FAIL › dossier
· dossier confidence 40%
Yonyou is a public Chinese enterprise software vendor with a critical security track record, evidenced by five critical RCE and SQL injection vulnerabilities in the YonBIP v3_23.05 release.
High-risk vendor with a critical concentration of RCE vulnerabilities in the YonBIP v3_23.05 release, indicating a failure to patch known vulnerabilities across multiple interfaces within a single version.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2024-01-20 | CVE-2023-51924 | critical | ⚡RCE | 50 | An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. |
| 2024-01-20 | CVE-2023-51925 | critical | ⚡RCE | 50 | An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. |
| 2024-01-20 | CVE-2023-51906 | critical | ⚡RCE | 50 | An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component. |
| 2024-01-20 | CVE-2023-51928 | critical | ⚡RCE | 50 | An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file. |
| 2024-01-20 | CVE-2023-51927 | critical | 35 | YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method. |
Open questions: Patch status of YonBIP v3_23.05 · Current exploitation status of CVE-2023-51924 through 51928