Guiqizsq

**Name of the Vulnerable Software and Affected Versions** Chengdu Flash Flood Disaster Monitoring and Warning System version 2.0 **Description** A vulnerability was found in the Chengdu Flash Flood Disaster Monitoring and Warning System. It affects some unknown functionality of the file /Controller/Ajaxfileupload.ashx. The manipulation of the `file` argument leads to unrestricted upload. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Chengdu Flash Flood Disaster Monitoring and Warning System version 2.0, as a temporary workaround, consider disabling the /Controller/Ajaxfileupload.ashx file until a patch is available. Restrict access to this file to minimize the risk of exploitation. Avoid using the `file` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chengdu Flash Flood Disaster Monitoring and Warning System version 2.0 **Description** A problematic vulnerability has been found in the Chengdu Flash Flood Disaster Monitoring and Warning System. This issue affects an unknown part of the file /Service/ImageStationDataService.asmx of the component File Name Handler, leading to insufficiently random values. The complexity of an attack is rather high, and the exploitability is difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xiamen Four Letter Video Surveillance Management System versions up to 20230712 **Description** A critical issue has been found in the library UserInfoAction.class of the component Login, affecting some unknown processing. This leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Xiamen Four Letter Video Surveillance Management System versions up to 20230712, consider disabling the Login component or restricting access to the UserInfoAction.class library until a patch is available. As a temporary workaround, restrict the use of the Login functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBOS OA version 4.5.5 **Description** A critical issue affects the processing of the file `?r=article/category/del` in the Delete Category Handler component, leading to sql injection. The attack can be initiated remotely. The issue has been publicly disclosed. **Recommendations** For IBOS OA version 4.5.5, as a temporary workaround, consider restricting access to the `?r=article/category/del` file until a patch is available. Avoid using the Delete Category Handler component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.