CVE-2024-24003

Name of the Vulnerable Software and Affected Versions jshERP version 3.3

Description The issue concerns a SQL Injection vulnerability. Specifically, the findInOutMaterialCount() function in com.jsh.erp.controller.DepotHeadController does not adequately filter the column and order parameters, allowing an attacker to construct a malicious payload to bypass the protection mechanism in the safeSqlParse method for SQL injection.

Recommendations For jshERP version 3.3, as a temporary workaround, consider disabling the findInOutMaterialCount() function until a patch is available. Restrict access to the com.jsh.erp.controller.DepotHeadController to minimize the risk of exploitation. Avoid using the parameters column and order in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.