1Y0Ngo

**Name of the Vulnerable Software and Affected Versions** Jizhicms version 2.4.5 **Description** A Cross-Site Request Forgery (CSRF) issue in the /Sys/index.html endpoint of the application allows attackers to make arbitrary configuration changes within the application. This can be exploited by attackers to modify settings without proper authorization. **Recommendations** For Jizhicms version 2.4.5, as a temporary workaround, consider implementing additional validation for requests to the /Sys/index.html endpoint to prevent unauthorized configuration changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jizhicms version 2.4.5 **Description** An arbitrary file upload vulnerability in the `CommonController.php` component allows attackers to execute arbitrary code via a crafted phtml file. This issue is related to the `admincCommonController.php` component. **Recommendations** For Jizhicms version 2.4.5, consider disabling the file upload functionality in the `CommonController.php` component until a patch is available. Restrict access to the `admincCommonController.php` component to minimize the risk of exploitation. Avoid using the file upload feature in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.