Caigo

**Name of the Vulnerable Software and Affected Versions** kefaming mayi versions 1.3.9 and earlier **Description** A critical vulnerability has been found in kefaming mayi, affecting the function Upload of the file app/tools/controller/File.php. The manipulation of the argument `File` leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For versions 1.3.9 and earlier, consider disabling the Upload function in the file app/tools/controller/File.php until a patch is available. Restrict access to the `File` argument to minimize the risk of exploitation. Avoid using the `File` argument in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** withstars Books-Management-System version 1.0 **Description** A vulnerability was found in the system, affecting an unknown functionality of the file /reader delete.html. This issue leads to cross-site request forgery and can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** For withstars Books-Management-System version 1.0, as a temporary workaround, consider restricting access to the /reader delete.html file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** withstars Books-Management-System version 1.0 **Description** A vulnerability was found in the withstars Books-Management-System. It has been classified as problematic and affects an unknown function of the file /book edit do.html of the component Book Edit Page. The manipulation of the `Name` argument leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer. **Recommendations** As a temporary workaround, consider disabling the unknown function of the file /book edit do.html until a patch is available. Restrict access to the Book Edit Page to minimize the risk of exploitation. Avoid using the `Name` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** panhainan DS-Java version 1.0 **Description** A vulnerability has been found, classified as problematic, affecting an unknown function in the software. This issue leads to cross-site request forgery and can be exploited remotely. The exploit has been publicly disclosed. **Recommendations** For panhainan DS-Java version 1.0, consider implementing additional security measures to prevent cross-site request forgery attacks, such as validating user requests and ensuring proper session management, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** panhainan DS-Java version 1.0 **Description** A critical issue affects the function `uploadUserPic.action` of the file `src/com/phn/action/FileUpload.java`. The manipulation of the argument `fileUpload` leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For panhainan DS-Java version 1.0, consider disabling the `uploadUserPic.action` function until a patch is available. Restrict access to the `FileUpload.java` file to minimize the risk of exploitation. Avoid using the `fileUpload` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KuangSimpleBBS version 1.0 **Description** A critical vulnerability has been found in KuangSimpleBBS, affecting the `fileUpload` function in the `QuestionController.java` file. The manipulation of the `editormd-image-file` argument leads to unrestricted file upload. This issue can be exploited remotely. The exploit has been publicly disclosed and may be used. **Recommendations** For KuangSimpleBBS version 1.0, as a temporary workaround, consider disabling the `fileUpload` function until a patch is available. Restrict access to the `QuestionController.java` file to minimize the risk of exploitation. Avoid using the `editormd-image-file` argument in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** zhenfeng13 My-BBS version 1.0 **Description** A critical vulnerability was found in the Upload function of the file src/main/java/com/my/bbs/controller/common/UploadController.java, affecting the Endpoint component. This leads to unrestricted upload and can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For zhenfeng13 My-BBS version 1.0, as a temporary workaround, consider disabling the Upload function in the src/main/java/com/my/bbs/controller/common/UploadController.java file until a patch is available. Restrict access to the vulnerable Endpoint component to minimize the risk of exploitation. Avoid using the Upload function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zhenfeng13 My-BBS version 1.0 **Description** A vulnerability has been found in the software, classified as problematic, affecting unknown code and leading to cross-site request forgery. The attack can be initiated remotely, and the exploit has been disclosed to the public. Multiple endpoints might be affected. **Recommendations** For zhenfeng13 My-BBS version 1.0, consider restricting access to sensitive endpoints to minimize the risk of exploitation. As a temporary workaround, avoid using endpoints that may be vulnerable to cross-site request forgery until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** baseweb JSite version 1.0 **Description** A critical issue has been discovered, affecting the Apache Druid Monitoring Console, specifically the /druid/index.html file. This leads to improper access controls, allowing for remote attacks. The exploit details have been publicly disclosed. **Recommendations** For baseweb JSite version 1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: veal98 小牛肉 Echo 开源社区系统 version 4.2 Description: A critical issue has been found in the function `uploadMdPic` of the file `/discuss/uploadMdPic`. The