C3P0Ooo_Yiqiyin

**Name of the Vulnerable Software and Affected Versions** ketr JEPaaS versions up to 7.2.8 **Description** A flaw exists in ketr JEPaaS that allows for remote SQL injection. The issue is located in the `readAllPostil` function within the `/je/postil/postil/readAllPostil` file. Manipulation of the `keyWord` argument can trigger the injection. The exploit for this issue has been publicly released, and the vendor was notified but did not respond. **Recommendations** Versions prior to 7.2.8 should be updated. As a temporary workaround, consider restricting access to the `readAllPostil` function until a patch is available. Avoid using the `keyWord` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: JEPaaS version 7.2.8 Description: A security issue has been identified in JEPaaS 7.2.8 affecting the `doFilterInternal` function within the Filter Handler component. This can lead to improper access controls and allows for remote execution of attacks. The exploit for this issue has been publicly disclosed. The vendor was informed of the disclosure but did not respond. Recommendations: As a temporary workaround, consider disabling the `doFilterInternal` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** moxi624 Mogu Blog v2 up to 5.2 **Description** A problematic issue has been found in the software, affecting the function `uploadPictureByUrl` of the file `/mogu-picture/file/uploadPicsByUrl`. The manipulation of the argument `urlList` leads to absolute path traversal. The attack may be initiated remotely. **Recommendations** For moxi624 Mogu Blog v2 up to 5.2, consider disabling the `uploadPictureByUrl` function until a patch is available to prevent absolute path traversal attacks. Restrict access to the `/mogu-picture/file/uploadPicsByUrl` endpoint to minimize the risk of exploitation. Avoid using the `urlList` argument in the affected endpoint until the issue is resolved.