jshERP
by jshERP
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-7566 | jshERP / jshERP | Med | 0.31 | 4.7 | 0.01 | | Jul 14, 2025 | A vulnerability has been found in jshERP up to 3.5 and classified as critical. This vulnerability affects the function exportExcelByParam of the file /src/main/java/com/jsh/erp/controller/SystemConfigController.java. The manipulation of the argument Title leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-67341 | jshERP / jshERP | | 0.00 | — | 0.00 | | Dec 12, 2025 | jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users. |
| CVE-2025-67344 | jshERP / jshERP | | 0.00 | — | 0.00 | | Dec 12, 2025 | jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. |
| CVE-2025-60800 | jshERP / jshERP | | 0.00 | — | 0.00 | | Oct 28, 2025 | Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. |
| CVE-2025-55370 | jshERP / jshERP | | 0.00 | — | 0.00 | | Aug 21, 2025 | Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. |
| CVE-2025-55366 | jshERP / jshERP | | 0.00 | — | 0.00 | | Aug 21, 2025 | Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack. |
| CVE-2025-55367 | jshERP / jshERP | | 0.00 | — | 0.00 | | Aug 21, 2025 | Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. |
| CVE-2025-55368 | jshERP / jshERP | | 0.00 | — | 0.00 | | Aug 21, 2025 | Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. |