside expected range
  • Rapid sequential address updates

Network Indicators:

  • Unusual patterns in POST requests to address modification endpoints
  • Address ID parameter manipulation in requests

SIEM Query:

source="web_logs" AND (uri_path="/user/address/edit" OR uri_path="*/address/update*") AND (status=200 OR status=302) | stats count by src_ip, user_id
