Jishenghua: Security Vulnerabilities
Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-10-28
jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.
CVSS Score
8.2
EPSS Score
0.002
Published
2025-10-24
Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-08-21
Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-08-21
Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-08-21
Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-08-21
Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-08-21
A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947.
CVSS Score
2.1
EPSS Score
0.001
Published
2025-08-11
A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
2.1
EPSS Score
0.001
Published
2025-08-11
A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
2.1
EPSS Score
0.001
Published
2025-07-22