9Str0Il

**Name of the Vulnerable Software and Affected Versions** YunaiV yudao-cloud versions prior to 2026.01 **Description** A SQL injection issue exists in the `getDataBySQL()` function within the file `yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java`. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating input. **Recommendations** Update to a version later than 2026.01. As a temporary workaround, restrict access to the `getDataBySQL()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** YunaiV yudao-cloud versions prior to 2026.01 **Description** A security flaw allows remote attackers to perform a manipulation that results in improper authentication. This issue impacts the `getAccessToken()` function within the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. **Recommendations** As a temporary workaround, consider restricting access to the `getAccessToken()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** YunaiV yudao-cloud versions prior to 3.8.1 **Description** An authentication bypass exists in the Ruoyi-Vue-Pro component. Manipulation of the `mock-token` argument within the `doFilterInternal()` function of the JwtAuthenticationTokenFilter.java file allows for improper authentication, which can be exploited remotely. **Recommendations** Update to a version later than 3.8.0. As a temporary workaround, restrict or disable the use of the `mock-token` argument in the affected component.

**Name of the Vulnerable Software and Affected Versions** 1000 Projects Portfolio Management System MCA versions prior to 1.1 **Description** An issue exists in the file '/admin/block status.php' where the manipulation of the `q` argument allows for SQL injection, a technique used to interfere with the queries that an application makes to its database. This attack can be initiated remotely. **Recommendations** Update to a version later than 1.0. As a temporary workaround, restrict access to the '/admin/block status.php' file or avoid using the `q` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** 1000 Projects Portfolio Management System MCA version 1.0 **Description** An authorization bypass exists in the `update passwd process.php` file. A remote attacker can exploit this by manipulating the `temp user` argument. **Recommendations** Restrict access to the `update passwd process.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.