CVE-2024-24000

Published: Feb 6, 2024Modified: Jun 12, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.

Affected (1)

Products: Huaxiaerp: Jsherp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Huaxiaerp Jsherp	Version 3.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24000.txt

Source: cve@mitre.org

Third Party Advisory

https://github.com/jishenghua/jshERP

Source: cve@mitre.org

Product

https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24000.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/jishenghua/jshERP

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.