CVE-2025-67344
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-67344, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-12

Last updated on: 2025-12-19

Assigner: MITRE

Description

jshERP v3.5 and earlier is affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-12
Last Modified
2025-12-19
Generated
2026-07-06
AI Q&A
2025-12-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jishenghua jsherp to 3.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross Site Scripting (XSS) issue in jshERP version 3.5 and earlier. It occurs via the /msg/add endpoint, where malicious scripts can be injected and stored, potentially executed later when accessed by users.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of users' browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions affecting users of the affected application.

Detection Guidance

This vulnerability can be detected by testing the /msg/add endpoint for stored Cross-Site Scripting (XSS) by injecting payloads such as `<img src=x onerror="alert('xss')">` into the msgContent field and then verifying if the script executes when the message is viewed. Detection involves sending crafted HTTP POST requests to /msg/add with malicious msgContent and observing if the payload executes in the recipient's browser. Specific commands are not provided in the resources, but using tools like curl or Burp Suite to send such payloads and monitoring the response or client-side execution can help detect the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include: (1) On the frontend, remove the use of the `v-html` directive and replace it with safe text interpolation (`{{ msgContent }}`) or apply whitelist-based sanitization libraries such as DOMPurify to filter out dangerous HTML tags and event handlers. Implement Content Security Policy (CSP) headers to block inline scripts. (2) On the backend, enforce authentication and authorization checks to ensure only authenticated users can insert messages, and apply server-side XSS sanitization using libraries like OWASP Java HTML Sanitizer to clean input before storing it in the database. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart