Jsherp

jsherp

Vendor: Jishenghua • 26 CVEs

CVEs (26)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-1588 1Jishenghua 1Jsherp Apr 29, 2026 Jan 29, 2026 2.0 LOW· v4 2.7 LOW· v3 3.3 LOW· v2 A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPlugin...Show more A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.Show less
CVE-2026-1549 1Jishenghua 1Jsherp Apr 29, 2026 Jan 28, 2026 2.1 LOW· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such man...Show more A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.Show less
CVE-2026-1546 1Jishenghua 1Jsherp Apr 29, 2026 Jan 28, 2026 2.1 LOW· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasourc...Show more A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.Show less
CVE-2025-67344 1Jishenghua 1Jsherp Dec 19, 2025 Dec 12, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.
CVE-2025-67341 1Jishenghua 1Jsherp Dec 19, 2025 Dec 12, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs,...Show more jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.Show less
CVE-2025-51746 1Jishenghua 1Jsherp Dec 2, 2025 Nov 25, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51745 1Jishenghua 1Jsherp Dec 2, 2025 Nov 25, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51744 1Jishenghua 1Jsherp Dec 2, 2025 Nov 25, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51743 1Jishenghua 1Jsherp Dec 2, 2025 Nov 25, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.
CVE-2025-51742 1Jishenghua 1Jsherp Dec 2, 2025 Nov 25, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerabil...Show more An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.Show less
CVE-2025-60800 1Jishenghua 1Jsherp Nov 6, 2025 Oct 28, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Incorrect access control in the /jshERP-boot/user/info interface of jshERP up to commit 90c411a allows attackers to access sensitive information via a crafted GET request.
CVE-2025-60801 1Jishenghua 1Jsherp Nov 5, 2025 Oct 24, 2025 N/A· v4 8.2 HIGH· v3 N/A· v2 jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.
CVE-2025-55371 1Jishenghua 1Jsherp Sep 9, 2025 Aug 21, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method.
CVE-2025-55370 1Jishenghua 1Jsherp Sep 9, 2025 Aug 21, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value.
CVE-2025-55368 1Jishenghua 1Jsherp Sep 9, 2025 Aug 21, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
CVE-2025-55367 1Jishenghua 1Jsherp Sep 9, 2025 Aug 21, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account.
CVE-2025-55366 1Jishenghua 1Jsherp Sep 9, 2025 Aug 21, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack.
CVE-2025-8840 1Jishenghua 1Jsherp Apr 29, 2026 Aug 11, 2025 2.1 LOW· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorizatio...Show more A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947.Show less
CVE-2025-8839 1Jishenghua 1Jsherp Apr 29, 2026 Aug 11, 2025 2.1 LOW· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may...Show more A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-7948 1Jishenghua 1Jsherp Apr 29, 2026 Jul 22, 2025 2.1 LOW· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recover...Show more A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less

12 Next