CVE-2025-67344
📋 TL;DR
jshERP v3.5 and earlier contains a stored XSS vulnerability in the /msg/add endpoint that allows attackers to inject malicious scripts. When exploited, these scripts execute in victims' browsers, potentially stealing session cookies or performing unauthorized actions. This affects all users of vulnerable jshERP installations.
💻 Affected Systems
- jshERP
📦 What is this software?
Jsherp by Jishenghua
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system access, exfiltrate sensitive business data, and compromise user accounts through credential theft.
Likely Case
Attackers steal user session cookies to hijack accounts, perform unauthorized actions within the ERP system, and potentially access sensitive business information.
If Mitigated
Script execution is blocked by CSP headers or browser protections, limiting impact to minor UI disruption or failed attack attempts.
🎯 Exploit Status
The GitHub issue includes a proof of concept. XSS payloads are simple to craft and execute once an attacker can access the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/jishenghua/jshERP/issues/140
Restart Required: No
Instructions:
1. Monitor the GitHub repository for updates.
2. Apply any security patches when released.
3. Test in a development environment before production deployment.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation and output encoding for the /msg/add endpoint parameters.
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources.
Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Disable or restrict access to the /msg/add endpoint using web application firewall rules.
- Implement network segmentation to isolate jshERP from sensitive systems and limit lateral movement potential.
🔍 How to Verify
Check if Vulnerable:
Test the /msg/add endpoint with XSS payloads like <script>alert('XSS')</script> and check if script executes when viewing messages.
Check Version:
Check jshERP version in admin panel or configuration files.
Verify Fix Applied:
Retest with same XSS payloads after applying fixes; scripts should be properly sanitized and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /msg/add with script tags or JavaScript code
- Multiple failed login attempts followed by message creation
Network Indicators:
- HTTP requests containing script tags or JavaScript in POST body to /msg/add endpoint
SIEM Query:
source="web_logs" AND uri_path="/msg/add" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
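To make the log indicators above actionable, here is an added example (not from the advisory or the jshERP project) that applies the SIEM query's logic to constructed access-log lines, URL-decoding the request body first so encoded forms of the same markers are not missed. The JSON log field names and the form parameter names are assumptions.

```python
import json
import re
from urllib.parse import unquote_plus

# Markers mirroring the SIEM query ("<script>" and "javascript:"), matched
# case-insensitively on the decoded body rather than by raw substring.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def normalize(body: str) -> str:
    """URL-decode the body once; a plain CONTAINS on the raw body misses %3Cscript%3E."""
    return unquote_plus(body)


def is_suspicious_msg_add(line: str) -> bool:
    """True for a POST to /msg/add whose decoded body carries a script marker.
    Field names (method, uri_path, body) are assumed for a JSON-per-line access log."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return False
    if rec.get("method") != "POST" or rec.get("uri_path") != "/msg/add":
        return False
    return bool(SUSPICIOUS.search(normalize(rec.get("body", ""))))


def scan(lines):
    """Return (src_ip, decoded body) for each line worth alerting on."""
    hits = []
    for line in lines:
        if is_suspicious_msg_add(line):
            rec = json.loads(line)
            hits.append((rec.get("src_ip"), normalize(rec.get("body", ""))))
    return hits


# Constructed sample lines, not captured traffic; msgTitle/msgContent are assumed names.
SAMPLE_LOGS = [
    '{"src_ip":"10.0.0.5","method":"POST","uri_path":"/msg/add","body":"msgTitle=Reminder&msgContent=Meeting+at+3"}',
    '{"src_ip":"10.0.0.9","method":"POST","uri_path":"/msg/add","body":"msgTitle=x&msgContent=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E"}',
    '{"src_ip":"10.0.0.9","method":"POST","uri_path":"/msg/add","body":"msgTitle=x&msgContent=javascript%3Aalert(%27XSS%27)"}',
    '{"src_ip":"10.0.0.7","method":"POST","uri_path":"/user/login","body":"loginName=%3Cscript%3E&password=x"}',
    '{"src_ip":"10.0.0.5","method":"POST","uri_path":"/msg/add","body":"msgTitle=Course&msgContent=Learn+JavaScript+today"}',
]

if __name__ == "__main__":
    for src_ip, body in scan(SAMPLE_LOGS):
        print(f"ALERT stored-XSS attempt on /msg/add from {src_ip}: {body}")
```

The last two sample lines show the two false positives the raw query avoids by design: a script tag sent to a different path, and a benign message that merely mentions JavaScript without the `javascript:` scheme.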