Bjskzy Zhiyou ERP XML External Entity Injection Vulnerability in RichClientService Component

Vulnerability

An XML External Entity (XXE) injection vulnerability has been identified in Bjskzy Zhiyou ERP versions through 11.0. The issue resides in the RichClientService component, specifically in the initRCForm function of the RichClientService.class file. The vulnerability can be exploited remotely: an attacker can supply an XML document whose external entity declarations are processed by the application's parser, potentially causing it to reference external documents and embed their contents in its output.

Impact

Exploitation of this vulnerability allows XML External Entity injection: an attacker who controls the XML data processed by the component can declare external entities and have them resolved. This could lead to the application reading and disclosing sensitive data from external sources, or to denial-of-service conditions.
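As an added illustration (not code from the Zhiyou ERP product), the following Java program shows the difference between a default JAXP DOM parser, which resolves an external entity and embeds the referenced file's content, and a hardened factory configuration that refuses any DOCTYPE before an entity can be declared. The entity target is a constructed temporary file, and the class and method names are the example's own.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeParserCheck {
    // Hardened factory: a DOCTYPE is refused outright, so no external entity can be
    // declared; the remaining settings are defence in depth for other parser builds.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }
    // Parses the form document and returns the text of its single field,
    // or null when the parser rejects the document.
    static String fieldText(DocumentBuilderFactory f, String xml) {
        try {
            Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (Exception e) {          // SAXParseException on the DOCTYPE for the hardened factory
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a throw-away local file stands in for whatever an external entity
        // might reference; the DTD in the document below points at it.
        Path local = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(local, "LOCAL-FILE-CONTENT");
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE form [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
            + "<form><field>&ext;</field></form>";
        // Default JAXP settings resolve the entity and embed the file's content in the DOM.
        String unsafe = fieldText(DocumentBuilderFactory.newInstance(), xml);
        // The hardened factory rejects the document before any entity is read.
        String safe = fieldText(hardenedFactory(), xml);
        System.out.println("default parser embedded file content: " + "LOCAL-FILE-CONTENT".equals(unsafe));
        System.out.println("hardened parser rejected document:   " + (safe == null));
        Files.delete(local);
    }
}
```

The same feature and attribute settings apply to SAXParserFactory and XMLInputFactory; whichever JAXP entry point a component uses must be configured before it parses untrusted input.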

Added: Jan 20, 2026, 6:21 AM
Updated: Jan 20, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 8.0
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.