W3Bspl01T3R

**Name of the Vulnerable Software and Affected Versions** ShifuML shifu version 0.12.0 **Description** A critical vulnerability has been found in the Java Expression Language Handler component, specifically in the file src/main/java/ml/shifu/shifu/core/DataPurifier.java. The manipulation of the `FilterExpression` argument leads to code injection. The attack can be launched remotely, with a rather high complexity and difficult exploitation. The exploit has been disclosed to the public and may be used. **Recommendations** For ShifuML shifu version 0.12.0, as a temporary workaround, consider restricting access to the `DataPurifier.java` file and the Java Expression Language Handler component to minimize the risk of exploitation. Avoid using the `FilterExpression` argument in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dragon Path 707GR1 up to 20231022 **Description** A vulnerability has been found in the Ping Diagnostics component of Dragon Path 707GR1. The issue arises from the manipulation of the `Host Address` argument with a specific input, `><img/src/onerror=alert(1)>`, leading to cross-site scripting. This can be exploited remotely. The exploit has been publicly disclosed. **Recommendations** For Dragon Path 707GR1 up to 20231022, as a temporary workaround, consider restricting the input for the `Host Address` argument to prevent cross-site scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeAstro POS System version 1.0 **Description** A critical issue has been found in the CodeAstro POS System, affecting an unknown functionality of the file `/profil` of the component Profile Picture Handler. This issue leads to unrestricted upload and can be exploited remotely. The exploit has been disclosed to the public. **Recommendations** For CodeAstro POS System version 1.0, consider disabling the Profile Picture Handler component until a patch is available to prevent unrestricted upload. Restrict access to the `/profil` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** CodeAstro POS System version 1.0 **Description** A critical issue affects some unknown functionality of the file /setting of the component Logo Handler, leading to unrestricted upload. The attack can be launched remotely. **Recommendations** For CodeAstro POS System version 1.0, consider restricting access to the Logo Handler component to minimize the risk of exploitation. As a temporary workaround, avoid using the /setting file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.