manipulation of the argument `editormd-image-file` leads to unrestricted upload. The attack may be initiated remotely. Recommendations: For version 4.2, as a temporary workaround, consider disabling the `uploadMdPic` function until a patch is available. Restrict access to the `/discuss/uploadMdPic` endpoint to minimize the risk of exploitation. Avoid using the `editormd-image-file` argument in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: veal98 小牛肉 Echo 开源社区系统 version 4.2 Description: A vulnerability was found in the function `preHandle` of the file `src/main/java/com/greate/community/controller/interceptor/LoginTicketInterceptor.java` of the component Ticket Handler. The manipulation leads to improper authorization. It is possible to launch the attack remotely. Recommendations: For version 4.2, consider disabling the `preHandle` function of the `LoginTicketInterceptor` until a patch is available. Restrict access to the `LoginTicketInterceptor` component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A problematic issue was found in xujiangfei admintwo, affecting an unknown part of the file /user/updateSet. The manipulation of the `motto` argument leads to cross-site scripting. It is possible to initiate the attack remotely. **Recommendations** For xujiangfei admintwo version 1.0, as a temporary workaround, consider restricting access to the `/user/updateSet` endpoint or avoiding the use of the `motto` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A vulnerability has been found in xujiangfei admintwo, classified as problematic. This issue affects the file /resource/add and is related to the manipulation of the `Name` argument, leading to cross-site scripting. The attack can be initiated remotely. **Recommendations** For xujiangfei admintwo version 1.0, consider restricting access to the `/resource/add` endpoint until a fix is available, and avoid using the `Name` parameter in this context to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A vulnerability was found in the processing of the file /ztree/insertTree, where the manipulation of the `Name` argument leads to cross-site scripting. The attack may be initiated remotely. **Recommendations** For xujiangfei admintwo version 1.0, consider restricting access to the /ztree/insertTree endpoint until a fix is available. As a temporary workaround, avoid using the `Name` argument in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A critical issue has been found, allowing for server-side request forgery. This is achieved through the manipulation of the `description` argument in an unknown function of the file /resource/add, which can be launched remotely. **Recommendations** For xujiangfei admintwo version 1.0, as a temporary workaround, consider restricting access to the /resource/add file until a patch is available. Avoid using the `description` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A vulnerability was found in an unknown functionality of the file /user/home, where the manipulation of the `ID` argument leads to improper access controls. The attack can be launched remotely. **Recommendations** For xujiangfei admintwo version 1.0, as a temporary workaround, consider restricting access to the `/user/home` file until a patch is available. Avoid using the `ID` argument in affected functionalities to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A critical issue affects some unknown functionality of the file /user/updateSet, where the manipulation of the `email` argument leads to improper access controls. This issue can be exploited remotely. **Recommendations** For xujiangfei admintwo version 1.0, as a temporary workaround, consider restricting access to the /user/updateSet file until a patch is available. Avoid using the `email` argument in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** xujiangfei admintwo version 1.0 **Description** A problematic issue has been found in xujiangfei admintwo, affecting an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. **Recommendations** For xujiangfei admintwo version 1.0, consider restricting access to the /user/updateSet file to minimize the risk of exploitation. As a temporary workaround, avoid using the `updateSet` functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WCMS version 11 **Description** A problematic issue has been found in the Registration component, specifically affecting the /index.php?anonymous/setregister file. The manipulation of the `Username` argument leads to cross-site scripting. This issue can be initiated remotely. **Recommendations** For WCMS version 11, consider disabling the Registration component or restricting access to the /index.php?anonymous/setregister file until a fix is available. Avoid using the `Username` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WCMS version 11 **Description** A critical issue affects some unknown functionality of the file "/index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1" of the component Article Publishing Page. The manipulation of the `Upload` argument leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For version 11, as a temporary workaround, consider disabling the upload functionality in the Article Publishing Page until a patch is available. Restrict access to the "/index.php?articleadmin/upload/" endpoint to minimize the risk of exploitation. Avoid using the `Upload` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.