Coinismoney

**Name of the Vulnerable Software and Affected Versions** Weaver E-cology versions 9.x **Description** The issue allows attackers to construct special requests to insert remote malicious code and trigger malicious code execution, potentially gaining control of server privileges. It is related to a SQL injection vulnerability. **Recommendations** For versions 9.x, update to a version that includes a fix for the SQL injection vulnerability to prevent malicious code execution and potential privilege escalation.

**Name of the Vulnerable Software and Affected Versions** Weaver Ecology versions 9.* **Description** The issue allows attackers to execute a directory traversal, enabling them to arbitrarily delete files. This can cause the server to permanently deny service. The vulnerability can be exploited through the `/importmould/deletefolder` component. **Recommendations** For Weaver Ecology versions 9.*, consider restricting access to the `/importmould/deletefolder` component until a patch is available. As a temporary workaround, limit the ability of authenticated attackers to execute directory traversal and file deletion operations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Landray EKP versions up to 16.0 **Description** A critical issue was found in the function `delPreviewFile` of the file "/sys/ui/sys ui component/sysUiComponent.do?method=delPreviewFile". The manipulation of the `directoryPath` argument leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Landray EKP versions up to 16.0, as a temporary workaround, consider disabling the `delPreviewFile` function until a patch is available. Restrict access to the "/sys/ui/sys ui component/sysUiComponent.do?method=delPreviewFile" endpoint to minimize the risk of exploitation. Avoid using the `directoryPath` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Landray EKP versions up to 16.0 **Description** A critical vulnerability has been found in Landray EKP, affecting the `deleteFile` function of the file `/sys/common/import.do?method=deleteFile` in the API Interface component. The manipulation of the `folder` argument leads to path traversal. This issue can be initiated remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** For Landray EKP versions up to 16.0, update to the latest patch immediately to mitigate risks. As a temporary workaround, consider restricting access to the `/sys/common/import.do?method=deleteFile` endpoint until a patch is available. Avoid using the `folder` argument in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Landray EKP versions prior to v17 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload. This enables the execution of malicious code on the client-side, potentially leading to unauthorized actions or data theft. **Recommendations** For versions prior to v17, update to version v17 or later to resolve the issue. As a temporary workaround, consider restricting user input to prevent the execution of malicious scripts until a patch is available.