Gsbp

**Name of the Vulnerable Software and Affected Versions** xxyopen novel plus versions prior to 4.4.0 **Description** The issue allows a remote attacker to execute arbitrary code via the PageController.java file. **Recommendations** For versions prior to 4.4.0, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the PageController.java file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** xxyopen Novel versions up to 3.4.1 **Description** A critical issue has been found in the software, affecting some unknown functionality of the file "/api/front/search/books". The manipulation of the `sort` argument leads to SQL injection. The attack can be launched remotely. Other parameters might also be affected. **Recommendations** For versions up to 3.4.1, as a temporary workaround, consider restricting access to the "/api/front/search/books" endpoint until a patch is available. Avoid using the `sort` argument in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** y project RuoYi versions up to 4.8.0 **Description** A critical issue has been found in the Whitelist component, specifically affecting the `getBeanName` function. This issue leads to deserialization and can be initiated remotely. The exploit has been publicly disclosed, and the vendor was contacted but did not respond. **Recommendations** y project RuoYi versions up to 4.8.0: Update the Whitelist component to prevent deserialization attacks by fixing the `getBeanName` function.