J1Rry

**Name of the Vulnerable Software and Affected Versions** PbootCMS versions prior to 5.2.4 **Description** A problem has been found in some unknown functionality of the file apps/home/controller/IndexController.php. The manipulation of the argument tag leads to path traversal. The attack may be launched remotely. **Recommendations** For versions prior to 5.2.4, upgrade to version 5.2.4 to address this issue. As a temporary workaround, consider restricting access to the affected file apps/home/controller/IndexController.php until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PbootCMS versions up to 3.2.3 **Description** A critical issue has been found in PbootCMS, affecting an unknown part of the file apps/home/controller/IndexController.php. The manipulation of the argument tag leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For PbootCMS versions up to 3.2.3, upgrade to version 3.2.4 to address this issue. As a temporary workaround, consider restricting access to the affected component, specifically the IndexController.php file, until the update is applied.

**Name of the Vulnerable Software and Affected Versions** ZhongBangKeJi CRMEB versions up to 5.4.0 **Description** A critical issue was found in the function `get image base64` of the file PublicController.php. The manipulation of the argument `file` leads to deserialization. This issue can be exploited remotely. The exploit has been disclosed to the public. The vendor was contacted about this disclosure but did not respond. **Recommendations** For ZhongBangKeJi CRMEB versions up to 5.4.0, as a temporary workaround, consider disabling the `get image base64` function in the PublicController.php file until a patch is available. Restrict access to the PublicController.php file to minimize the risk of exploitation. Avoid using the `file` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Prain versions up to 1.3.0 **Description** A critical issue has been found in the HTTP POST Request Handler component, specifically affecting some unknown functionality of the file /?import. The manipulation of the `file` argument leads to code injection. This issue can be exploited remotely. **Recommendations** For Prain versions up to 1.3.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZhongBangKeJi CRMEB versions up to 5.4.0 **Description** A critical issue has been found, affecting the function `downloadImage` of the file `app/services/product/product/CopyTaobaoServices.php`. This issue leads to deserialization and can be exploited remotely. The exploit has been disclosed publicly. **Recommendations** For ZhongBangKeJi CRMEB versions up to 5.4.0, as a temporary workaround, consider disabling the `downloadImage` function until a patch is available. Restrict access to the `CopyTaobaoServices.php` file to minimize the risk of exploitation. Avoid using the deserialization functionality in the affected `downloadImage` function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Nanjing Xingyuantu Technology SparkShop versions up to 1.1.6 **Description** A critical issue affects the processing of the file "/api/Common/uploadFile". The manipulation of the `file` argument leads to unrestricted upload. The attack can be initiated remotely. **Recommendations** For versions up to 1.1.6, restrict access to the "/api/Common/uploadFile" endpoint to minimize the risk of exploitation. Avoid using the `file` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShopXO versions up to 6.1.0 **Description** A critical vulnerability was found in ShopXO, affecting an unknown functionality of the file extend/base/Uploader.php. The manipulation of the `source` argument leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For ShopXO versions up to 6.1.0, consider disabling the `extend/base/Uploader.php` file or restricting access to it until a patch is available. As a temporary workaround, avoid using the `source` argument in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.