CNVD-2020-63964 Scanner

Detects 'Information Disclosure' vulnerability in jshERP.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 21 hours
Scan only one: URL
Toolbox: -

jshERP is a comprehensive enterprise resource planning software utilized by businesses to manage and integrate essential parts of their operations. Developed by Jishenghua, it plays a crucial role in streamlining processes across various departments, such as finance, logistics, and human resources. The software provides organizations with tools to optimize their resource utilization and improve overall efficiency. Due to its extensive capabilities, jshERP is commonly adopted by medium to large enterprises looking to enhance their productivity and operational insight. By centralizing data and providing real-time analytics, it supports management in making informed, strategic decisions. As a widely-used solution, ensuring its security is paramount to protect sensitive business information.

Information Disclosure in jshERP allows unauthorized users access to sensitive data, breaching confidentiality and potentially exposing business-critical or personal information. This vulnerability occurs when the application reveals system credentials without requiring authentication. The risk is heightened due to the nature of data handled within ERP systems, which often includes financial records, employee details, and proprietary business data. Exploiting this flaw can lead to unauthorized data access, misuse of information, or further attacks exploiting revealed credentials. Unresolved, it leaves businesses vulnerable to data breaches, compromising the integrity and reputation of the affected organization.

The Information Disclosure vulnerability in jshERP stems from an API endpoint that can be reached without authentication. The vulnerable endpoint is "/jshERP-boot/user/getAllList;.ico", which returns sensitive data such as usernames and passwords. An unauthenticated GET request to this endpoint yields a JSON response disclosing fields such as "username", "loginName", and "password". Because the endpoint performs no authentication check, the flaw requires minimal technical skill to exploit, and it shows that the application's controls over what data it exposes are inadequate.
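The two checks a defender would build from the description above, as an added example (not code from this page or from the jshERP project): a function that inspects a JSON body for the credential fields the page names, which is the disclosure condition a scanner reports on an unauthenticated request, and a function that walks web-server access logs for successful requests that reach the user-list endpoint, normalising away the ";..." suffix so the logged target is matched to the endpoint it actually hits. The JSON body and the log lines are constructed samples; the endpoint path and field names come from the page.

```python
import json
import re
from urllib.parse import urlsplit

# Endpoint named on the page; the ";.ico" suffix is the form the reported request uses.
VULNERABLE_PATH = "/jshERP-boot/user/getAllList"
# Field names the page says appear in the disclosed JSON.
CREDENTIAL_FIELDS = ("username", "loginName", "password")

# Constructed sample shaped like the response the page describes (placeholder values only).
SAMPLE_RESPONSE = json.dumps({
    "code": 200,
    "data": [
        {"id": 1, "username": "admin", "loginName": "admin", "password": "<hash-placeholder>"},
        {"id": 2, "username": "clerk", "loginName": "clerk01"},
    ],
})


def exposed_credential_fields(body: str) -> list[str]:
    """Return the credential field names present anywhere in a JSON response body.

    A non-empty result on an unauthenticated request is the disclosure condition
    a scanner reports. Nested lists and objects are walked recursively."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    found: set[str] = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in CREDENTIAL_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return sorted(found, key=CREDENTIAL_FIELDS.index)


def is_disclosing(body: str) -> bool:
    """True when the body carries a password field, the most severe of the listed fields."""
    return "password" in exposed_credential_fields(body)


def normalize_path(raw_target: str) -> str:
    """Drop the query string and any ';'-delimited suffix on each path segment, so
    "/jshERP-boot/user/getAllList;.ico" collapses to the endpoint it reaches."""
    path = urlsplit(raw_target).path
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed access-log sample: one hit via the suffixed path, one rejected plain
# request, and one unrelated static resource.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 2310
198.51.100.2 - - [01/Jan/2024:10:00:01 +0000] "GET /jshERP-boot/user/getAllList HTTP/1.1" 401 57
198.51.100.2 - - [01/Jan/2024:10:00:05 +0000] "GET /jshERP-boot/static/logo.ico HTTP/1.1" 200 1024
"""


def suspicious_requests(log_text: str) -> list[dict]:
    """Flag 2xx responses for requests whose normalised path is the user-list endpoint,
    recording whether the raw target carried a ';' suffix as in the reported request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        target = match.group("target")
        if normalize_path(target) != VULNERABLE_PATH:
            continue
        status = int(match.group("status"))
        if 200 <= status < 300:
            hits.append({
                "ip": match.group("ip"),
                "target": target,
                "status": status,
                "path_param_suffix": ";" in target,
            })
    return hits


if __name__ == "__main__":
    print("exposed fields:", exposed_credential_fields(SAMPLE_RESPONSE))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The log check normalises the path before comparing because a rule that matches only the literal string on the page misses both the plain endpoint and other suffix variants; matching on the normalised path and then recording the raw target keeps the rule broad while preserving the evidence for triage.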

If exploited, the Information Disclosure vulnerability in jshERP can have severe ramifications. Unauthorized access to system credentials could lead to full system compromise, allowing attackers to manipulate or extract confidential data. The impact extends beyond immediate data breaches, as exposed credentials might enable further unauthorized access to interconnected systems or networks. Financial losses, reputational damage, and compliance violations are plausible outcomes as businesses struggle to contain and remediate such breaches. Moreover, failure to address these risks can result in loss of customer trust and legal penalties, especially if sensitive personal information is involved.
