CVE-2024-24000 Information

Description

jshERP v3.3 is vulnerable to Arbitrary File Upload. The jshERP-boot/systemConfig/upload interface does not check the uploaded file type and the biz parameter can be spliced into the upload path resulting in arbitrary file uploads with controllable paths.

Reference

https://github.com/jishenghua/jshERP https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/24000.txt