Jiguangsdf

Name of the Vulnerable Software and Affected Versions: CMSWing version 1.3.8 Description: An issue was found in the CMSWing project where the `rechargeAction` function does not check the `balance` parameter, allowing malicious parameters to execute arbitrary SQL commands. Recommendations: For CMSWing version 1.3.8, consider disabling the `rechargeAction` function until a patch is available to prevent the execution of arbitrary SQL commands. Restrict access to the `balance` parameter in the affected function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: CMSWing version 1.3.8 Description: An issue was found in the CMSWing project where the log function does not check the log parameter, allowing malicious parameters to execute arbitrary commands. Recommendations: For CMSWing version 1.3.8, consider disabling the log function until a patch is available to prevent the execution of arbitrary commands. Restrict access to the log parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CMSWing version 1.3.8 Description: An issue was found in the CMSWing project where the `updateAction` function does not check the `detail` parameter, allowing malicious parameters to execute arbitrary SQL commands. Recommendations: For CMSWing version 1.3.8, consider disabling the `updateAction` function until a patch is available to prevent exploitation. Restrict access to the `detail` parameter in the affected function to minimize the risk of arbitrary SQL command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A SQL injection issue was found in the /coreframe/app/admin/pay/admin/index.php file of WUZHI CMS. The issue is related to the `keyValue` parameter in the "index.php?m=pay&f=index&v=listing" API endpoint. **Recommendations** For WUZHI CMS version 4.1.0, avoid using the `keyValue` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the /coreframe/app/admin/pay/admin/index.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A SQL injection issue was found in the /coreframe/app/admin/copyfrom.php file. The issue is related to the `keywords` parameter in the "/coreframe/app/admin/copyfrom.php" endpoint, which is accessible via the "index.php?m=core&f=copyfrom&v=listing" API endpoint. **Recommendations** For WUZHI CMS version 4.1.0, consider restricting access to the `/coreframe/app/admin/copyfrom.php` file and the `keywords` parameter in the affected API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A persistent XSS issue allows remote attackers to inject arbitrary web script or HTML via the `form[nickname]` parameter to the "index.php?m=core&f=set&v=sendmail" API endpoint. The XSS payload is triggered when the administrator accesses the system settings - mail server screen. **Recommendations** For WUZHI CMS version 4.1.0, avoid using the `form[nickname]` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the system settings - mail server screen to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A SQL injection issue was found that allows remote attackers to inject malicious SQL statements via the "index.php?m=promote&f=index&v=search keywords" parameter. **Recommendations** For WUZHI CMS version 4.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A persistent XSS issue was found, allowing remote attackers to inject arbitrary web script or HTML via the `form[content]` parameter to the "index.php?m=feedback&f=index&v=contact" API endpoint. **Recommendations** For WUZHI CMS version 4.1.0, as a temporary workaround, consider restricting access to the `form[content]` parameter in the "index.php?m=feedback&f=index&v=contact" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: WUZHI CMS version 4.1.0 Description: An issue was discovered that allows for XSS via the `email` parameter to the "index.php?m=member&v=register" URI. Recommendations: For WUZHI CMS version 4.1.0, avoid using the `email` parameter in the "index.php?m=member&v=register" URI until the issue is resolved.