CVE-2025-67341 is a stored cross-site scripting (XSS) vulnerability identified in jshERP versions 3.5 and earlier. The vulnerability arises because the application allows uploading PDF files that can embed malicious JavaScript payloads. These PDFs are then served via static URLs accessible to all users, enabling the stored XSS attack vector. When a user accesses the malicious PDF, the embedded script executes in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the ERP system. The vulnerability requires an attacker to have low privileges (PR:L) to upload the malicious PDF and requires user interaction (UI:R) to trigger the payload. The attack vector is network-based (AV:N), meaning the attacker can exploit it remotely. The CVSS 3.1 base score is 4.6, indicating a medium severity level, with impacts primarily on confidentiality and integrity but no direct impact on availability. No patches or known exploits are currently reported, but the vulnerability represents a risk due to the widespread use of ERP systems and the sensitive nature of data handled. The CWE-79 classification confirms this is a classic XSS issue, emphasizing the need for input validation and output encoding. The static URL access to uploaded PDFs increases the attack surface, as any user with the URL can trigger the malicious script. This vulnerability highlights the importance of secure file handling and content sanitization in web applications, especially ERP platforms that manage critical business data.

For European organizations, this vulnerability poses a moderate risk to the confidentiality and integrity of ERP system data. Attackers exploiting this flaw could steal session tokens, impersonate users, or perform unauthorized actions within jshERP, potentially leading to data leakage or manipulation of business-critical information. Since ERP systems often integrate with financial, HR, and operational data, the impact could extend to regulatory compliance issues such as GDPR violations if personal data is exposed. The requirement for low privileges to upload files means insider threats or compromised accounts could be leveraged to exploit this vulnerability. The static URLs make it easier for attackers to share malicious links internally or externally, increasing the likelihood of successful phishing or social engineering campaigns. Although availability is not directly impacted, the trustworthiness and integrity of the ERP system could be undermined, affecting business operations and decision-making. European organizations in manufacturing, logistics, and services sectors that rely on jshERP are particularly at risk, especially if they have not implemented strict file upload controls or content sanitization.

1. Implement strict file upload validation to restrict allowed file types and scan uploaded PDFs for embedded scripts or suspicious content. 2. Sanitize and validate all user inputs related to file uploads and metadata to prevent injection of malicious payloads. 3. Apply output encoding and Content Security Policy (CSP) headers to limit script execution from untrusted sources. 4. Restrict access to uploaded PDF files by implementing authentication and authorization checks rather than serving them via public static URLs. 5. Monitor and log file upload activities to detect anomalous behavior or unauthorized uploads. 6. Educate users about the risks of clicking on untrusted links, especially those pointing to uploaded documents. 7. Regularly update jshERP to the latest versions once patches become available and subscribe to vendor security advisories. 8. Employ web application firewalls (WAFs) with rules to detect and block XSS payloads in file uploads and HTTP requests. 9. Conduct periodic security assessments and penetration testing focusing on file upload functionalities. 10. Isolate ERP systems and limit network exposure to reduce the attack surface.