Litemall · Litemall · CVE-2024-6452
**Name of the Vulnerable Software and Affected Versions**
litemall versions up to 1.8.0
**Description**
A critical issue was found in the `AdminGoodscontroller.java` file: manipulation of the `goodsId`, `goodsSn`, and `name` arguments leads to SQL injection. The issue can be exploited remotely.
**Recommendations**
If you run litemall 1.8.0 or earlier, update to a version that fixes this issue to prevent SQL injection attacks. As a temporary workaround, consider restricting access to the functionality implemented in `AdminGoodscontroller.java`, or validating user input for the `goodsId`, `goodsSn`, and `name` arguments, to minimize the risk of exploitation.
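One way to apply the input-validation workaround, as an added example that is not litemall's own code: allow-list checks for the three arguments named above. The class name, method names and accepted formats are assumptions and must be adjusted to the values your deployment actually uses.

```java
import java.util.regex.Pattern;

// Added illustration, not litemall code. The accepted formats are assumptions.
public class GoodsQueryValidator {
    // Assumed: goodsId is a positive integer of at most 10 digits.
    private static final Pattern GOODS_ID = Pattern.compile("[1-9][0-9]{0,9}");
    // Assumed: goodsSn uses ASCII letters, digits, '-' and '_' only.
    private static final Pattern GOODS_SN = Pattern.compile("[A-Za-z0-9_-]{1,63}");
    // Assumed: name is letters, digits and spaces in any script.
    private static final Pattern NAME = Pattern.compile("[\\p{L}\\p{N} ]{1,127}");

    // Returns null for an absent optional filter, the value if it matches
    // the allow-list, and throws otherwise so the request can be rejected.
    private static String check(String field, String value, Pattern allowed) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        if (!allowed.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid value for " + field);
        }
        return value;
    }

    public static String goodsId(String v) { return check("goodsId", v, GOODS_ID); }
    public static String goodsSn(String v) { return check("goodsSn", v, GOODS_SN); }
    public static String name(String v)    { return check("name", v, NAME); }

    public static void main(String[] args) {
        // Constructed sample inputs: {parameter, value}.
        String[][] samples = {
            {"goodsId", "1181000"}, {"goodsId", "12;3"},
            {"goodsSn", "SN-1001"}, {"goodsSn", "SN-1001'"},
            {"name", "cotton towel 2"}, {"name", "towel%' --"},
        };
        for (String[] s : samples) {
            try {
                switch (s[0]) {
                    case "goodsId": goodsId(s[1]); break;
                    case "goodsSn": goodsSn(s[1]); break;
                    default:        name(s[1]);
                }
                System.out.println("accept " + s[0] + "=" + s[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s[0] + "=" + s[1]);
            }
        }
    }
}
```

Run the check before the value reaches any query and reject the request on failure; it narrows exposure until the update is applied.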