Vulnerability Details CVE-2024-24004
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.5%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2024-24004
-
cpe:2.3:a:jishenghua:jsherp:3.3