Bacmiao

**Name of the Vulnerable Software and Affected Versions** Jeesite versions before commit 10742d3 **Description** The issue is a SQL injection vulnerability. It occurs via the component `${businessTable}` at the `/act/ActDao.xml` endpoint. **Recommendations** For versions before commit 10742d3, update to a version that includes commit 10742d3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/act/ActDao.xml` endpoint to minimize the risk of exploitation. Avoid using the `${businessTable}` component in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.5.1 **Description** The issue is a SQL injection vulnerability. It occurs via the component `queryTableDictItemsByCode` at `org.jeecg.modules.api.controller.SystemApiController`. **Recommendations** For JeecgBoot versions up to 3.5.1, consider disabling the `queryTableDictItemsByCode` component in the `SystemApiController` until a patch is available. Restrict access to this component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JeecgBoot versions up to 3.5.1 **Description** A SQL injection issue was discovered in JeecgBoot via the `queryFilterTableDictInfo` component at `org.jeecg.modules.api.controller.SystemApiController`. This allows for potential SQL injection attacks. **Recommendations** For versions up to 3.5.1, as a temporary workaround, consider disabling the `queryFilterTableDictInfo` component in the `SystemApiController` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** newbee-mall versions prior to commit 1f2c2dfy **Description** The issue is related to insecure permissions in the `updateUserInfo` function, which allows attackers to obtain user account information. **Recommendations** For versions prior to commit 1f2c2dfy, update to a version that includes commit 1f2c2dfy or later to resolve the issue. As a temporary workaround, consider restricting access to the `updateUserInfo` function until a patch is available.