Haoran Zhao

**Name of the Vulnerable Software and Affected Versions** Erick xmall versions 1.1 and earlier **Description** An issue in Erick xmall allows a remote attacker to escalate privileges via the `updateAddress` method of the `Address Controller` class. **Recommendations** For Erick xmall versions 1.1 and earlier, consider disabling the `updateAddress` method of the `Address Controller` class as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the `postID` parameter in the `edit` method. **Recommendations** For RUoYi version 4.8.0, avoid using the `postID` parameter in the affected edit method until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the `jobId` parameter. **Recommendations** For RUoYi version 4.8.0, avoid using the `jobId` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the `editSave` method, which does not properly validate whether the requesting user has administrative privileges before allowing modifications to system configuration settings. **Recommendations** For RUoYi version 4.8.0, as a temporary workaround, consider disabling the `editSave` method until a patch is available. Restrict access to system configuration settings to minimize the risk of exploitation. Avoid using the `editSave` method for modifications to system configuration settings until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the `changeStatus` method. **Recommendations** For RUoYi version 4.8.0, consider disabling the `changeStatus` method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the `jobLogId` parameter. **Recommendations** For RUoYi version 4.8.0, avoid using the `jobLogId` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges. This is achieved via the `selectDeptTree` method of the "/selectDeptTree/{deptId}" endpoint, which does not properly validate the `deptId` parameter. **Recommendations** For RUoYi version 4.8.0, as a temporary workaround, consider restricting access to the `/selectDeptTree/{deptId}` endpoint until a patch is available. Additionally, avoid using the `deptId` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the `editSave` method in the "/tool/gen/editSave" API endpoint. **Recommendations** For RUoYi version 4.8.0, as a temporary workaround, consider disabling the `editSave` method in the "/tool/gen/editSave" API endpoint until a patch is available. Restrict access to the "/tool/gen/editSave" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the "API Endpoint: /editSave" method in `SysNoticeController`. **Recommendations** For RUoYi version 4.8.0, consider disabling the `/editSave` method in `SysNoticeController` as a temporary workaround until a patch is available. Restrict access to the `SysNoticeController` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the SysDictTypeController component. **Recommendations** For RUoYi version 4.8.0, consider disabling access to the SysDictTypeController component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RUoYi version 4.8.0 **Description** The issue allows a remote attacker to escalate privileges via the edit method of the "/edit/{dictId}" endpoint, which does not properly validate whether the requesting user has permission to modify the specified `dictId`. **Recommendations** For RUoYi version 4.8.0, as a temporary workaround, consider restricting access to the "/edit/{dictId}" endpoint until a patch is available. Avoid using the `dictId` variable in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks can result in the ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.