Electron1C

**Name of the Vulnerable Software and Affected Versions** DouPHP versions prior to 1.8 Release 20251022 **Description** A flaw exists in DouPHP that allows for unrestricted file uploads. This issue is related to the file upload component and specifically affects the `file.class.php` file. The `File` argument can be manipulated to achieve this. Remote exploitation is possible, and the exploit details have been publicly disclosed. **Recommendations** Update DouPHP to version 1.8 Release 20251022 or later. As a temporary workaround, restrict access to the file upload functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** YiFang CMS versions up to 2.0.2 **Description** A flaw exists in YiFang CMS that allows for unrestricted file uploads. This is due to manipulation of the `uploadpath` argument within the `webUploader` function located in the `app/app/controller/File.php` file of the Backend component. The attack can be launched remotely. The exploit has been published. **Recommendations** Update to a version later than 2.0.2.

**Name of the Vulnerable Software and Affected Versions** mirweiye wenkucms versions up to 3.4 **Description** A flaw exists that allows for remote operating system command injection. This occurs due to manipulation of the `createPathOne` function within the `app/common/common.php` file. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** enilu web-flash version 1.0 **Description** A problematic vulnerability has been found in the File Upload component of enilu web-flash. This issue affects the `fileService.upload` function, allowing for cross-site scripting through the manipulation of the `File` argument. The attack can be initiated remotely. **Recommendations** For enilu web-flash version 1.0, as a temporary workaround, consider disabling the `fileService.upload` function until a patch is available. Restrict access to the File Upload component to minimize the risk of exploitation. Avoid using the `File` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XiaoBingby TeaCMS version 2.0.2 **Description** A problematic issue was found in an unknown functionality of the file src/main/java/me/teacms/controller/admin/UserManageController/addUser, leading to cross-site request forgery. The attack can be launched remotely. **Recommendations** For version 2.0.2, consider restricting access to the `addUser` functionality in the `UserManageController` until a patch is available. As a temporary workaround, avoid using the vulnerable functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.