PT-2025-40400 · Yoshop · Yoshop

Zywac · Published 2025-10-02 · Updated 2025-10-07 · CVE-2025-56162

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: YOSHOP version 2.0

Description: The software is susceptible to an unauthenticated SQL injection through the goodsIds parameter of the /api/goods/listByIds API endpoint. The getListByIds function improperly concatenates user-supplied input into a database query, specifically within orderRaw('field(goods_id, ...)'). This allows attackers to potentially enumerate or modify database data, including obtaining admin password hashes. Exploitation may also enable writing web-shell files or invoking xp_cmdshell, potentially leading to remote code execution on servers where the database account has elevated privileges.

Recommendations: Apply a fix that properly validates user input for the goodsIds parameter of the /api/goods/listByIds endpoint. Address the improper concatenation of user input within the getListByIds function. Review and restrict database privileges to minimize the impact of potential exploitation.
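The following PHP is an added example illustrating the recommended fix; it is not Yoshop's code, and the function names and the assumption that goodsIds arrives as a comma-separated string are illustrative. It shows the unsafe concatenation pattern the advisory describes next to a hardened version that accepts only integer IDs and hands them to the query layer as bindings.

```php
<?php
// Added example, not Yoshop's code. Function names are illustrative; the only
// identifier taken from the advisory is the goods_id column used in FIELD().
declare(strict_types=1);

/**
 * The vulnerable pattern described in the advisory: the raw request value is
 * spliced straight into the ORDER BY fragment, so anything the client sends
 * becomes part of the SQL statement.
 */
function buildOrderByVulnerable(string $goodsIds): string
{
    return 'field(goods_id, ' . $goodsIds . ')';
}

/**
 * Hardened input handling: accept only a comma-separated list of unsigned
 * integers, de-duplicate it and cap its length. Anything else throws, so the
 * controller can answer HTTP 400 instead of reaching the database.
 */
function parseGoodsIds(string $goodsIds, int $maxIds = 100): array
{
    $ids = [];
    foreach (explode(',', $goodsIds) as $part) {
        $part = trim($part);
        // ctype_digit rejects signs, quotes, spaces, parentheses and SQL comment
        // tokens; the length cap keeps the value inside a 64-bit integer.
        if ($part === '' || !ctype_digit($part) || strlen($part) > 18) {
            throw new InvalidArgumentException(
                'goodsIds must be a comma-separated list of integer IDs'
            );
        }
        $ids[] = (int) $part;
    }
    $ids = array_values(array_unique($ids));
    if (count($ids) === 0 || count($ids) > $maxIds) {
        throw new InvalidArgumentException('goodsIds count out of range');
    }
    return $ids;
}

/**
 * Builds the ORDER BY fragment from validated integers only. The SQL text
 * contains nothing but placeholders; the values are returned separately so
 * the query layer binds them as parameters rather than interpolating them.
 */
function buildOrderBySafe(array $ids): array
{
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    return [
        'sql'      => 'field(goods_id, ' . $placeholders . ')',
        'bindings' => $ids,
    ];
}

// Constructed sample inputs: one well-formed list and one that must be rejected.
$fragment = buildOrderBySafe(parseGoodsIds('12, 7,7,3'));
echo $fragment['sql'], PHP_EOL;
echo implode(',', $fragment['bindings']), PHP_EOL;

try {
    parseGoodsIds('1,abc');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

If the query builder in use supports bindings for raw order fragments, pass `$fragment['bindings']` through that mechanism; if it does not, imploding the integer array returned by parseGoodsIds is still safe, because every element has already been reduced to an int and can no longer carry SQL syntax. The second recommendation, running the application under a database account without file-write or command-execution privileges, limits what an injection can reach even if a validation bug slips through.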

Tags: Exploit · Fix · RCE · SQL injection

Weakness Enumeration

Related Identifiers: CVE-2025-56162

Affected Products: Yoshop