COOEY // HUBcompliance · community · intelligence

FAIL › dossier

yonyou vendor

· dossier confidence 40%

Yonyou is a public Chinese enterprise software vendor with a critical security track record, evidenced by five critical RCE and SQL injection vulnerabilities in the YonBIP v3_23.05 release.

5
failure events
0
zero-days
4
RCEs
0
on KEV
5
critical
50
worst shame

Profile

Category
Enterprise Software Vendor
What they do
Yonyou Network Technology Co., Ltd. is a Chinese public company specializing in enterprise resource planning (ERP) and business management software, including the YonBIP and NC Cloud platforms.
Ownership
public
Website
https://www.yonyou.com

Security posture

High-risk vendor with a critical concentration of RCE vulnerabilities in the YonBIP v3_23.05 release, indicating a failure to patch known vulnerabilities across multiple interfaces within a single version.

Notable failures
  • CVE-2023-51924: RCE via IResourceManager interface
  • CVE-2023-51925: RCE via ArcpUploadAction.doAction()
  • CVE-2023-51906: RCE via ServiceDispatcherServlet
  • CVE-2023-51928: RCE via ArcpUploadAction.doAction()
  • CVE-2023-51927: SQL Injection via AttendScriptController
Patterns
Multiple critical RCE vulnerabilities in YonBIP v3_23.05; Arbitrary file upload vectors enabling code execution; SQL injection in HR/attendance modules

Failure history 5 events

DateEventSevFlagsShameSummary
2024-01-20 CVE-2023-51924 critical ⚡RCE 50 An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
2024-01-20 CVE-2023-51925 critical ⚡RCE 50 An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
2024-01-20 CVE-2023-51906 critical ⚡RCE 50 An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component.
2024-01-20 CVE-2023-51928 critical ⚡RCE 50 An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
2024-01-20 CVE-2023-51927 critical 35 YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method.

Dossier sources

Open questions: Patch status of YonBIP v3_23.05 · Current exploitation status of CVE-2023-51924 through 51928