| Название | https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection |
|---|
| Описание | In MyBatis when accessing interface "com.jsh.erp.datasource.mappers.DepotItemMapperEx#getBillItemByParam", there is direct replacement concatenation using ${}. Construct a special Excel file and place the attack fields into it. By sending the file through request route "/jshERP-boot/depotItem/importItemExcel", the attack fields are injected into the SQL statement without being validated or sanitized, leading to a risk. |
|---|
| Источник | ⚠️ https://github.com/jishenghua/jshERP/issues/145 |
|---|
| Пользователь | mukyuuhate (UID 93052) |
|---|
| Представление | 15.01.2026 11:30 (5 месяцы назад) |
|---|
| Модерация | 28.01.2026 16:26 (13 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 343230 [jishenghua jshERP до 3.6 com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam barCodes SQL-инъекция] |
|---|
| Баллы | 20 |
|---|