jshERP Endpoint deleteBatch improper authorization_CVE-2025-8840

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947.

AI Analysis

A vulnerability in jshERP up to version 3.5 allows improper authorization in the deleteBatch endpoint, enabling remote attackers to exploit the system.

Basic Information

ID CVE-2025-8840

Source VulDB

Published Aug 11, 2025 at 09:32

Affected Product

Vendor n/a

Product jshERP

Version 3.0

Affected Versions n/a jshERP 3.0
n/a jshERP 3.1
n/a jshERP 3.2
n/a jshERP 3.3
n/a jshERP 3.4
n/a jshERP 3.5

CWE Classification

CWE-285 CWE-266

AI Assessment

AI Severity Medium

Vendor jshERP Community

Product jshERP

Version 3.0, 3.1, 3.2, 3.3, 3.4, 3.5

References

{
    "lastseen": "",
    "description": "A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947.",
    "published": "2025-08-11T09:32:05.802Z",
    "modified": "2025-08-11T09:32:05.802Z",
    "type": "cve",
    "title": "jshERP Endpoint deleteBatch improper authorization",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.319374\nhttps://vuldb.com/?ctiid.319374\nhttps://vuldb.com/?submit.622573\nhttps://vuldb.com/?submit.622621\nhttps://github.com/jishenghua/jshERP/issues/126",
    "id": "CVE-2025-8840",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285",
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "n/a jshERP 3.0\nn/a jshERP 3.1\nn/a jshERP 3.2\nn/a jshERP 3.3\nn/a jshERP 3.4\nn/a jshERP 3.5",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jshERP",
    "version": "3.0",
    "vendor": "n/a",
    "ai_description": "A vulnerability in jshERP up to version 3.5 allows improper authorization in the deleteBatch endpoint, enabling remote attackers to exploit the system.",
    "ai_severity": "Medium",
    "ai_vendor": "jshERP Community",
    "ai_product": "jshERP",
    "ai_version": "3.0, 3.1, 3.2, 3.3, 3.4, 3.5",
    "ai_score": 0
}