Description

A vulnerability, which was classified as problematic, has been found in Sichuan Yougou Technology KuERP up to 1.0.4. Affected by this issue is the function del_sn_db of the file /application/index/controller/Service.php. The manipulation of the argument file leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-252254 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Eine problematische Schwachstelle wurde in Sichuan Yougou Technology KuERP bis 1.0.4 entdeckt. Hierbei geht es um die Funktion del_sn_db der Datei /application/index/controller/Service.php. Mit der Manipulation des Arguments file mit unbekannten Daten kann eine path traversal: '../filedir'-Schwachstelle ausgenutzt werden. Der Exploit steht zur öffentlichen Verfügung.

Classification

CVE ID: CVE-2024-0989

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected Products

Vendor: Sichuan Yougou Technology

Product: KuERP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 30.55% (scored less or equal to compared to others)

EPSS Date: 2025-06-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0989
https://vuldb.com/?id.252254
https://vuldb.com/?ctiid.252254
https://note.zhaoj.in/share/XKxaJTphW6PB

Timeline