Soumettre #606784: jishenghua jshERP v3.5 Path Traversalinformation

Titrejishenghua jshERP v3.5 Path Traversal
DescriptionIn the jshERP project, the endpoint `/systemConfig/exportExcelByParam` contains the following issue: The external input parameter `title` is used for path concatenation and file creation. Due to the lack of validation on the path's legitimacy, an attacker can craft a malicious path to generate files in arbitrary directories or overwrite existing files in targeted directories. Project Link: https://github.com/jishenghua/jshERP Affected Version: v3.5 Affected API: /systemConfig/exportExcelByParam Code Location: /jshERP-3.5/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java:282
La source⚠️ https://github.com/ShenxiuSec/cve-proofs/blob/main/POC-20250630-01.md
Utilisateur
 ShenxiuSecurity (UID 84374)
Soumission30/06/2025 10:06 (il y a 10 mois)
Modérer12/07/2025 23:17 (13 days later)
StatutAccepté
Entrée VulDB316264 [jshERP jusqu’à 3.5 SystemConfigController.java exportExcelByParam Titre directory traversal]
Points20

PrécédentAperçuSuivant

Do you want to use VulDB in your project?

Use the official API to access entries easily!