6.3 CVE-2025-9151

A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
https://nvd.nist.gov/vuln/detail/CVE-2025-9151

Categories

CWE-266 : Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. untrusted user placed in unix "wheel" group Product allows users to grant themselves certain rights that can be used to escalate privileges. Product uses group ID of a user instead of the group, causing it to run with different privileges. This is resultant from some other unknown issue. Product mistakenly assigns a particular status to an entity, leading to increased privileges.

References

 

CPE

cpe	start	end

---

REMEDIATION

---

---

EXPLOITS

---

Exploit-db.com

id	description	date
No known exploits

---

POC Github

Url
No known exploits

---

Other Nist (github, ...)

Url
No known exploits

---

CAPEC

---

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

---