Submit #726464: https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection

Title: https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection
Description: We discovered 32 suspected SQL injection vulnerabilities, all with similar vulnerability patterns, and randomly verified 7 of them. In function co.yixiang.common.service.impl.BaseServiceImpl#getPage, the sort parameter in pageable is ultimately passed to the order parameter of the getPage function within the queryAll function. Take function co.yixiang.modules.system.rest.JobController#getJobs as an example. The process of taint transfer is co.yixiang.modules.system.rest.JobController#getJobs to co.yixiang.modules.system.service.impl.JobServiceImpl#queryAll, then co.yixiang.common.service.impl.BaseServiceImpl#getPage.
Source: https://github.com/guchengwuyue/yshopmall/issues/39#event-21791378521
User: mukyuuhate (UID 93052)
Submission: 12/30/2025 11:44 AM (2 months ago)
Moderation: 01/09/2026 12:42 PM (10 days later)
Status: Accepted
VulDB entry: 340274 [guchengwuyue yshopmall up to 1.9.1 /api/jobs getPage sort sql injection]
Points: 20
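The pattern the submission describes is a pageable "sort" value that flows unchanged into an ORDER BY clause. The following added example is not yshopmall's code and not part of the submission; it is a small stand-alone Java class that contrasts the raw-concatenation form of such a helper with a hardened form that validates the sort string against a strict grammar and an allow-list of sortable columns. The table name, the column allow-list and the Spring-style "field,direction" sort syntax are assumptions chosen for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration (not the project's code): building an ORDER BY clause
// from a caller-supplied pageable "sort" string, unsafe and hardened variants.
public class SortParamExample {

    // Constructed allow-list for a hypothetical "job" table: API field name -> real column.
    private static final Map<String, String> SORTABLE = Map.of(
        "id", "id",
        "name", "name",
        "createTime", "create_time");

    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    // Assumed sort syntax, as Spring Data's Pageable sends it: "field" or "field,asc|desc".
    private static final Pattern SORT_SYNTAX =
        Pattern.compile("^[A-Za-z0-9_]+(,(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    // Unsafe form: the client-controlled sort text becomes part of the SQL statement.
    static String unsafeOrderBy(String sort) {
        if (sort == null || sort.isEmpty()) {
            return "";
        }
        return " ORDER BY " + sort.replace(",", " ");
    }

    // Hardened form: reject anything outside the grammar, resolve the column through
    // the allow-list, and accept only the two direction tokens. The SQL text is then
    // assembled solely from server-side constants, never from the raw input.
    static String safeOrderBy(String sort) {
        if (sort == null || sort.isEmpty()) {
            return "";
        }
        if (!SORT_SYNTAX.matcher(sort).matches()) {
            throw new IllegalArgumentException("malformed sort parameter");
        }
        String[] parts = sort.split(",");
        String column = SORTABLE.get(parts[0]);
        if (column == null) {
            throw new IllegalArgumentException("unknown sort field: " + parts[0]);
        }
        String dir = parts.length > 1 ? parts[1].toLowerCase() : "asc";
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("bad sort direction");
        }
        return " ORDER BY " + column + " " + dir.toUpperCase();
    }

    public static void main(String[] args) {
        String base = "SELECT id, name, create_time FROM job";
        // Constructed inputs: a legitimate sort, a column the API should not expose,
        // and a value that does not fit the expected "field,direction" grammar.
        String[] inputs = {"createTime,desc", "secret_column,desc", "name extra"};
        for (String sort : inputs) {
            System.out.println("sort=" + sort);
            System.out.println("  unsafe: " + base + unsafeOrderBy(sort));
            try {
                System.out.println("  safe:   " + base + safeOrderBy(sort));
            } catch (IllegalArgumentException e) {
                System.out.println("  safe:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the class shows the unsafe helper forwarding every input verbatim into the statement, while the hardened helper accepts only "createTime,desc" and rejects the other two before any SQL is built. Because ORDER BY identifiers cannot be bound as prepared-statement parameters, this allow-list mapping is the usual remediation for sort-parameter injection; a detection rule for the same issue would flag sort values that fail the grammar above rather than trying to enumerate malicious strings.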
