Hjaqiang

**Name of the Vulnerable Software and Affected Versions** wx-shop (affected versions not specified) **Description** A vulnerability has been identified in wx-shop that allows for cross-site request forgery (CSRF). The manipulation can be executed remotely. The exploit for this issue has been publicly disclosed. The product utilizes a rolling release model for continuous delivery, and therefore, specific version details for affected or updated releases are unavailable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wx-shop up to de1b66331368695779cfc6e4d11a64caddf8716e **Description** A vulnerability exists in wx-shop related to the processing of the file `/user/editUI`. This issue allows for cross-site scripting (XSS) attacks, which can be initiated remotely. The exploit for this issue has been publicly disclosed. The software utilizes a rolling release model, and specific version details for affected and updated releases are unavailable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jerryshensjf JPACookieShop 蛋糕商城JPA版 versions up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999 **Description** A cross-site scripting issue exists in the `GoodsController.java` file. The vulnerability is triggered remotely and affects multiple endpoints. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jerryshensjf JPACookieShop 蛋糕商城JPA版 versions up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999 **Description** A cross-site scripting issue exists due to the manipulation of the `keyword` argument within the `goodsSearch` function of the `GoodsCustController.java` file. This allows for remote attacks. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of the `keyword` argument in the `goodsSearch` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** jerryshensjf JPACookieShop 蛋糕商城JPA版 (affected versions not specified) **Description** A cross-site request forgery issue exists in the `AdminTypeCustController.java` file. The vulnerability allows for remote attacks. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jerryshensjf JPACookieShop 蛋糕商城JPA版 version 1.0 **Description** A critical issue exists due to an authorization bypass. This is caused by the manipulation of the `updateGoods` function within the `GoodsController.java` file. The attack can be initiated remotely, and the exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jerryshensjf JPACookieShop 蛋糕商城JPA版 version 1.0 **Description** A critical issue exists in the `addGoods` function within the `GoodsController.java` file, allowing for unrestricted file uploads. This issue is remotely exploitable. **Recommendations** As a temporary workaround, consider restricting access to the `addGoods` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** realguoshuai open-video-cms version 1.0 **Description** A critical issue affects the processing of the file "/v1/video/list" API endpoint. The manipulation of the `sort` argument leads to SQL injection. This issue can be exploited remotely. **Recommendations** For realguoshuai open-video-cms version 1.0, as a temporary workaround, consider restricting access to the "/v1/video/list" API endpoint or avoiding the use of the `sort` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.