C0D1M4X

Name of the Vulnerable Software and Affected Versions: IBOS version 4.5.4 Description: The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability is found in the email function, specifically in the `emailbody[content]` parameter. XSS is a type of attack where an attacker can inject malicious scripts into content from otherwise trusted websites. Recommendations: For IBOS version 4.5.4, consider restricting the use of the email function until a patch is available, specifically avoiding the use of the `emailbody[content]` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBOS version 4.5.4 Description: The issue is related to a Command Injection Vulnerability in the database backup of IBOS. Recommendations: For IBOS version 4.5.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBOS version 4.5.4 Description: The issue allows for Arbitrary File Inclusion, which can lead to getshell via the /system/modules/dashboard/controllers/CronController.php endpoint. Recommendations: For IBOS version 4.5.4, consider restricting access to the CronController.php file as a temporary workaround until a patch is available.

Name of the Vulnerable Software and Affected Versions: CRMEB versions 3.1.0 and later Description: The issue concerns a File Upload Getshell vulnerability via the /crmeb/crmeb/services/UploadService.php endpoint. This allows for potential exploitation. Recommendations: For CRMEB versions 3.1.0 and later, as a temporary workaround, consider disabling the file upload functionality in UploadService.php until a patch is available. Restrict access to the /crmeb/crmeb/services/UploadService.php endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CRMEB versions 3.1.0 and later Description: The issue in CRMEB is related to strict domain name filtering, which leads to Server-Side Request Forgery (SSRF). The vulnerable code is located in the file /crmeb/app/admin/controller/store/CopyTaobao.php. Recommendations: For CRMEB versions 3.1.0 and later, consider restricting access to the vulnerable file CopyTaobao.php until a patch is available. As a temporary workaround, review and modify the domain name filtering mechanism to prevent SSRF attacks.