Unknown · Chshcms Mccms · CVE-2025-5327
**Name of the Vulnerable Software and Affected Versions**
chshcms mccms version 2.7
**Description**
A critical issue affects the function `index` of the file `sys/apps/controllers/api/Gf.php`. The manipulation of the argument `pic` leads to server-side request forgery. It is possible to initiate the attack remotely. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
**Recommendations**
For version 2.7, as a temporary workaround, consider disabling the `index` function in the `Gf.php` file until a patch is available. Restrict access to the `sys/apps/controllers/api/Gf.php` file to minimize the risk of exploitation. Avoid using the argument `pic` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
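While no fixed version exists, web access logs can be reviewed for requests to the affected endpoint whose `pic` value targets an internal address. The script below is an added example, not code from mccms or from this advisory. It assumes the controller is routed under a path containing `/api/gf` and that `pic` arrives in the query string; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the controller at sys/apps/controllers/api/Gf.php is routed under
# a path containing "/api/gf"; adjust ENDPOINT to match your deployment.
ENDPOINT = re.compile(r"/api/gf\b", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify_pic(value):
    """Return why a pic value points at an internal target, or None."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return "unparseable URL"
    host = parts.hostname or ""
    if not parts.scheme and not parts.netloc:
        return None  # relative path, no outbound request target
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if host == "localhost" or host.endswith((".internal", ".local")):
            return f"internal hostname {host!r}"
        return None  # public-looking name; judging it needs DNS data
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return f"internal address {ip}"
    return None

def scan(lines):
    """Return (line_no, pic, reason) for suspicious requests to the endpoint."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m or not ENDPOINT.search(m.group(1)):
            continue
        for value in parse_qs(urlsplit(m.group(1)).query).get("pic", []):
            reason = classify_pic(value)
            if reason:
                hits.append((n, value, reason))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jun/2025:10:00:00 +0000] "GET /index.php/api/gf?pic=https%3A%2F%2Fcdn.example.com%2Fa.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2025:10:00:05 +0000] "GET /index.php/api/gf?pic=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jun/2025:10:00:09 +0000] "GET /index.php/api/gf/index?pic=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 0',
    '203.0.113.4 - - [01/Jun/2025:10:01:00 +0000] "GET /index.php/other?pic=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 404 0',
]
```

Calling `scan(SAMPLE)` reports lines 2 and 3. Access logs normally omit POST bodies, so a `pic` value submitted that way will only appear in application-level or proxy logging.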