Arron-Bit

**Name of the Vulnerable Software and Affected Versions** OpenMRS Core versions prior to 2.7.9 OpenMRS Core versions 2.8.0 through 2.8.5 **Description** The module upload endpoint 'POST /openmrs/ws/rest/v1/module' is susceptible to a Zip Slip path traversal attack. This occurs during the automatic extraction of uploaded .omod archives within the `startModule()` function of `WebModuleUtil`. The system only verifies if the full entry path starts with `..`, failing to normalize the path or perform boundary checks on entries starting with `web/module/`. Consequently, a crafted archive containing entries such as `web/module/../../../../malicious.jsp` can result in files being written outside the intended module directory. An authenticated attacker with module upload permissions can write arbitrary files to locations like the web application root. By uploading a JSP file and requesting it, the attacker can achieve remote code execution. Additionally, the `module.allow web admin` runtime property, intended to restrict web-based module administration, is not enforced in the REST API upload path, allowing the restriction to be bypassed. **Recommendations** Update OpenMRS Core to a version after 2.7.8 in the 2.7.x line. Update OpenMRS Core to version 2.8.6 or later. As a temporary mitigation, restrict access to the 'POST /openmrs/ws/rest/v1/module' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenMRS Core versions prior to 2.7.9 OpenMRS Core versions 2.8.0 through 2.8.5 **Description** The '/openmrs/moduleResources/{moduleid}' endpoint is susceptible to a path traversal attack. This occurs because the `ModuleResourcesServlet` uses the `getFile()` function to construct a filesystem path from user-supplied input without performing path boundary validation or using the `normalize()` method to ensure the result remains within the intended directory. Since this endpoint provides static resources for the login page, it bypasses authentication filters, allowing unauthenticated attackers to read arbitrary files from the server filesystem, such as '/etc/passwd' and configuration files containing database credentials. Successful exploitation depends on the server running Apache Tomcat versions prior to 8.5.31, as later versions (8.5.31+ and 9.0.10+) mitigate the `..;` path parameter bypass at the container level. **Recommendations** Update OpenMRS Core to a version after 2.7.8 within the 2.7.x branch. Update OpenMRS Core to version 2.8.6 or later. As a temporary mitigation, restrict access to the '/openmrs/moduleResources/{moduleid}' endpoint or ensure the application is deployed on Apache Tomcat 8.5.31 or 9.0.10 and later.

**Name of the Vulnerable Software and Affected Versions** JeeSite version 5.15.1 **Description** An issue in the '/a/file/upload' endpoint allows authenticated attackers with file upload permissions to perform path traversal and write arbitrary files with whitelisted suffixes to any location on the filesystem when chunked upload is enabled. This is possible via the `fileMd5` parameter. **Recommendations** As a temporary workaround, restrict access to the '/a/file/upload' endpoint or disable the chunked upload feature to prevent the use of the `fileMd5` parameter for unauthorized file writes.

