CVE-2025-63689

Source
https://cve.org/CVERecord?id=CVE-2025-63689
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63689.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-63689
Published
2025-11-07T16:15:42.503Z
Modified
2026-04-12T18:47:05.670207Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

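Multiple SQL injection vulnerabilities in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter. Note that the "Fixed" event in the affected range below is blank and the unresolved range records only the date, so the fixing commit has to be taken from this description; the same commit appears as the `source` of each Vanir signature.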

References

Affected packages

Git / github.com/ycf1998/money-pos

Affected ranges

Type
GIT
Repo
https://github.com/ycf1998/money-pos
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

vanir_signatures
[
    {
        "id": "CVE-2025-63689-05c6dedb",
        "target": {
            "function": "getValidationMessage",
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/exception/DefaultExceptionHandler.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Function",
        "digest": {
            "function_hash": "228086862741696953559838389052520549866",
            "length": 628.0
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-12f2cf03",
        "target": {
            "file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysUserPageQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "321547480782269289836479958763961979506",
                "76647312312917308443978840480821547374",
                "263108631551618201877485514351069408795",
                "166462509073754279588372514802769708581",
                "52327678186062260331092261404804299129",
                "318884734759837496274707717136144539777",
                "139560958337384048187335783517131127923"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-3633082e",
        "target": {
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/vo/PageVO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "245790189177944667500972488209310010321",
                "10233803412299253537684298294792622490",
                "292190886556722086470060735038155701701",
                "106576342788568068479424060231913602793",
                "167865695305364483486446272671828220468",
                "142623455465541243474948788935923810752",
                "118385185101668751765680840971021201959",
                "328105055086817776217562542794352669996",
                "314469852241932841173860676034499477909"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-3950dfb0",
        "target": {
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/dto/SortRequest.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "193661711596815119318163289424102965574",
                "168339928387078021213079749727884940279",
                "142430105487037893963764356663161399208",
                "98186780451841574341736608964639088238",
                "231816041565355897208002977707381865781",
                "12527575965143717448767468661338500074"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-5b73f12b",
        "target": {
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/dto/ISortRequest.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "136616512218750444391810850443999049194",
                "277462759207178933409881946634944002817",
                "17822949099843924420645745414938769267",
                "88946906407193037111250661110123459484",
                "302983676890022056096208647026387322112",
                "149958097967634754058087192822969848764",
                "37371004208959745081374910171635185794",
                "235337992171240831683640639897090488858",
                "248165775284151690979510688276780016608",
                "16913227002608739687488305087783322391",
                "273817356009683263096456015845331415199",
                "122450191211446935812515963251522962332",
                "311224720815162043469369566576360225288",
                "5139808565422513434628890652950253574",
                "133396714418317536968452260961274010192",
                "48698456513193568188428655622894040430",
                "55462821670628819234257356407184546692",
                "176684856884815719266209506686959694803",
                "54259396307743781565292063203065125361",
                "298118435941792510071125954274558851650",
                "243479860507914822326792990993024701320",
                "230817032692326022482750100002466787671",
                "133021120830338308568118470475284502677",
                "222336711696653001341692081096186415620",
                "278683805222159754646140792128832942255",
                "12439325354205625100162071330183140350",
                "134346140952587490059838230735717625625",
                "77991498783813569621584561766582222777",
                "77123213183663978202917301991988764296",
                "297319847916865901546473163559836489109",
                "255436254047146785025977765012035655699",
                "215834035431719704413674547855744140359",
                "295799639388060555460894906662833133070",
                "10307913066935329557870634474339702843",
                "291917588815245075903276048468466508685",
                "56676618458611836687837046977571053687",
                "150208457180890300981241782456215180004",
                "334293576462212315307297176181267180585",
                "284169540157116608810138947017832431994",
                "218411249146772384692713205241163521308",
                "129955591345256676419016117170545062444",
                "145419497430333380288912158710483376945"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-6987d7f6",
        "target": {
            "file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysRoleQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "321547480782269289836479958763961979506",
                "76647312312917308443978840480821547374",
                "263108631551618201877485514351069408795",
                "166462509073754279588372514802769708581",
                "278910632736528855719841515627603225748",
                "238565514757002436933394971330827191769",
                "272295361882423519905082667261847676632",
                "312376827376357633578480916456070666733",
                "151490907642518490880226681261257785383",
                "124081124651697682815096819539105910120",
                "250165452553818503860986425398169427309",
                "320253621150427754453995827696710913277",
                "55209151323566073746258093717179139936",
                "174060351254539289578292380758520877934"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-6ba7a527",
        "target": {
            "file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysTenantQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "321547480782269289836479958763961979506",
                "76647312312917308443978840480821547374",
                "263108631551618201877485514351069408795",
                "166462509073754279588372514802769708581",
                "296176557332780258026308316151629408297",
                "104735734205681037637219121783351176959",
                "15047541153122492098840091252686046415",
                "17189657015372541896773933526658160120",
                "238598381158333811414319036538348438279",
                "122924941275817989031059580852966369100"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-6e568882",
        "target": {
            "file": "money-pos/qk-money-app/money-app-api/src/main/java/com/money/dto/OmsOrder/OmsOrderQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "154901969831740744992187169580981719649",
                "76647312312917308443978840480821547374",
                "179124730129134813634721347496626944398",
                "20561540008201320181667465703453271766",
                "325649763349843499386092095734229785791",
                "11033116670530822969809301982278285290",
                "240305342800810120264737552802448671213",
                "102775770396078179026529538897136977297"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-86e76a3a",
        "target": {
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/exception/DefaultExceptionHandler.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "240363164458302732082862662635472497498",
                "254615032031908509486397275063120748929",
                "54109460165245886838659793372851732672",
                "176350648459498707708592889380611189341",
                "272569018151341209059429380625813401889",
                "119246190373680389887531849935884142520",
                "74238325523662178088165436716705559530",
                "22145097080234898152330127912597202066",
                "164567237751186672954043629604919970942",
                "177382444726052752301064814448645219533",
                "247577643718611864392075668992726566583",
                "71952322150363394967361367492119955881",
                "212108388042054603809147985645078776036"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-8c23ad7b",
        "target": {
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/response/R.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "45560151837809287442714030620463378543",
                "137373574061109281679005551408943479996",
                "206801510137041826437537296381506387148",
                "176073303398365370997525581688053688365",
                "140888617043039857120078802395923594834",
                "134212089798128263008475801309951310705",
                "132834923858298044691228366213865986387",
                "260227249571969346478813319034689038651",
                "86615924040615585505784955194883641572"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-94925142",
        "target": {
            "file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysUserQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "321547480782269289836479958763961979506",
                "76647312312917308443978840480821547374",
                "263108631551618201877485514351069408795",
                "166462509073754279588372514802769708581",
                "335194431426290425710125209746442928626",
                "313547766105365772164687655283393801256",
                "288375376881272880365404188167631695026",
                "15231546353895850620142897379727880230",
                "183762212731340324165303487821399311141",
                "125225944304755131054498035845811579853",
                "318884734759837496274707717136144539777",
                "139560958337384048187335783517131127923"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-97749b8a",
        "target": {
            "file": "money-pos/qk-money-app/money-app-api/src/main/java/com/money/dto/GmsGoods/GmsGoodsQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "168846332360242569403218982036648741606",
                "76647312312917308443978840480821547374",
                "225807951833366177237529597060203348215",
                "41665217440912972955064825718395795668",
                "39045371834145358404629222995057292385",
                "291321677515632635555936207310262605428",
                "225980762033106966752638573381653770407"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-b576c077",
        "target": {
            "file": "money-pos/qk-money-app/money-app-system/src/main/java/com/money/dto/query/SysDictQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "321547480782269289836479958763961979506",
                "76647312312917308443978840480821547374",
                "263108631551618201877485514351069408795",
                "166462509073754279588372514802769708581",
                "159507258213350856538819936495868421958",
                "19392547750996802260966777751469270888",
                "64683450084631445531910010312958726236",
                "184552873202065299472251803214611713280"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-d2ad33fd",
        "target": {
            "file": "money-pos/qk-money-common/money-common-web/src/main/java/com/money/web/dto/PageQueryRequest.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "225807951833366177237529597060203348215",
                "41665217440912972955064825718395795668",
                "47227745514948991826477805984321584925",
                "322306748726009259019834417919756482904",
                "180281322020187661540009296565755048565",
                "324430365191204245921782483978072659701"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "id": "CVE-2025-63689-eada8bad",
        "target": {
            "file": "money-pos/qk-money-app/money-app-api/src/main/java/com/money/dto/UmsMember/UmsMemberQueryDTO.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "315562192317811272010243161468417641203",
                "76647312312917308443978840480821547374",
                "225807951833366177237529597060203348215",
                "41665217440912972955064825718395795668",
                "190793795954224905588778567004918363199",
                "90435223518615608292124547883646181239",
                "305086852557687528342894699319158106830"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63689.json"
vanir_signatures_modified
"2026-04-12T18:47:05Z"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "2025-09-14"
            }
        ]
    }
]