Blackspdier

**Name of the Vulnerable Software and Affected Versions** Xinhu Rainrock RockOA versions up to 2.7.1 **Description** A security flaw exists in Xinhu Rainrock RockOA. The issue affects an unknown function within the `rock page gong.php` file of the Cover Image Handler component. Manipulation of the `fengmian` argument can lead to cross site scripting. The attack can be initiated remotely. The exploit for this issue has been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 2.7.1 should be updated. As a temporary workaround, consider restricting access to the `rock page gong.php` file.

**Name of the Vulnerable Software and Affected Versions** Xinhu Rainrock RockOA versions up to 2.7.1 **Description** A security issue exists in Xinhu Rainrock RockOA. The issue involves cross site scripting, potentially allowing remote attacks. The issue is related to the manipulation of the `callback` argument within an unknown functionality of the `rockfun.php` file in the API component. The exploit for this issue has been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 2.7.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** aaPanel BaoTa versions prior to 11.1.1 **Description** A SQL injection issue exists in aaPanel BaoTa. The issue is located in the Backend component, specifically within the `/database?action=GetDatabaseAccess` endpoint. Manipulation of the `Name` parameter can lead to SQL injection. The exploit has been publicly disclosed. The vendor was notified but did not respond. **Recommendations** Update aaPanel BaoTa to version 11.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** qianfox FoxCMS versions up to 1.2 **Description** A cross site scripting issue exists in the Search Page component of qianfox FoxCMS. The issue is located in the `/index.php/Search` file and involves manipulation of the `keyword` argument. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CRMEB versions prior to 5.6.2 **Description** A security issue exists in CRMEB related to the JWT HMAC Secret Handler component. Manipulation of the `secret` argument with the input `default` leads to the use of a hard-coded cryptographic key within an unknown function. This issue is remotely exploitable, though exploitation is considered difficult. The exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** Update CRMEB to version 5.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Rebuild versions up to 4.1.3 **Description** A security flaw exists in Rebuild’s Comment/Guestbook component, potentially allowing for cross site scripting. Remote manipulation of an unknown functionality within the component can trigger this issue. **Recommendations** Upgrade to version 4.1.4 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** CRMEB versions prior to 5.7 **Description** A security flaw exists in CRMEB that allows for SQL injection. The issue is related to the processing of the `cate id` argument within the GET Parameter Handler component, specifically in the file '/adminapi/product/product'. Remote exploitation is possible through manipulation of this parameter. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** Update CRMEB to version 5.7 or later.

**Name of the Vulnerable Software and Affected Versions** GstarCAD versions prior to 9.4.0 **Description** A flaw exists in Gstarsoft GstarCAD related to the File Renaming Handler component. This issue allows for cross site scripting, potentially enabling remote attacks. The exploit for this issue has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SeaCMS versions up to 13.3 **Description** A SQL injection issue exists in SeaCMS due to manipulation of the `ID` argument in the file `/admin members.php?ac=editsave`. This allows for remote exploitation. The exploit has been publicly disclosed. **Recommendations** SeaCMS versions prior to 13.3: Address the SQL injection issue by sanitizing the `ID` argument in the `/admin members.php?ac=editsave` file.