Baimao-Box

#13606 of 53,630
19.6 total CVSS
Vulnerabilities · 2
Critical
2
PT-2023-20806
9.8
2023-04-28
Unknown · Wangmarket Cms · CVE-2023-26813
**Name of the Vulnerable Software and Affected Versions**
wangmarket CMS version 4.10

**Description**
The issue allows remote attackers to run arbitrary SQL commands via the `TableName` parameter to the "/plugin/dataDictionary/tableView.do" API endpoint. This enables attackers to manipulate database queries, potentially leading to unauthorized data access or modification.

**Recommendations**
For wangmarket CMS version 4.10, consider disabling the `DataDictionaryPluginController` function until a patch is available to prevent exploitation of the SQL injection vulnerability. Restrict access to the "/plugin/dataDictionary/tableView.do" API endpoint to minimize the risk of exploitation. Avoid using the `TableName` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2023-22645
9.8
2023-04-27
Jfinalcms · Jfinalcms · CVE-2023-30349
**Name of the Vulnerable Software and Affected Versions**
JFinal CMS version 5.1.0

**Description**
The issue is related to a remote code execution (RCE) vulnerability. It is exploited via the `ActionEnter` function.

**Recommendations**
For JFinal CMS version 5.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.