📄 Description (English)
A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such manipulation of the argument fileName leads to path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🤖 AI Executive Summary
A path traversal vulnerability (CWE-22) exists in jishenghua jshERP versions up to 3.6 in the addAccountHeadAndDetail endpoint, allowing remote attackers to manipulate the fileName parameter to access arbitrary files on the system. With a CVSS score of 5.4 (medium) and public exploit disclosure, this poses a moderate risk to organizations using this ERP system. No patch is currently available from the vendor, requiring immediate compensating controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 8, 2026 04:54
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using jshERP, particularly in retail, manufacturing, and SME sectors, face risk of unauthorized file access and potential data exfiltration. Government procurement entities and healthcare facilities using this ERP system could experience disruption to financial and operational records. The vulnerability is particularly concerning for organizations handling sensitive financial data subject to SAMA regulations and NCA compliance requirements. Telecom and energy sector subsidiaries using this system may face operational disruption.
🏢 Affected Saudi Sectors
Retail and E-commerce
Manufacturing and Industrial
Small and Medium Enterprises (SMEs)
Government Procurement
Healthcare
Telecom
Energy
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all instances of jshERP versions up to 3.6 in your environment
2. Restrict network access to the addAccountHeadAndDetail endpoint using WAF rules or network segmentation
3. Implement input validation to reject fileName parameters containing path traversal sequences (../, ..\ , encoded variants)
4. Enable detailed logging and monitoring of all requests to this endpoint
Compensating Controls:
5. Deploy Web Application Firewall (WAF) rules to block requests with path traversal patterns
6. Implement strict file access controls and principle of least privilege for application service accounts
7. Monitor file system access logs for suspicious activity from the jshERP application
8. Isolate jshERP systems on separate network segments with restricted outbound access
Detection Rules:
- Alert on fileName parameters containing: ../, ..\ , %2e%2e, %252e, encoded path separators
- Monitor for file access attempts outside intended application directories
- Track failed authentication attempts and unusual file read operations
Long-term:
9. Contact vendor for patch timeline or consider migration to patched version when available
10. Evaluate alternative ERP solutions with active security support
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ jshERP حتى الإصدار 3.6 في بيئتك
2. تقييد الوصول إلى نقطة نهاية addAccountHeadAndDetail باستخدام قواعد WAF أو تقسيم الشبكة
3. تطبيق التحقق من صحة المدخلات لرفض معاملات fileName التي تحتوي على تسلسلات اجتياز المسار
4. تفعيل السجلات المفصلة والمراقبة لجميع الطلبات إلى هذه النقطة النهائية
الضوابط التعويضية:
5. نشر قواعد جدار الحماية (WAF) لحجب الطلبات التي تحتوي على أنماط اجتياز المسار
6. تطبيق ضوابط الوصول الصارمة ومبدأ الامتياز الأقل للحسابات الخدمية
7. مراقبة سجلات الوصول إلى نظام الملفات للنشاط المريب من تطبيق jshERP
8. عزل أنظمة jshERP على شرائح شبكة منفصلة مع وصول خارجي مقيد
قواعد الكشف:
- تنبيهات على معاملات fileName تحتوي على: ../ أو ..\ أو %2e%2e أو %252e أو فواصل مسار مشفرة
- مراقبة محاولات الوصول إلى الملفات خارج الدلائل المقصودة
- تتبع محاولات المصادقة الفاشلة والعمليات غير العادية لقراءة الملفات
المدى الطويل:
9. التواصل مع البائع للحصول على جدول زمني للتصحيح أو النظر في الترقية عند توفر نسخة مصححة
10. تقييم حلول ERP البديلة مع دعم أمان نشط
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements in third-party agreements
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.5 - Addressing information security in supplier relationships
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset Management and Risk Assessment
SAMA CSF PR.IP-12 - Information and Communication Technology (ICT) Security
SAMA CSF DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - Organizational controls for asset management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure all system components and software are protected from known vulnerabilities
PCI DSS 6.5.1 - Injection flaws prevention (path traversal is file-based injection)
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/jishenghua/jshERP/
cna@vuldb.com
https://github.com/jishenghua/jshERP/issues/154
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-11467
cna@vuldb.com
https://vuldb.com/submit/833656
cna@vuldb.com
https://vuldb.com/vuln/369087
cna@vuldb.com
https://vuldb.com/vuln/369087/cti
cna@vuldb.com