Huding

**Name of the Vulnerable Software and Affected Versions** Vitals ESP (affected versions not specified) **Description** A missing authentication issue exists in Vitals ESP, enabling unauthenticated remote attackers to execute functions and potentially obtain sensitive information. The software is developed by Galaxy Software Services. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vitals ESP (affected versions not specified) **Description** An incorrect authorization issue exists in Vitals ESP developed by Galaxy Software Services. This allows authenticated remote attackers to perform administrative functions, leading to privilege escalation. The issue enables attackers to perform actions beyond their authorized access level. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QbiCRMGateway (affected versions not specified) **Description** The QbiCRMGateway developed by Ai3 is susceptible to an arbitrary file reading issue. Unauthenticated remote attackers can exploit a relative path traversal to download arbitrary system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DVC from TRCore (affected versions not specified) **Description** The issue concerns the use of a hardcoded key for file encryption in the DVC from TRCore. This hardcoded key can be exploited by attackers to decrypt the files and restore their original content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Team+ from TEAMPLUS TECHNOLOGY (affected versions not specified) **Description** The issue concerns a failure to properly validate a specific page parameter, allowing unauthenticated remote attackers to inject arbitrary SQL commands and potentially read, modify, or delete database contents. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Team+ versions (affected versions not specified) **Description** The issue is related to the improper validation of a specific page parameter in Team+ by TEAMPLUS TECHNOLOGY, allowing unauthenticated remote attackers to read arbitrary system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Team+ versions 13.5.x **Description** The issue arises from the improper validation of a specific page parameter, allowing remote attackers with administrator privileges to move arbitrary system files to the website root directory and access them. This can lead to unauthorized data access. **Recommendations** For version 13.5.x, apply the available patch to fix the issue and monitor for potential exploit development. Assess exposure and apply defense-in-depth measures to minimize the risk of exploitation. As a temporary workaround, consider restricting access to sensitive system files and directories until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Ai3 QbiBot (affected versions not specified) **Description** The password reset feature lacks proper access control, allowing unauthenticated remote attackers to reset any user's password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ai3 QbiBot versions prior to 8.0.4 **Description** The issue concerns the file upload functionality, which does not properly restrict the types of files that can be uploaded. This allows remote attackers with administrator privileges to upload files containing malicious code. **Recommendations** For Ai3 QbiBot versions prior to 8.0.4, upgrade to a patched version and review uploaded files to mitigate the risk. As a temporary workaround, consider restricting access to the file upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Intumit SmartRobot (affected versions not specified) **Description** The issue concerns the use of a fixed encryption key for authentication in Intumit SmartRobot. This allows remote attackers to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** InfoDoc Document On-line Submission and Approval System (affected versions not specified) **Description** The issue arises from insufficient restrictions on available tags within the HTML to PDF conversion function, allowing unauthenticated attackers to load remote or local resources through HTML tags such as `iframe`. This enables unauthenticated remote attackers to perform Server-Side Request Forgery (SSRF) attacks, gaining unauthorized access to arbitrary system files and uncovering the internal network topology. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** InfoDoc Document On-line Submission and Approval System versions 22547, 22567 **Description** The issue is related to an Unrestricted Upload of File with Dangerous Type in the file uploading function. This allows an unauthenticated remote attacker to upload and run arbitrary executable files, which can be used to perform arbitrary system commands or disrupt the service. **Recommendations** For versions 22547 and 22567, consider disabling the file uploading function until a patch is available to prevent exploitation. Restrict access to the file uploading module to minimize the risk of uploading arbitrary executable files. Avoid using the file uploading function in the affected system until the issue is resolved.