jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter column
and order
parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in safeSqlParse
method for sql injection.