CVE-2024-24001

Name of the Vulnerable Software and Affected Versions jshERP version 3.3

Description The issue allows an attacker to construct a malicious payload to bypass the protection mechanism of jshERP via the com.jsh.erp.controller.DepotHeadController and the findallocationDetail() function of com.jsh.erp.utils.BaseResponseInfo, enabling SQL Injection.

Recommendations For jshERP version 3.3, as a temporary workaround, consider disabling the findallocationDetail() function until a patch is available. Restrict access to the com.jsh.erp.controller.DepotHeadController to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.