CVE-2024-24000 — CRITICAL (9.8)

Vulnerability Description

jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resulting in arbitrary file uploads with controllable paths.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Huaxiaerp	Jsherp	3.3

Related Weaknesses (CWE)

CWE-434

References

https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2Third Party Advisory
https://github.com/jishenghua/jshERPProduct
https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2Third Party Advisory
https://github.com/jishenghua/jshERPProduct

FAQ

What is CVE-2024-24000?

CVE-2024-24000 is a vulnerability with a CVSS score of 9.8 (CRITICAL). jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type, and the biz parameter can be spliced into the upload path, resu...

How severe is CVE-2024-24000?

CVE-2024-24000 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-24000?

Check the references section above for vendor advisories and patch information. Affected products include: Huaxiaerp Jsherp.