Submit #739688: https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injectioninfo

Titelhttps://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection
BeschreibungIn MyBatis when accessing interface "com.jsh.erp.datasource.mappers.DepotItemMapperEx#getBillItemByParam", there is direct replacement concatenation using ${}. Construct a special Excel file and place the attack fields into it. By sending the file through request route "/jshERP-boot/depotItem/importItemExcel", the attack fields are injected into the SQL statement without being validated or sanitized, leading to a risk.
Quelle⚠️ https://github.com/jishenghua/jshERP/issues/145
Benutzer
 mukyuuhate (UID 93052)
Einreichung15.01.2026 11:30 (vor 5 Monaten)
Moderieren28.01.2026 16:26 (13 days later)
StatusAkzeptiert
VulDB Eintrag343230 [jishenghua jshERP bis 3.6 com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam barCodes SQL Injection]
Punkte20

ZurückÜbersichtWeiter

Want to know what is going to be exploited?

We predict KEV entries!