Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
YOSHOP 2.0 suffers from an unauthenticated SQL injection in the goodsIds parameter of the /api/goods/listByIds endpoint. The getListByIds function concatenates user input into orderRaw('field(goods_id, ...)'), allowing attackers to: (a) enumerate or modify database data, including dumping admin password hashes; (b) write web-shell files or invoke xp_cmdshell, leading to remote code execution on servers configured with sufficient DB privileges.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Yoshop Security Vulnerability
Vulnerability Description
Yoshop is an open-source e-commerce system from yiovo in China. Yoshop version 2.0 has a security vulnerability that stems from the unvalidated goodsIds parameter, which may lead to a SQL injection attack.
CVSS Information
N/A
Vulnerability Type
N/A