Zhangsan

**Name of the Vulnerable Software and Affected Versions** inxedu version 2.0.6 **Description** The issue allows attackers to execute arbitrary commands via the `functionIds` parameter to the "/saverolefunction" API endpoint. This enables attackers to potentially access and manipulate sensitive data. **Recommendations** For inxedu version 2.0.6, consider restricting access to the "/saverolefunction" API endpoint until a patch is available. As a temporary workaround, avoid using the `functionIds` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** inxedu version 2.0.6 **Description** The issue is related to a SQL Injection vulnerability. It is located in the file /inxedu/demo inxedu open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml in inxedu. The vulnerability can be exploited via the `id` value. **Recommendations** For inxedu version 2.0.6, consider restricting access to the vulnerable file WebsiteImagesMapper.xml to minimize the risk of exploitation. As a temporary workaround, avoid using the `id` value in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.