CVE-2025-55367

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to modify supplier status information in jshERP v3.5 without proper authentication. The flaw is in the SupplierController.java component, where the access control on the supplier status-modification endpoint is not enforced correctly. Every jshERP v3.5 installation that has not applied the fix is affected.

💻 Affected Systems

Products:
  • jshERP
Versions: v3.5
Operating Systems: Any OS running jshERP
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of jshERP v3.5 are vulnerable unless patched.

📦 What is this software?

jshERP is an open-source ERP system written in Java (Spring Boot backend) and published at the GitHub repository linked below; it covers purchasing, sales, inventory and supplier management for small and medium-sized businesses. Supplier records, including their enabled/disabled status, are managed through SupplierController.java, the component this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could disrupt supply chain operations by disabling critical suppliers, causing business disruption and financial loss.

🟠

Likely Case

Unauthorized modification of supplier status data leading to operational confusion and potential data integrity issues.

🟢

If Mitigated

With proper access controls, only authorized users can modify supplier status, maintaining data integrity.

🌐 Internet-Facing: HIGH when the application is reachable from the internet, since the affected endpoint can be called without valid credentials.
🏢 Internal Only: MEDIUM, because anyone with network access to the application (a malicious insider or a compromised internal host) can still exploit it to disrupt operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (the description above and the note below both state that no authentication is required)
Complexity: MEDIUM

Exploitation requires knowing the application's API endpoint for supplier status changes (the request mapping in SupplierController.java) and the parameters it expects, but it does not require credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.6 or later

Vendor Advisory: https://github.com/jishenghua/jshERP

Restart Required: Yes in practice. SupplierController.java is compiled into the backend, so the fix only takes effect after the application is rebuilt and redeployed, which restarts the service.

Instructions:

1. Back up the current installation (application files and database).
2. Download the latest version from the official repository.
3. Replace the affected SupplierController.java with the patched version, or upgrade the whole application, then rebuild and redeploy.
4. Verify functionality, including that supplier status changes are rejected without a valid session (see "How to Verify" below).

🔧 Temporary Workarounds

Network Access Restriction (applies to: all platforms)

Restrict network access to the jshERP application to trusted IP ranges only, at the firewall or reverse proxy. This does not fix the missing check; it limits who can reach it.

Web Application Firewall Rules (applies to: all platforms)

Add WAF rules that block POST/PUT requests to the supplier status-modification endpoint unless they carry a valid session cookie or token. The endpoint path must be taken from the request mapping in SupplierController.java, and the rule should be treated as a stopgap: the application itself still performs no check.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate jshERP from untrusted networks
  • Enable detailed logging and monitoring for supplier status modification attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment runs jshERP v3.5, and review SupplierController.java for supplier status-modification endpoints that are reachable without an authentication or authorization check.

Check Version:

Check application version in admin panel or review application.properties file

Verify Fix Applied:

Test supplier status modification without authentication - should be denied. Verify version is v3.6 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST/PUT requests to supplier status endpoints
  • Multiple failed authentication attempts followed by supplier status changes

Network Indicators:

  • Unusual patterns of supplier status modification requests
  • Requests to supplier endpoints from unexpected IP addresses

SIEM Query:

source="jshERP" AND method IN ("POST","PUT") AND (uri="/supplier/status" OR uri="/supplier/update") AND NOT user=*

The uri values are placeholders; substitute the actual request mappings from SupplierController.java. `NOT user=*` (Splunk-style) matches events with no user field, i.e. requests that carried no authenticated session; adjust the field name to whatever your proxy or application log records.
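As an added example (not code from the jshERP project or the advisory), the script below applies the log and network indicators listed above to access-log lines. The log line format, the endpoint paths (placeholders, to be replaced with the real mappings from SupplierController.java), the trusted network range and the sample log are all constructed for this example.

```python
"""Added example (not jshERP project code): apply the advisory's log and network
indicators to access-log lines.

Everything below the imports is an assumption for the example: the log line
format, the endpoint paths (take the real mappings from SupplierController.java),
the trusted network range and the sample log itself are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

SUPPLIER_STATUS_PATHS = {"/supplier/status", "/supplier/update"}  # placeholders
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]             # example trusted range
FAILURE_WINDOW = timedelta(minutes=5)
FAILURE_THRESHOLD = 3

# Constructed sample log: "<iso-timestamp> <client-ip> <user|-> <method> <path> <status>"
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 10.0.0.5 alice POST /supplier/status 200
2025-09-01T10:00:05Z 203.0.113.7 - POST /supplier/status 200
2025-09-01T10:01:00Z 10.0.0.9 - POST /login 401
2025-09-01T10:01:10Z 10.0.0.9 - POST /login 401
2025-09-01T10:01:20Z 10.0.0.9 - POST /login 401
2025-09-01T10:02:00Z 10.0.0.9 bob PUT /supplier/update 200
2025-09-01T10:03:00Z 10.0.0.5 alice GET /supplier/list 200
"""


def parse(line: str) -> Dict:
    """Split one log line into fields; a user of '-' means no authenticated session."""
    ts, ip, user, method, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "user": None if user == "-" else user,
        "method": method,
        "path": path,
        "status": int(status),
    }


def is_trusted(ip: str) -> bool:
    """Network indicator: does the source fall inside a trusted range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines: List[str]) -> List[Dict]:
    """Return one alert dict per indicator hit, in log order."""
    alerts: List[Dict] = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent 401/403 responses

    def prune(ip: str, now: datetime) -> None:
        q = failures[ip]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    for line in lines:
        ev = parse(line)
        ip, ts = ev["ip"], ev["ts"]
        prune(ip, ts)
        if ev["status"] in (401, 403):
            failures[ip].append(ts)  # remember the failure; a denied request is not a change
            continue
        is_change = (ev["method"] in ("POST", "PUT")
                     and ev["path"] in SUPPLIER_STATUS_PATHS
                     and 200 <= ev["status"] < 300)
        if not is_change:
            continue
        base = {"ts": ts.isoformat(), "ip": ip, "path": ev["path"], "user": ev["user"]}
        if ev["user"] is None:
            alerts.append({"rule": "unauthenticated_change", **base})
        if len(failures[ip]) >= FAILURE_THRESHOLD:
            alerts.append({"rule": "auth_failures_then_change", **base})
        if not is_trusted(ip):
            alerts.append({"rule": "untrusted_source", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this raises three alerts: the change from 203.0.113.7 with no user fires both `unauthenticated_change` and `untrusted_source`, and bob's change from 10.0.0.9 fires `auth_failures_then_change` because three 401 responses preceded it within the five-minute window. The `unauthenticated_change` rule is the direct indicator for this CVE; the other two are supporting signals and will need tuning to your environment.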
