Zsdlove

**Nome do software vulnerável e versões afetadas: ZrLog versão 2.1.0 Descrição: Existe uma vulnerabilidade de Cross Site Scripting, permitindo uma possível exploração por meio dos parâmetros `userName` e `email` no endpoint “post/addComment”. Recomendações: Para o ZrLog versão 2.1.0, considere restringir o acesso ao endpoint “post/addComment” ou evite usar os parâmetros `userName` e `email` até que uma correção esteja disponível.

**Name of the Vulnerable Software and Affected Versions** tianti version 2.3 **Description** The issue allows remote authenticated users to bypass intended permission restrictions. This can be achieved by visiting the "tianti-module-admin/cms/column/list" endpoint directly, which enables the user to read the column list page or edit a column. **Recommendations** For version 2.3, restrict access to the "tianti-module-admin/cms/column/list" endpoint to prevent unauthorized users from reading or editing columns. Consider implementing proper permission checks to ensure that only authorized users can access and modify the column list page.

**Name of the Vulnerable Software and Affected Versions** tianti version 2.3 **Description** The issue allows remote authenticated users to bypass intended permission restrictions. This is possible by visiting the "tianti-module-admin/user/skin/list" endpoint directly. The `UserController.java` maps a `/skin/list` request to the `skinList` function, which lacks an authorization check. **Recommendations** For tianti version 2.3, consider adding an authorization check to the `skinList` function in `UserController.java` to prevent unauthorized access. As a temporary workaround, restrict access to the "tianti-module-admin/user/skin/list" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tianti version 2.3 **Description** The issue concerns a stored XSS in the userlist module. This occurs via the `name` parameter in the "tianti-module-admin/user/ajax/save role" endpoint, which is mishandled in the tianti-module-adminsrcmainwebappWEB-INFviewsuseruser list.jsp file. **Recommendations** For tianti version 2.3, consider restricting access to the userlist module until a patch is available. As a temporary workaround, avoid using the `name` parameter in the "tianti-module-admin/user/ajax/save role" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tianti version 2.3 **Description** The issue is related to stored XSS in the article management module. This occurs via an article title, allowing potential exploitation. **Recommendations** For version 2.3, update to a newer version that contains a fix for this issue, or as a temporary workaround, consider validating and sanitizing user input for article titles to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** tianti version 2.3 **Description** The issue is related to reflected XSS in the user management module. It occurs via the `userName` parameter in the "tianti-module-admin/user/list" endpoint. **Recommendations** For version 2.3, consider restricting access to the user management module or avoiding the use of the `userName` parameter in the affected endpoint until a fix is available.