Enenen

**Name of the Vulnerable Software and Affected Versions** IdeaCMS versions up to 1.6 **Description** A critical vulnerability was found in IdeaCMS, affecting the `saveUpload` function. This vulnerability allows for unrestricted upload and can be exploited remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For IdeaCMS versions up to 1.6, consider disabling the `saveUpload` function as a temporary workaround until a patch is available. Restrict access to the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sayski ForestBlog up to 20250321 **Description** A vulnerability was found in the component Friend Link Handler of Sayski ForestBlog, which can lead to cross-site scripting. The manipulation can be done remotely. **Recommendations** For Sayski ForestBlog up to 20250321, consider restricting access to the Friend Link Handler component until a fix is available. As a temporary workaround, avoid using the unknown functionality of the Friend Link Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sayski ForestBlog versions up to 20250321 **Description** A vulnerability has been found in Sayski ForestBlog, affecting an unknown functionality of the file /search. The manipulation of the `keywords` argument leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Sayski ForestBlog versions up to 20250321, as a temporary workaround, consider disabling the functionality related to the /search file until a patch is available. Restrict access to the /search file to minimize the risk of exploitation. Avoid using the `keywords` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mingyuefusu tushuguanlixitong versions up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 **Description** A critical vulnerability has been found in the mingyuefusu tushuguanlixitong system, affecting the `getBookList` function of the file `/admin/bookList?page=1&limit=10`. The manipulation of the `condition` argument leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider disabling the `getBookList` function until a patch is available. Restrict access to the `/admin/bookList` API endpoint to minimize the risk of exploitation. Avoid using the `condition` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mingyuefusu 图书管理系统 up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 **Description** The issue affects some unknown processing, leading to cross-site request forgery. The attack may be initiated remotely. **Recommendations** For versions up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694, consider implementing additional security measures to prevent cross-site request forgery attacks, such as validating user requests and ensuring proper session management. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mingyuefusu tushuguanlixitong versions up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 **Description** A critical vulnerability has been found in the mingyuefusu tushuguanlixitong system, affecting the function `doFilter` of the file `/admin/` in the Backend component. The manipulation of the `Request` argument leads to improper access controls, allowing for remote attacks. The exploit has been disclosed to the public and may be used. **Recommendations** As a temporary workaround, consider disabling the `doFilter` function in the `/admin/` file of the Backend component until a patch is available. Restrict access to the `/admin/` file to minimize the risk of exploitation. Avoid using the `Request` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yangyouwang 杨有旺 crud 简约后台管理系统 version 1.0.0 **Description** A vulnerability has been found in the Role Management Page component of the affected software, leading to cross-site scripting. The manipulation can be launched remotely, and the exploit has been disclosed to the public. **Recommendations** For version 1.0.0, consider disabling the Role Management Page component until a patch is available. Restrict access to this component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 猫宁i Morning up to bc782730c74ff080494f145cc363a0b4f43f7d3e **Description** A vulnerability was found in 猫宁i Morning, affecting an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LinZhaoguan pb-cms version 2.0 **Description** A vulnerability has been found in the Logout component, which can lead to cross-site request forgery. The attack can be initiated remotely. **Recommendations** For version 2.0, update to a version that fixes the cross-site request forgery issue in the Logout component, or consider disabling the Logout functionality until a patch is available.