Submit #606784: jishenghua jshERP v3.5 Path Traversalinfo

Titeljishenghua jshERP v3.5 Path Traversal
BeschreibungIn the jshERP project, the endpoint `/systemConfig/exportExcelByParam` contains the following issue: The external input parameter `title` is used for path concatenation and file creation. Due to the lack of validation on the path's legitimacy, an attacker can craft a malicious path to generate files in arbitrary directories or overwrite existing files in targeted directories. Project Link: https://github.com/jishenghua/jshERP Affected Version: v3.5 Affected API: /systemConfig/exportExcelByParam Code Location: /jshERP-3.5/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java:282
Quelle⚠️ https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250630-01.md
Benutzer
 ShenxiuSecurity (UID 84374)
Einreichung30.06.2025 10:06 (vor 10 Monaten)
Moderieren12.07.2025 23:17 (13 days later)
StatusAkzeptiert
VulDB Eintrag316264 [jshERP bis 3.5 SystemConfigController.java exportExcelByParam Titel Directory Traversal]
Punkte20

ZurückÜbersichtWeiter

Want to know what is going to be exploited?

We predict KEV entries!