Multiple SQL injection vulnerabilities in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter.
[
{
"id": "CVE-2025-63689-05c6dedb",
"target": {
"function": "getValidationMessage",
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/exception/DefaultExceptionHandler.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Function",
"digest": {
"function_hash": "228086862741696953559838389052520549866",
"length": 628.0
},
"deprecated": false
},
{
"id": "CVE-2025-63689-12f2cf03",
"target": {
"file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysUserPageQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"321547480782269289836479958763961979506",
"76647312312917308443978840480821547374",
"263108631551618201877485514351069408795",
"166462509073754279588372514802769708581",
"52327678186062260331092261404804299129",
"318884734759837496274707717136144539777",
"139560958337384048187335783517131127923"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-3633082e",
"target": {
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/vo/PageVO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"245790189177944667500972488209310010321",
"10233803412299253537684298294792622490",
"292190886556722086470060735038155701701",
"106576342788568068479424060231913602793",
"167865695305364483486446272671828220468",
"142623455465541243474948788935923810752",
"118385185101668751765680840971021201959",
"328105055086817776217562542794352669996",
"314469852241932841173860676034499477909"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-3950dfb0",
"target": {
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/dto/SortRequest.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"193661711596815119318163289424102965574",
"168339928387078021213079749727884940279",
"142430105487037893963764356663161399208",
"98186780451841574341736608964639088238",
"231816041565355897208002977707381865781",
"12527575965143717448767468661338500074"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-5b73f12b",
"target": {
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/dto/ISortRequest.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"136616512218750444391810850443999049194",
"277462759207178933409881946634944002817",
"17822949099843924420645745414938769267",
"88946906407193037111250661110123459484",
"302983676890022056096208647026387322112",
"149958097967634754058087192822969848764",
"37371004208959745081374910171635185794",
"235337992171240831683640639897090488858",
"248165775284151690979510688276780016608",
"16913227002608739687488305087783322391",
"273817356009683263096456015845331415199",
"122450191211446935812515963251522962332",
"311224720815162043469369566576360225288",
"5139808565422513434628890652950253574",
"133396714418317536968452260961274010192",
"48698456513193568188428655622894040430",
"55462821670628819234257356407184546692",
"176684856884815719266209506686959694803",
"54259396307743781565292063203065125361",
"298118435941792510071125954274558851650",
"243479860507914822326792990993024701320",
"230817032692326022482750100002466787671",
"133021120830338308568118470475284502677",
"222336711696653001341692081096186415620",
"278683805222159754646140792128832942255",
"12439325354205625100162071330183140350",
"134346140952587490059838230735717625625",
"77991498783813569621584561766582222777",
"77123213183663978202917301991988764296",
"297319847916865901546473163559836489109",
"255436254047146785025977765012035655699",
"215834035431719704413674547855744140359",
"295799639388060555460894906662833133070",
"10307913066935329557870634474339702843",
"291917588815245075903276048468466508685",
"56676618458611836687837046977571053687",
"150208457180890300981241782456215180004",
"334293576462212315307297176181267180585",
"284169540157116608810138947017832431994",
"218411249146772384692713205241163521308",
"129955591345256676419016117170545062444",
"145419497430333380288912158710483376945"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-6987d7f6",
"target": {
"file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysRoleQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"321547480782269289836479958763961979506",
"76647312312917308443978840480821547374",
"263108631551618201877485514351069408795",
"166462509073754279588372514802769708581",
"278910632736528855719841515627603225748",
"238565514757002436933394971330827191769",
"272295361882423519905082667261847676632",
"312376827376357633578480916456070666733",
"151490907642518490880226681261257785383",
"124081124651697682815096819539105910120",
"250165452553818503860986425398169427309",
"320253621150427754453995827696710913277",
"55209151323566073746258093717179139936",
"174060351254539289578292380758520877934"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-6ba7a527",
"target": {
"file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysTenantQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"321547480782269289836479958763961979506",
"76647312312917308443978840480821547374",
"263108631551618201877485514351069408795",
"166462509073754279588372514802769708581",
"296176557332780258026308316151629408297",
