A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Affected is the function uploadStudioFile of the component com.artery.form.services.FormStudioUpdater. This manipulation of the argument filepath causes path traversal. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://github.com/FightingLzn9/vul/blob/main/%E6%97%B6%E7%A9%BA%E6%99%BA%E5%8F%8Berp-2.md | Exploit Third Party Advisory |
| https://vuldb.com/?ctiid.326216 | Permissions Required VDB Entry |
| https://vuldb.com/?id.326216 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.658077 | Third Party Advisory VDB Entry |
Configurations
History
03 Oct 2025, 18:19
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/FightingLzn9/vul/blob/main/%E6%97%B6%E7%A9%BA%E6%99%BA%E5%8F%8Berp-2.md - Exploit, Third Party Advisory | |
| References | () https://vuldb.com/?ctiid.326216 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.326216 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.658077 - Third Party Advisory, VDB Entry | |
| First Time |
Zhiyou-group zhiyou Erp
Zhiyou-group |
|
| CPE | cpe:2.3:a:zhiyou-group:zhiyou_erp:*:*:*:*:*:*:*:* |
29 Sep 2025, 04:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-29 04:15
Updated : 2025-10-03 18:19
NVD link : CVE-2025-11139
Mitre link : CVE-2025-11139
CVE.ORG link : CVE-2025-11139
JSON object : View
Products Affected
zhiyou-group
- zhiyou_erp
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')