VYPR
Critical severity9.8NVD Advisory· Published Feb 7, 2024· Updated Jun 17, 2026

CVE-2024-24002

CVE-2024-24002

Description

jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter column and order parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in safeSqlParse method for sql injection.

Affected products

2
  • jshERP/jshERPcpe-rescue2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: =3.3

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.