Cyber-Word

Name of the Vulnerable Software and Affected Versions: ThinkPHP5 versions 5.0.x through 5.1.22 Description: A SQL Injection issue exists via the `parseOrder` function in `Builder.php`. Recommendations: For versions 5.0.x through 5.1.22, consider updating to a version that contains a fix for this issue, as using the `parseOrder` function in `Builder.php` may pose a risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Catfish versions prior to 6.1.* Description: A Cross Site Request Forgery (CSRF) issue exists when uploading an HTML file containing CSRF on a website that uses a Google editor. This allows specifying a malicious URL address in the Add Menu column. Recommendations: For versions prior to 6.1.*, consider disabling the upload feature for HTML files until a patch is available. Restrict access to the Add Menu column to minimize the risk of exploitation. Avoid using the feature to add menu URLs from untrusted sources until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Catfish versions prior to 6.3.1 Description: A Cross Site Scripting (XSS) issue exists, allowing potential exploitation via a Google search in the "url:/catfishcms/index.php/admin/Index/addmenu.html" endpoint. This issue can be triggered on the .html file on the website that uses this editor, as the file suffix is allowed. Recommendations: For versions prior to 6.3.1, update to version 6.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** KindEditor versions 4.1.x **Description** A Cross Site Scripting (XSS) issue exists in the software, allowing exploitation via a specific Google search and subsequent access to an .html file on a website using the editor, where the file suffix is permitted. **Recommendations** For KindEditor version 4.1.x, consider disabling the editor's upload functionality or restricting access to the uploadbutton.html file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** KindEditor version 4.1.x **Description** A Cross Site Request Forgery (CSRF) issue exists, allowing attackers to trick users into clicking malicious links by uploading an HTML file containing CSRF code on a website using the editor. This can be done by first uploading the malicious file, then using the authority of the website to deceive users into clicking the link. The estimated number of potentially affected devices worldwide is not specified. **Recommendations** For KindEditor version 4.1.x, as a temporary workaround, consider restricting access to the `examples/uploadbutton.html` endpoint until a patch is available. Avoid using the editor to upload HTML files containing potentially malicious code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.