Dycc

**Name of the Vulnerable Software and Affected Versions** Fujifilm Apeos C3070, Apeos C5570, and Apeos C6580 versions up to 24.8.28 **Description** A critical issue has been reported, affecting the Web Interface component of the Fujifilm Apeos devices. The issue is related to improper authorization and can be initiated remotely. It affects unknown code of the file /home/index.html#hashHome. The exploit has been disclosed to the public and may be used. However, the real existence of this issue is still doubted, and the vendor explains that the reported behaviors are intended or not reproduced. **Recommendations** For Fujifilm Apeos C3070, Apeos C5570, and Apeos C6580 versions up to 24.8.28, consider restricting access to the Web Interface component until further clarification or a fix is provided by the vendor. As a temporary workaround, consider disabling remote access to the /home/index.html#hashHome file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Guizhou Xiaoma Technology jpress version 5.1.2 **Description** A problem was found in the Attachment Upload Handler's function `AttachmentUtils.isUnSafe` of the file `/commons/attachment/upload`. The manipulation of the argument `files[]` leads to cross site scripting. It is possible to launch the attack remotely. **Recommendations** For version 5.1.2, consider disabling the `AttachmentUtils.isUnSafe` function until a patch is available. Restrict access to the `/commons/attachment/upload` file to minimize the risk of exploitation. Avoid using the `files[]` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Guangzhou Huayi Intelligent Technology Jeewms version 1.0.0 **Description** A critical issue affects the Druid Monitoring Interface component, specifically the file /jeewms war/webpage/system/druid/index.html, leading to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly, and the vendor was contacted but did not respond. **Recommendations** For version 1.0.0, as a temporary workaround, consider restricting access to the Druid Monitoring Interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Guangzhou Huayi Intelligent Technology Jeewms version 3.7 **Description** A problematic issue affects the function `preHandle` of the file `src/main/java/com/zzjee/wm/controller/WmOmNoticeHController.java`. The manipulation of the argument request leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Guangzhou Huayi Intelligent Technology Jeewms version 3.7, as a temporary workaround, consider disabling the `preHandle` function until a patch is available. Restrict access to the `WmOmNoticeHController.java` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jpress version 5.1.2 **Description** A problematic issue was found in the Avatar Handler component, affecting an unknown functionality of the file /commons/attachment/upload. The manipulation of the `files` argument leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For version 5.1.2, as a temporary workaround, consider disabling the Avatar Handler component until a patch is available. Restrict access to the /commons/attachment/upload file to minimize the risk of exploitation. Avoid using the `files` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.