Submission #726464: https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection

Information

Title: https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection
Description: We discovered 32 suspected SQL injection vulnerabilities, all with similar vulnerability patterns, and randomly verified 7 of them. In function co.yixiang.common.service.impl.BaseServiceImpl#getPage, the sort parameter in pageable is ultimately passed to the order parameter in the getPage function within the queryAll function. Take function co.yixiang.modules.system.rest.JobController#getJobs as an example. The process of taint transfer is co.yixiang.modules.system.rest.JobController#getJobs to co.yixiang.modules.system.service.impl.JobServiceImpl#queryAll, then co.yixiang.common.service.impl.BaseServiceImpl#getPage.
Source: https://github.com/guchengwuyue/yshopmall/issues/39#event-21791378521
User: mukyuuhate (UID 93052)
Submission: 30/12/2025 11:44 (4 months ago)
Moderation: 09/01/2026 12:42 (10 days later)
Status: Accepted
VulDB Entry: 340274 [guchengwuyue yshopmall up to 1.9.1 /api/jobs getPage sort SQL Injection]
Points: 20