Impact
An XML Parser used by ADP Application Developer Platform processes user supplied XML documents via the /adpweb/a/base/barcodeDetail/import endpoint. Because the parser accepts XML external entity references, an attacker can supply a crafted XML payload that causes the server to access arbitrary resources or trigger resource exhaustion. This flaw is identified as External Entity Injection (CWE-611) and can lead to the disclosure of internal files, denial of service, or other side‑channel attacks. The vulnerability is publicly known and can be triggered remotely through normal HTTP requests to the vulnerable endpoint.
Affected Systems
The affected product is zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 version 1.0.0. No additional vendor product versions were specified. Any deployment of this platform that includes the /adpweb/a/base/barcodeDetail/import XML parser is susceptible.
Risk and Exploitability
The CVSS score of 5.3 indicates a medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited remotely over the network by sending a malicious XML payload to the exposed endpoint. Because the issue resides in parsing code that runs with application privileges, a successful exploitation could enable an attacker to read sensitive files or induce denial of service. The typical attack vector is over HTTP or HTTPS to the web application. The overall risk is moderate, but the lack of immediate remediation from the vendor heightens the urgency of applying mitigations.
OpenCVE Enrichment