Iej1Ctk1G

**Name of the Vulnerable Software and Affected Versions** jizhiCMS version 1.6.7 **Description** The software contains a file download issue in the admin plugins update endpoint. Authenticated administrators can download arbitrary files. Attackers can exploit this by sending crafted POST requests with malicious `filepath` and `download url` parameters, triggering unauthorized file downloads. The vulnerable API endpoint is '/admin/plugins/update'. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** P5 FNIP-8x16A FNIP-4xSH versão 1.0.20 **Description** Um problema de falsificação de solicitação cross-site permite que atacantes realizem ações administrativas sem a interação do usuário. Ao enganar usuários autenticados para que carreguem uma página web especialmente criada, atacantes podem adicionar novos usuários administradores, alterar senhas e modificar configurações do sistema. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** P5 FNIP-8x16A FNIP-4xSH version 1.0.20 **Description** The software contains a cross-site request forgery issue that enables attackers to execute administrative actions without authorization. An attacker can create malicious web pages to add new administrator accounts, alter passwords, and change system settings by deceiving authenticated users into loading a specially designed form. The attack relies on tricking a user who is already logged in to the application into performing actions they did not intend to. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider implementing CSRF tokens to protect sensitive actions.