Unknown · Bjskzy Zhiyou ERP · CVE-2026-1218
**Name of the Vulnerable Software and Affected Versions**
Bjskzy Zhiyou ERP versions prior to 11.0
**Description**
A flaw in Bjskzy Zhiyou ERP allows XML external entity (XXE) reference manipulation. The issue is in the `initRCForm` function in the `RichClientService.class` file of the `com.artery.richclient.RichClientService` component. The attack can be carried out remotely. The exploit is publicly available. The vendor was notified but did not respond.
**Recommendations**
Versions prior to 11.0 should be updated. As a temporary workaround, consider restricting access to the `RichClientService` component to minimize the risk of exploitation.