jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter column
and order
parameters well enough, and an attacker can construct malicious payload to bypass jshERPβs protection mechanism in safeSqlParse
method for sql injection.