Hadagaga

**Name of the Vulnerable Software and Affected Versions** cjbi wetech-cms versions 1.0 through 1.2 **Description** A critical issue affects the `searchTopicByKeyword` function of the file `wetech-cms-masterwetech-coresrcmainjavatechwetechcmsdaoTopicDao.java`. The manipulation of the `keyword` argument leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For versions 1.0 through 1.2, as a temporary workaround, consider disabling the `searchTopicByKeyword` function until a patch is available. Restrict access to the `TopicDao.java` file to minimize the risk of exploitation. Avoid using the `keyword` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cjbi wetech-cms versions 1.0 through 1.2 **Description** A critical issue has been found, affecting the `searchTopic` function in the `TopicDao.java` file. The manipulation of the `con` argument leads to SQL injection, allowing for remote attacks. The exploit has been publicly disclosed, and the vendor was contacted prior to disclosure but did not respond. **Recommendations** For versions 1.0 through 1.2, as a temporary workaround, consider disabling the `searchTopic` function until a patch is available. Restrict access to the `TopicDao.java` file to minimize the risk of exploitation. Avoid using the `con` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cjbi wetech-cms versions 1.0 through 1.2 **Description** A critical issue has been found, affecting the `findUser` function in the `UserDao.java` file. The manipulation of the `searchValue`, `gId`, or `rId` arguments leads to SQL injection. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor was contacted prior to disclosure but did not respond. **Recommendations** For versions 1.0 through 1.2, as a temporary workaround, consider disabling the `findUser` function until a patch is available. Restrict access to the `UserDao.java` file to minimize the risk of exploitation. Avoid using the `searchValue`, `gId`, or `rId` arguments in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** cjbi wetech-cms versions 1.0 through 1.2 **Description** A problem was found in the backup function of the Database Backup Handler component, specifically in the file `BackupFileUtil.java`. This issue allows for path traversal, such as '../filedir', due to the manipulation of the argument name. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For versions 1.0 through 1.2, as a temporary workaround, consider disabling the backup function in the Database Backup Handler component until a patch is available. Restrict access to the `BackupFileUtil.java` file to minimize the risk of exploitation. Avoid using the vulnerable backup function in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JFinalCMS version 1.0 **Description** A critical vulnerability has been found in the function `findPage` of the file `srcmainjavacomcmsentityContentModel.java` of the component File Content Handler. The manipulation of the argument `name` leads to SQL injection. It is possible to initiate the attack remotely. **Recommendations** For JFinalCMS version 1.0, as a temporary workaround, consider disabling the `findPage` function until a patch is available. Restrict access to the File Content Handler component to minimize the risk of exploitation. Avoid using the `name` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JFinalCMS version 1.0 **Description** The issue is related to incorrect code generation management in the Template Handler component of the JFinalCMS system. Exploitation of this issue may allow a remote attacker to execute arbitrary code. The vulnerability affects the update function of the Template Handler component, specifically the manipulation of the `content` argument, leading to command injection. The attack can be launched remotely. **Recommendations** For JFinalCMS version 1.0, as a temporary workaround, consider disabling the update function of the Template Handler component until a patch is available. Restrict access to the Template Handler component to minimize the risk of exploitation. Avoid using the `content` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JFinalCMS version 1.0 **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability in the /admin/tag/save file of the JFinalCMS system. This vulnerability can be exploited remotely, allowing an attacker to perform a CSRF attack. The exploit has been disclosed to the public and may be used. **Recommendations** For JFinalCMS version 1.0, as a temporary workaround, consider disabling access to the /admin/tag/save file until a patch is available. Restrict access to the administrative panel to minimize the risk of exploitation. Avoid using the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.