Caichaoxiong

**Name of the Vulnerable Software and Affected Versions** Kingdee Cloud-Starry-Sky Enterprise Edition versions prior to 8.3 **Description** A security issue exists in Kingdee Cloud-Starry-Sky Enterprise Edition. The `BaseServiceFactory.getFileUploadService.deleteFileAction` function within the `K3CloudBBCMallSiteWEB-INFlibKingdee.K3.O2O.Base.WebApp.jar!kingdeek3o2obasewebappactionFileUploadAction.class` file of the `IIS-K3CloudMiniApp` component is affected. Manipulation of the `filePath` argument can lead to a path traversal condition. This issue can be exploited remotely. The exploit has been publicly disclosed and may be used. **Recommendations** Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable `CMKAppWebHandler.ashx` interface; ii) Removing the file reading function. As a short-term measure, temporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control.

Name of the Vulnerable Software and Affected Versions: Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x through 9.0 Description: A critical issue has been found, affecting the function `plugin.buildMobilePopHtml` of the file k3o2oboswebappactionDynamicForm 4 Action.class of the component Freemarker Engine. This issue leads to improper neutralization of special elements used in a template engine, allowing for remote attacks. The exploit has been disclosed publicly. Recommendations: For Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x through 9.0, it is recommended to upgrade the affected component, as the fixed release sets Freemarker to 'ALLOWS NOTHING RESOLVER' to prevent parsing any classes.

**Name of the Vulnerable Software and Affected Versions** llisoft MTA Maita Training System version 4.5 **Description** A critical issue has been found in the `this.fileService.download` function of the file `comllisoftcontrollerOpenController.java`. The manipulation of the `url` argument leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** For llisoft MTA Maita Training System version 4.5, consider disabling the `this.fileService.download` function until a patch is available to prevent unrestricted upload. Restrict access to the `comllisoftcontrollerOpenController.java` file to minimize the risk of exploitation. Avoid using the `url` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** llisoft MTA Maita Training System version 4.5 **Description** A critical vulnerability was found in the llisoft MTA Maita Training System, affecting the `AdminShitiListRequestVo` function of the file `comllisoftcontrolleradminshitiAdminShitiController.java`. The manipulation of the `stTypeIds` argument leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** As a temporary workaround, consider disabling the `AdminShitiListRequestVo` function until a patch is available. Restrict access to the `AdminShitiController.java` file to minimize the risk of exploitation. Avoid using the `stTypeIds` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Seeyon Zhiyuan OA Web Application System versions up to 8.1 SP2 **Description** A critical vulnerability has been found in the Seeyon Zhiyuan OA Web Application System. This issue affects the `this.oursNetService.getData` function of the `ThirdMenuController.class` file. The manipulation of the `url` argument leads to server-side request forgery, allowing for remote attacks. The exploit has been publicly disclosed. **Recommendations** For Seeyon Zhiyuan OA Web Application System versions up to 8.1 SP2, as a temporary workaround, consider disabling the `this.oursNetService.getData` function until a patch is available. Restrict access to the `ThirdMenuController.class` file to minimize the risk of exploitation. Avoid using the `url` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kingdee Cloud Galaxy Private Cloud BBC System versions up to 9.0 Patch April 2025 **Description** A critical issue has been found, affecting the `BaseServiceFactory.getFileUploadService.deleteFileAction` function of the `fileUpload/deleteFileAction.jhtml` file in the File Handler component. The manipulation of the `filePath` argument leads to path traversal. This issue can be exploited remotely. **Recommendations** Apply a patch to fix this issue for Kingdee Cloud Galaxy Private Cloud BBC System versions up to 9.0 Patch April 2025. As a temporary workaround, consider restricting access to the `fileUpload/deleteFileAction.jhtml` file or the `BaseServiceFactory.getFileUploadService.deleteFileAction` function to minimize the risk of exploitation. Avoid using the `filePath` argument in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Seeyon Zhiyuan OA Web Application System version 8.1 SP2 **Description** A critical issue affects the function `postData` of the file `ROOTWEB-INFclassescomourswwwehrsalaryservicedataEhrSalaryPayrollServiceImpl.class` of the component Beetl Template Handler. The manipulation of the argument `payrollId` leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider disabling the `postData` function of the `EhrSalaryPayrollServiceImpl.class` file until a patch is available. Restrict access to the Beetl Template Handler component to minimize the risk of exploitation. Avoid using the argument `payrollId` in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Seeyon Zhiyuan OA Web Application System version 8.1 SP2 **Description** A vulnerability was found in the Seeyon Zhiyuan OA Web Application System. It affects the `Download` function of the `M3CoreController` class in the `seeyon-apps-m3.jar` file. The manipulation of the `Name` argument leads to path traversal. This issue can be exploited remotely. **Recommendations** For Seeyon Zhiyuan OA Web Application System version 8.1 SP2, as a temporary workaround, consider restricting access to the `Download` function of the `M3CoreController` class until a patch is available. Avoid using the `Name` argument in the affected ZIP File Handler to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Seeyon Zhiyuan OA Web Application System version 8.1 SP2 **Description** A problem was found in Seeyon Zhiyuan OA Web Application System. The issue affects an unknown function of the file seeyonoptSeeyonA8ApacheJetspeedwebappsseeyonssoproxyjspssoproxy.jsp. The manipulation of the `Name` argument leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider restricting access to the `ssoproxy.jsp` file until a patch is available. Avoid using the `Name` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Seeyon Zhiyuan OA Web Application System version 8.1 SP2 **Description** A problematic issue has been found in the Seeyon Zhiyuan OA Web Application System, affecting some unknown processing of the file `seeyonoptSeeyonA8ApacheJetspeedwebappsseeyoncommonjsaddDatedate.jsp` of the component URL Parameter Handler. This manipulation leads to cross-site scripting. The attack may be initiated remotely. **Recommendations** For Seeyon Zhiyuan OA Web Application System version 8.1 SP2, consider disabling the URL Parameter Handler component until a patch is available to prevent cross-site scripting attacks. Restrict access to the `date.jsp` file in the `addDate` directory to minimize the risk of exploitation. Avoid using the vulnerable URL Parameter Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apereo CAS version 5.2.6 **Description** A critical issue was found, affecting the `saveService` function of the `RegisteredServiceSimpleFormController.java` file in the Groovy Code Handler component. This issue leads to code injection and can be exploited remotely, although the complexity of the attack is considered high and the exploitation is known to be difficult. The exploit has been publicly disclosed. **Recommendations** For Apereo CAS version 5.2.6, as a temporary workaround, consider disabling the `saveService` function until a patch is available. Restrict access to the Groovy Code Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apereo CAS version 5.2.6 **Description** A vulnerability was found in the software, affecting the CasConfigurationMetadataServerController.java file. The manipulation of the `Name` argument leads to inefficient regular expression complexity, allowing for a remote attack. The exploit has been publicly disclosed. **Recommendations** For Apereo CAS version 5.2.6, as a temporary workaround, consider restricting access to the vulnerable `CasConfigurationMetadataServerController.java` file until a patch is available. Avoid using the `Name` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apereo CAS version 5.2.6 **Description** A vulnerability was found in Apereo CAS, affecting the function `ResponseEntity` of the file `ManageRegisteredServicesMultiActionController.java`. The manipulation of the argument `Query` leads to inefficient regular expression complexity, allowing for a remote attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** As a temporary workaround, consider restricting access to the `ResponseEntity` function in the `ManageRegisteredServicesMultiActionController.java` file until a patch is available. Avoid using the `Query` argument in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.