jshERP jshERP v3.6 SQL Injectionالمعلومات

عنوان	https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection
الوصف	In MyBatis when accessing interface "com.jsh.erp.datasource.mappers.DepotItemMapperEx#getBillItemByParam", there is direct replacement concatenation using ${}. Construct a special Excel file and place the attack fields into it. By sending the file through request route "/jshERP-boot/depotItem/importItemExcel", the attack fields are injected into the SQL statement without being validated or sanitized, leading to a risk.
المصدر	⚠️ https://github.com/jishenghua/jshERP/issues/145
المستخدم	mukyuuhate (UID 93052)
ارسال	15/01/2026 11:30 AM (5 أشهر منذ)
الاعتدال	28/01/2026 04:26 PM (13 days later)
الحالة	تمت الموافقة
إدخال VulDB	343230 [jishenghua jshERP حتى 3.6 com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam barCodes حقن SQL]
النقاط	20

Interested in the pricing of exploits?

See the underground prices here!