Jishenghua: Security Vulnerabilities
jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability: attackers can upload PDF files containing XSS payloads, and because these PDF files are served from static URLs, they are accessible to all users.
CVSS Score: 4.6 | EPSS Score: 0.0 | Published: 2025-12-12
jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.
CVSS Score: 4.6 | EPSS Score: 0.0 | Published: 2025-12-12
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2025-11-25
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2025-11-25
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2025-11-25
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2025-11-25
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2025-11-25
Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2025-10-28
jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.
CVSS Score: 8.2 | EPSS Score: 0.002 | Published: 2025-10-24
Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all handler information by calling the getAllList method.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2025-08-21
Shodan ® - All rights reserved