Baoandashuo

#43261 of 53,633
6.1 Total CVSS
Vulnerabilities · 1
PT-2023-11595
6.1
2023-04-28
Hongcms · Hongcms · CVE-2020-21643
**Name of the Vulnerable Software and Affected Versions**

HongCMS version 3.0

**Description**

The issue allows attackers to run arbitrary code via the `callback` parameter to the "/ajax/myshop" API endpoint. This enables attackers to execute malicious scripts, potentially leading to unauthorized access or data breaches.

**Recommendations**

For HongCMS version 3.0, consider disabling access to the "/ajax/myshop" API endpoint or restricting the use of the `callback` parameter until a patch is available. Additionally, avoid using the `callback` parameter in the affected API endpoint until the issue is resolved.