Iej1Ctk1G

**Name of the Vulnerable Software and Affected Versions** jizhiCMS version 1.6.7 **Description** The software contains a file download issue in the admin plugins update endpoint. Authenticated administrators can download arbitrary files. Attackers can exploit this by sending crafted POST requests with malicious `filepath` and `download url` parameters, triggering unauthorized file downloads. The vulnerable API endpoint is '/admin/plugins/update'. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** P5 FNIP-8x16A FNIP-4xSH version 1.0.20 **Description** A cross-site request forgery issue allows attackers to perform administrative actions without user interaction. By tricking authenticated users into loading a specially crafted web page, attackers can add new admin users, change passwords, and modify system configurations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** P5 FNIP-8x16A FNIP-4xSH version 1.0.20 **Description** The software contains a cross-site request forgery issue that enables attackers to execute administrative actions without authorization. An attacker can create malicious web pages to add new administrator accounts, alter passwords, and change system settings by deceiving authenticated users into loading a specially designed form. The attack relies on tricking a user who is already logged in to the application into performing actions they did not intend to. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider implementing CSRF tokens to protect sensitive actions.