CVE-2025-7948 | THREATINT

Description

A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

In jshERP bis 3.5 wurde eine problematische Schwachstelle entdeckt. Hierbei betrifft es unbekannten Programmcode der Datei /jshERP-boot/user/updatePwd. Durch die Manipulation mit unbekannten Daten kann eine weak password recovery-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.

PUBLISHED Reserved 2025-07-21 | Published 2025-07-22 | Updated 2025-07-22 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

MEDIUM: 4.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

4.0AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR

Problem types

Weak Password Recovery

Timeline

2025-07-21:	Advisory disclosed
2025-07-21:	VulDB entry created
2025-07-21:	VulDB entry last update

Credits

ZAST.AI (VulDB User) reporter

References

github.com/jishenghua/jshERP/issues/123 exploit

vuldb.com/?id.317089 (VDB-317089 | jshERP updatePwd password recovery) vdb-entry

vuldb.com/?ctiid.317089 (VDB-317089 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.619277 (Submit #619277 | jishenghua https://github.com/jishenghua/jshERP <=3.5 IDOR (arbitrary password reset)) third-party-advisory

github.com/jishenghua/jshERP/issues/123 exploit issue-tracking

cve.org (CVE-2025-7948)

nvd.nist.gov (CVE-2025-7948)

Download JSON