PT-2025-50955 · Jsherp · Jsherp

Arron-Bit · Published 2025-12-12 · Updated 2025-12-19 · CVE-2025-67344

CVSS v3.1: 4.6 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

jshERP versions prior to 3.5

Description

The software is susceptible to a stored cross-site scripting (XSS) issue, reachable through the /msg/add API endpoint. An attacker could potentially inject malicious scripts that are then stored and executed when other users access the affected functionality. The vulnerable parameter is not specified.

Recommendations

Update to a version newer than 3.5. As a temporary workaround, consider restricting access to the /msg/add endpoint until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-67344

Affected Products

Jsherp