| Field | Value |
|---|---|
| Title | https://github.com/sfturing/hosp_order hosp_order latest SQL Injection |
| Description | Hosporder is an open-source hospital appointment registration system that contains unchecked controllable input, which is directly concatenated into the LIKE keyword in SQL statements, leading to SQL injection vulnerabilities. In the function cn.sfturing.dao.HospitalDao#findOrderHosNum, findOrderHosNum has the unverified risk points '%${hospitalAddress}%' and '%${hospitalName}%'. The taint comes from the source 'Hospital hosp', which is in the function 'cn.sfturing.web.HospitalController#orderHos'. It then propagates to the function 'cn.sfturing.service.impl.HospitalServiceImpl#findOrderHosNum' and finally arrives at the taint sink 'cn.sfturing.dao.HospitalDao#findOrderHosNum'. |
| Source | https://github.com/sfturing/hosp_order/issues/111 |
| User | mukyuuhate (UID 93052) |
| Submission | 24.12.2025 14:22 (4 months ago) |
| Moderation | 04.01.2026 09:42 (11 days later) |
| Status | Accepted |
| VulDB Entry | 339483 [sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8 /ssm_pro/orderHos/ findOrderHosNum hospitalAddress/hospitalName SQL Injection] |
| Points | 20 |