"104735734205681037637219121783351176959",
"15047541153122492098840091252686046415",
"17189657015372541896773933526658160120",
"238598381158333811414319036538348438279",
"122924941275817989031059580852966369100"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-6e568882",
"target": {
"file": "money-pos/qk-money-app/money-app-api/src/main/java/com/money/dto/OmsOrder/OmsOrderQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"154901969831740744992187169580981719649",
"76647312312917308443978840480821547374",
"179124730129134813634721347496626944398",
"20561540008201320181667465703453271766",
"325649763349843499386092095734229785791",
"11033116670530822969809301982278285290",
"240305342800810120264737552802448671213",
"102775770396078179026529538897136977297"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-86e76a3a",
"target": {
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/exception/DefaultExceptionHandler.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"240363164458302732082862662635472497498",
"254615032031908509486397275063120748929",
"54109460165245886838659793372851732672",
"176350648459498707708592889380611189341",
"272569018151341209059429380625813401889",
"119246190373680389887531849935884142520",
"74238325523662178088165436716705559530",
"22145097080234898152330127912597202066",
"164567237751186672954043629604919970942",
"177382444726052752301064814448645219533",
"247577643718611864392075668992726566583",
"71952322150363394967361367492119955881",
"212108388042054603809147985645078776036"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-8c23ad7b",
"target": {
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/response/R.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"45560151837809287442714030620463378543",
"137373574061109281679005551408943479996",
"206801510137041826437537296381506387148",
"176073303398365370997525581688053688365",
"140888617043039857120078802395923594834",
"134212089798128263008475801309951310705",
"132834923858298044691228366213865986387",
"260227249571969346478813319034689038651",
"86615924040615585505784955194883641572"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-94925142",
"target": {
"file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysUserQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"321547480782269289836479958763961979506",
"76647312312917308443978840480821547374",
"263108631551618201877485514351069408795",
"166462509073754279588372514802769708581",
"335194431426290425710125209746442928626",
"313547766105365772164687655283393801256",
"288375376881272880365404188167631695026",
"15231546353895850620142897379727880230",
"183762212731340324165303487821399311141",
"125225944304755131054498035845811579853",
"318884734759837496274707717136144539777",
"139560958337384048187335783517131127923"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-97749b8a",
"target": {
"file": "money-pos/qk-money-app/money-app-api/src/main/java/com/money/dto/GmsGoods/GmsGoodsQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"168846332360242569403218982036648741606",
"76647312312917308443978840480821547374",
"225807951833366177237529597060203348215",
"41665217440912972955064825718395795668",
"39045371834145358404629222995057292385",
"291321677515632635555936207310262605428",
"225980762033106966752638573381653770407"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-b576c077",
"target": {
"file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysDictQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"321547480782269289836479958763961979506",
"76647312312917308443978840480821547374",
"263108631551618201877485514351069408795",
"166462509073754279588372514802769708581",
"159507258213350856538819936495868421958",
"19392547750996802260966777751469270888",
"64683450084631445531910010312958726236",
"184552873202065299472251803214611713280"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-d2ad33fd",
"target": {
"file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/dto/PageQueryRequest.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"225807951833366177237529597060203348215",
"41665217440912972955064825718395795668",
"47227745514948991826477805984321584925",
"322306748726009259019834417919756482904",
"180281322020187661540009296565755048565",
"324430365191204245921782483978072659701"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2025-63689-eada8bad",
"target": {
"file": "money-pos/qk-money-app/money-app-api/src/main/java/com/money/dto/UmsMember/UmsMemberQueryDTO.java"
},
"signature_version": "v1",
"source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
"signature_type": "Line",
"digest": {
"line_hashes": [
"315562192317811272010243161468417641203",
"76647312312917308443978840480821547374",
"225807951833366177237529597060203348215",
"41665217440912972955064825718395795668",
"190793795954224905588778567004918363199",
"90435223518615608292124547883646181239",
"305086852557687528342894699319158106830"
],
"threshold": 0.9
},
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63689.json"
"2026-04-12T18:47:05Z"
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025-09-14"
}
]
}
]