Skip to main content

Jsherp CVE-2024-24003

CRITICAL
SQL Injection (CWE-89)
2024-02-08 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 08, 2024 - 02:15 nvd
CRITICAL 9.8

DescriptionNVD

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter column and order parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in safeSqlParse method for sql injection.

AnalysisAI

jshERP v3.3 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter column and order parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in safeSqlParse method for sql injection. Affected products include: Jishenghua Jsherp.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

More in Jsherp

View all
CVE-2024-24004 CRITICAL POC
9.8 Feb 07

jshERP v3.3 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2024-24002 CRITICAL POC
9.8 Feb 07

jshERP v3.3 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2024-24001 CRITICAL POC
9.8 Feb 07

jshERP v3.3 is vulnerable to SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab

CVE-2025-55370 HIGH POC
8.8 Aug 21

Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attacke

CVE-2025-55368 HIGH POC
8.8 Aug 21

Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers t

CVE-2023-48894 MEDIUM POC
6.5 Nov 30

Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter

CVE-2025-51746 CRITICAL
9.8 Nov 25

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2025-51745 CRITICAL
9.8 Nov 25

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2025-51744 CRITICAL
9.8 Nov 25

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2025-51743 CRITICAL
9.8 Nov 25

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2025-51742 CRITICAL
9.8 Nov 25

An issue was discovered in jishenghua JSH_ERP 2.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2024-24000 CRITICAL
9.8 Feb 06

jshERP v3.3 is vulnerable to Arbitrary File Upload. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

Share

CVE-2024-24003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy