Xiaobing

**Name of the Vulnerable Software and Affected Versions** TeaCMS versions up to 2.0.2 **Description** A problematic issue was found in TeaCMS, affecting an unknown function of the Article Title Handler component. This issue allows for cross site scripting when an attacker manipulates the input with malicious code, such as `<script>alert(document.cookie)</script>`. The attack can be launched remotely. **Recommendations** For TeaCMS versions up to 2.0.2, consider restricting the input to prevent cross site scripting attacks until a patch is available. As a temporary workaround, restrict access to the Article Title Handler component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XiaoBingBy TeaCMS versions up to 2.0.2 **Description** A critical vulnerability has been found in XiaoBingBy TeaCMS, affecting the file /admin/getallarticleinfo. The manipulation of the `searchInfo` argument leads to sql injection. The attack can be initiated remotely. **Recommendations** For versions up to 2.0.2, consider disabling access to the /admin/getallarticleinfo file until a patch is available. Restrict the use of the `searchInfo` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XiaoBingBy TeaCMS version 2.0 **Description** A critical vulnerability was found in XiaoBingBy TeaCMS, affecting an unknown functionality of the file /admin/upload. The manipulation leads to path traversal: '../filedir'. The attack can be launched remotely. **Recommendations** For XiaoBingBy TeaCMS version 2.0, consider restricting access to the /admin/upload file until a patch is available. As a temporary workaround, avoid using the '../filedir' path traversal in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.