Bigbrother_Man

**Name of the Vulnerable Software and Affected Versions** Das Parking Management System version 6.2.0 **Description** A security flaw in the Search API endpoint allows for remote SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution. This occurs through the manipulation of the `Value` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2 (affected versions not specified) **Description** A remote SQL injection can be triggered via the manipulation of the `sort` argument within the '/SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree' endpoint. SQL injection is a technique where an attacker inserts malicious SQL code into a query, allowing them to manipulate the database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 10 **Description** A SQL injection issue exists in the '/api/Dinner/PayConfig' endpoint. This occurs when the `tableno` argument is manipulated, allowing a remote attacker to execute arbitrary SQL commands. SQL injection is a technique where an attacker inserts malicious SQL code into a query, potentially allowing them to view, modify, or delete data from the database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0 **Description** A path traversal issue exists in the '/SubstationWEBV2/app/..;/main/upfile' endpoint. A remote attacker can manipulate the `path` argument to access files and directories outside the intended folder. Path traversal is a technique that allows an attacker to read arbitrary files on the server by using special character sequences like dot-dot-slash (../). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Das Parking Management System version 6.2.0 **Description** Remote SQL injection is possible via the manipulation of the `Value` argument within the `xp cmdshell()` function of the 'ParkingRecord/ExportParkingRecords' API endpoint. SQL injection is a technique where an attacker inserts malicious SQL code into a query, allowing them to manipulate the database. **Recommendations** As a temporary workaround, restrict access to the 'ParkingRecord/ExportParkingRecords' API endpoint or disable the `xp cmdshell()` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tiandy Easy7 Integrated Management Platform version 7.17.0 **Description** An issue exists in the file '/Easy7/apps/WebService/GetDBDataEx.jsp' where manipulation of the `strTBName` argument allows for SQL injection, which is a technique used to execute malicious SQL statements that control a database server. This flaw enables remote exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tiandy Easy7 Integrated Management Platform version 7.17.0 **Description** An issue exists in the API Endpoint component where improper processing of the '/rest/user/updateUserPassword' endpoint allows for remote manipulation. This can lead to weak password recovery. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tiandy Easy7 Integrated Management Platform version 7.17.0 **Description** An OS command injection flaw exists in the '/Easy7/rest/systemInfo/updateDbBackupInfo' endpoint. Remote attackers can exploit this by manipulating the `week` argument, allowing for the execution of arbitrary operating system commands. **Recommendations** Avoid using the `week` argument in the '/Easy7/rest/systemInfo/updateDbBackupInfo' endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0 **Description** An unrestricted upload issue exists in the file '/SubstationWEBV2/main/uploadH5Files'. Remote attackers can exploit this by manipulating the `File` argument. **Recommendations** Restrict access to the file '/SubstationWEBV2/main/uploadH5Files' to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.