FAIL › dossier
· dossier confidence 20%
YonBIP is a major Chinese ERP platform with a critical security posture, evidenced by five simultaneous critical vulnerabilities (RCE/SQLi) in version 3_23.05 discovered in January 2024.
Critical vulnerabilities discovered in v3_23.05 within a single day, including multiple RCE and SQLi flaws in core interfaces.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2024-01-20 | CVE-2023-51924 | critical | ⚡RCE | 50 | An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. |
| 2024-01-20 | CVE-2023-51925 | critical | ⚡RCE | 50 | An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. |
| 2024-01-20 | CVE-2023-51906 | critical | ⚡RCE | 50 | An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component. |
| 2024-01-20 | CVE-2023-51928 | critical | ⚡RCE | 50 | An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. |
| 2024-01-20 | CVE-2023-51927 | critical | 35 | YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method. |
Open questions: Patch availability timeline for v3_23.05 · Current version status post-patch · Impact on existing CMMC Level 2 systems