**Name of the Vulnerable Software and Affected Versions** shopizer version 3.2.5 **Description** A path traversal issue in the '/content/images/add' endpoint allows attackers to write arbitrary files to any writable path using a crafted POST request. Path traversal is a technique that allows an attacker to access or manipulate files and directories outside the intended folder on a server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JeeSite version 5.15.1 **Description** A stored cross-site scripting (XSS) issue exists in the '/msg/msgInner/save' endpoint. This allows attackers to execute arbitrary web scripts or HTML by injecting crafted input into the `msgContent` parameter. Cross-site scripting is a flaw where malicious scripts are injected into otherwise trusted websites. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Avoid using the `msgContent` parameter in the '/msg/msgInner/save' endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JeeSite version 5.15.1 **Description** An issue in the '/a/file/upload' endpoint allows authenticated attackers with file upload permissions to perform path traversal. By manipulating the `fileEntityId` parameter, an attacker can write arbitrary files with whitelisted suffixes to arbitrary locations on the filesystem. Path traversal is a technique used to access files and directories that are stored outside the web root folder. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SpringBlade version 4.8.0 **Description** An XML external entity (XXE) flaw in the "/designer/loadReport" endpoint allows authenticated attackers to execute arbitrary code by injecting a crafted payload. XXE is a type of attack where an application processes XML input containing a reference to an external entity, which can lead to unauthorized data access or remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the "/designer/loadReport" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** shopizer version 3.2.5 **Description** Multiple authenticated cross-site scripting (XSS) issues exist in the `XssHttpServletRequestWrapper` class. These allow attackers to execute arbitrary web scripts or HTML by injecting crafted payloads into the `getInputStream()` and `getReader()` functions. **Recommendations** As a temporary workaround, consider restricting access to the `XssHttpServletRequestWrapper` class or the `getInputStream()` and `getReader()` functions until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** halo version 2.22.14 **Description** A Server-Side Request Forgery (SSRF) exists in the "/plugins/-/install-from-uri" endpoint. This allows authenticated attackers to scan internal resources by sending a crafted GET request. SSRF is a flaw where an attacker can force a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the "/plugins/-/install-from-uri" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** halo version 2.22.14 **Description** An authenticated attacker can scan internal resources by sending a crafted GET request to the '/themes/-/install-from-uri' endpoint. This is caused by a Server-Side Request Forgery (SSRF), which occurs when a server is tricked into making requests to an unintended location. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** halo version 2.22.14 **Description** A Server-Side Request Forgery (SSRF) exists in the '/themes/{name}/upgrade-from-uri' endpoint. This allows authenticated attackers to scan internal resources by sending a crafted GET request. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** halo version 2.22.14 **Description** A Server-Side Request Forgery (SSRF) exists in the '/plugins/{name}/upgrade-from-uri' endpoint. This allows authenticated attackers to scan internal resources by sending a crafted GET request. SSRF is a flaw where an attacker can force a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SpringBlade version 4.8.0 **Description** A Server-Side Request Forgery (SSRF) exists in the '/ureport/datasource/testConnection' endpoint. This allows authenticated attackers to scan internal resources by sending a crafted GET request. SSRF is a flaw where an attacker can force a server-side application to make requests to an unintended location. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/ureport/datasource/testConnection' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RuoYi versions 4.8.1 and earlier **Description** The software contains a stored cross-site scripting (XSS) issue in the `/system/menu/edit` API endpoint. The existing XSS filter can be bypassed, allowing for exploitation. Because the menu is shared across all users, a user with menu modification permissions can impact all users. The vulnerable parameter is not specified. **Recommendations** Update to a version later than 4.8.1.

**Name of the Vulnerable Software and Affected Versions** jshERP versions prior to 3.5 **Description** The software is susceptible to a stored Cross Site Scripting (XSS) issue. The vulnerability exists through the `/msg/add` API endpoint. An attacker could potentially inject malicious scripts that are then stored and executed when other users access the affected functionality. The vulnerable parameter is not specified. **Recommendations** Update to a version newer than 3.5. As a temporary workaround, consider restricting access to the `/msg/add` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** jshERP versions 3.5 and earlier **Description** The software is susceptible to a stored cross-site scripting (XSS) issue. Attackers can exploit this by uploading PDF files containing malicious XSS payloads. These files are then accessible through static URLs, potentially exposing them to all users. **Recommendations** Versions prior to 3.5 should be updated.

**Name of the Vulnerable Software and Affected Versions** Jeecgboot versions 3.8.2 and earlier **Description** Jeecgboot versions 3.8.2 and earlier are susceptible to a path traversal issue. The `/sys/comment/addFile` API endpoint allows attackers to upload files with system-whitelisted extensions to the `/opt` directory, bypassing the intended upload location of `/opt/upFiles` configured for the web server. The `addFile` function is involved in this issue. **Recommendations** Update Jeecgboot to a version later than 3.8.2.

**Name of the Vulnerable Software and Affected Versions** Jeecgboot versions 3.8.2 and earlier **Description** Jeecgboot versions 3.8.2 and earlier are susceptible to a path traversal issue. This allows attackers to upload files with system-whitelisted extensions to the `/opt` directory, bypassing the intended upload location of `/opt/upFiles` configured by the web server. **Recommendations** Update Jeecgboot to a version later than 3.8.2.