Cleverstupiddog

**Name of the Vulnerable Software and Affected Versions** CleverStupidDog yf-exam version 1.8.0 **Description** The issue concerns a lack of restriction on the suffix of uploaded files, allowing any file to be uploaded. **Recommendations** For version 1.8.0, restrict access to the file upload feature until a proper fix is implemented to validate and restrict file types based on their suffix. As a temporary workaround, consider implementing server-side checks to only allow specific, safe file extensions to be uploaded.

**Name of the Vulnerable Software and Affected Versions** CleverStupidDog yf-exam version 1.8.0 **Description** The issue concerns an authentication bypass. It is caused by the program using a fixed JWT key, and the stored key utilizes username format characters. This allows any user who logged in within 24 hours to have a token forged with their username, thereby bypassing authentication. **Recommendations** For CleverStupidDog yf-exam version 1.8.0, consider regenerating the JWT key with a secure, non-fixed value to prevent token forgery. Additionally, restrict the use of username format characters in stored keys to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CleverStupidDog yf-exam version 1.8.0 **Description** The issue is related to Deserialization, which can lead to remote code execution (RCE). **Recommendations** For version 1.8.0, consider disabling deserialization functionality until a patch is available. Restrict access to potentially vulnerable endpoints to minimize the risk of exploitation. Avoid using potentially vulnerable parameters in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CleverStupidDog yf-exam version 1.8.0 **Description** The issue is related to SQL Injection. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For CleverStupidDog yf-exam version 1.8.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.