COOEY // HUBcompliance · community · intelligence

FAIL › dossier

yonbip product

· dossier confidence 20%

YonBIP is a major Chinese ERP platform with a critical security posture, evidenced by five simultaneous critical vulnerabilities (RCE/SQLi) in version 3_23.05 discovered in January 2024.

5
failure events
0
zero-days
4
RCEs
0
on KEV
5
critical
50
worst shame

Profile

Category
Enterprise ERP Software
What they do
YonBIP is a cloud-based enterprise resource planning (ERP) solution developed by Yonyou, providing supply chain, finance, and HR management capabilities for large enterprises.
Website
https://www.yonyou.com

Security posture

Critical vulnerabilities discovered in v3_23.05 within a single day, including multiple RCE and SQLi flaws in core interfaces.

Notable failures
  • CVE-2023-51924: RCE via IResourceManager interface
  • CVE-2023-51925: RCE via ArcpUploadAction method
  • CVE-2023-51906: RCE via ServiceDispatcherServlet
  • CVE-2023-51928: RCE via ArcpUploadAction method
  • CVE-2023-51927: SQL Injection via AttendScriptController
Patterns
Multiple critical RCE vulnerabilities in v3_23.05; Arbitrary file upload vectors in core task monitoring; SQL injection in HR cloud interfaces

Failure history 5 events

DateEventSevFlagsShameSummary
2024-01-20 CVE-2023-51924 critical ⚡RCE 50 An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
2024-01-20 CVE-2023-51925 critical ⚡RCE 50 An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
2024-01-20 CVE-2023-51906 critical ⚡RCE 50 An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component.
2024-01-20 CVE-2023-51928 critical ⚡RCE 50 An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
2024-01-20 CVE-2023-51927 critical 35 YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method.

Dossier sources

Open questions: Patch availability timeline for v3_23.05 · Current version status post-patch · Impact on existing CMMC Level 2 systems