CVE-2024-24002

Name of the Vulnerable Software and Affected Versions jshERP version 3.3

Description The issue is related to SQL Injection. The com.jsh.erp.controller.MaterialController, specifically the getListWithStock() function, does not properly filter the column and order parameters, allowing an attacker to construct a malicious payload to bypass the protection mechanism in the safeSqlParse method for SQL injection.

Recommendations For jshERP version 3.3, as a temporary workaround, consider disabling the getListWithStock() function in the MaterialController until a patch is available. Restrict access to the column and order parameters in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.