Gaogaostone

**Name of the Vulnerable Software and Affected Versions** didi Super-Jacoco version 1.0 **Description** A critical issue has been found in the software, affecting an unknown functionality of the file /cov/triggerUnitCover. The manipulation of the `uuid` argument leads to os command injection. This issue can be exploited remotely, potentially allowing system takeover. The exploit has been disclosed publicly. **Recommendations** For didi Super-Jacoco version 1.0, patch immediately to prevent os command injection via the `uuid` parameter in the /cov/triggerUnitCover file. As a temporary workaround, consider restricting access to the /cov/triggerUnitCover file until a patch is available. Verify that there has been no unauthorized access to the system.

**Name of the Vulnerable Software and Affected Versions** knightliao Disconf version 2.6.36 **Description** A critical issue has been found, affecting an unknown part of the file `/api/config/list` of the component Configuration Center. This leads to improper authentication and can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For version 2.6.36, consider disabling access to the `/api/config/list` endpoint until a patch is available. Restrict access to the Configuration Center component to minimize the risk of exploitation. Avoid using this version until a fixed version is released. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** didi Super-Jacoco version 1.0 **Description** A critical issue has been identified, affecting unknown code in the file /cov/triggerEnvCov. The manipulation of the `uuid` argument leads to command injection. This issue can be exploited remotely. **Recommendations** For didi Super-Jacoco version 1.0, as a temporary workaround, consider restricting access to the /cov/triggerEnvCov file to minimize the risk of exploitation. Avoid using the `uuid` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** didi DDMQ version 1.0 **Description** A critical vulnerability has been found in the Console Module component of didi DDMQ, affecting an unknown functionality. The manipulation of the input `/;login` leads to improper authentication. This issue can be exploited remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jsbroks COCO Annotator version 0.11.1 **Description** A problematic vulnerability was found in the Session Handler component of jsbroks COCO Annotator. The manipulation of the `SECRET KEY` argument leads to a predictable state from an observable state. This issue can be exploited remotely, with a rather high complexity of attack and difficult exploitability. The exploit has been disclosed to the public and may be used. **Recommendations** For jsbroks COCO Annotator version 0.11.1, as a temporary workaround, consider restricting access to the Session Handler component until a patch is available. Avoid using the `SECRET KEY` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** didi KnowSearch versions 0.3.1.2 through 0.3.2 **Description** A vulnerability was found in didi KnowSearch, affecting some unknown processing of the file "/api/es/admin/v3/security/user/1". This issue leads to unprotected storage of credentials. The attack may be initiated remotely. **Recommendations** For didi KnowSearch versions 0.3.1.2 through 0.3.2, consider restricting access to the "/api/es/admin/v3/security/user/1" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using sensitive credentials with the affected system until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KnowStreaming version 3.3.0 **Description** The issue allows unauthorized users to create a new user with an admin role, leading to Escalation of Privileges. **Recommendations** For KnowStreaming version 3.3.0, update to a version that fixes the Escalation of Privileges issue. As a temporary workaround, consider restricting the ability to create new users with admin roles until a patch is available.