Jinnywco

**Name of the Vulnerable Software and Affected Versions** Jeecg-boot version 3.0 **Description** A SQL injection issue was found in Jeecg-boot via the `code` parameter in the "/jeecg-boot/sys/user/queryUserByDepId" API endpoint. **Recommendations** For Jeecg-boot version 3.0, consider restricting access to the "/jeecg-boot/sys/user/queryUserByDepId" API endpoint to minimize the risk of exploitation. Avoid using the `code` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GetSimple CMS version 3.4.0a Description: A stored cross site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Edit Snippets module, specifically targeting the /admin/snippets.php endpoint. The `Edit Snippets` module is vulnerable to this issue, potentially allowing attackers to inject malicious scripts. Recommendations: For GetSimple CMS version 3.4.0a, consider disabling the Edit Snippets module until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the /admin/snippets.php endpoint to minimize the risk of arbitrary web script execution. Avoid using the Edit Snippets module with untrusted input until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PopojiCMS version 1.2 Description: An information disclosure issue in the upload.php file of PopojiCMS leads to the physical path disclosure of the host. This occurs when the `name` variable equals `"file"` and is deleted during file uploads, specifically through the "upload.php" endpoint. Recommendations: For PopojiCMS version 1.2, as a temporary workaround, consider restricting access to the upload.php file until a patch is available. Avoid using the `name` variable with the value `"file"` in the upload process to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Wage-CMS version 1.5.x-dev Description: A cross-site request forgery (CSRF) issue allows attackers to arbitrarily add users. This can be exploited by tricking a user into performing unintended actions on the web application. Recommendations: For Wage-CMS version 1.5.x-dev, as a temporary workaround, consider implementing additional validation checks on user requests to prevent unauthorized actions until a patch is available. Restrict access to user management functionality to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: jeecg-boot CMS version 2.3 Description: A SQL injection issue in the "/jeecg boot/sys/dict/loadtreedata" endpoint of jeecg-boot CMS allows attackers to access sensitive database information. Recommendations: For jeecg-boot CMS version 2.3, consider restricting access to the "/jeecg boot/sys/dict/loadtreedata" endpoint until a patch is available. As a temporary workaround, avoid using sensitive database queries in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PopojiCMS version 1.2 **Description** The issue exists due to a lack of protection for the web page structure in the /admin.php?mod=user&act=addnew endpoint of the content management system. This allows a remote attacker to execute arbitrary web or HTML scripts by using a specially crafted payload. The vulnerability can be exploited via the E-Mail field, enabling attackers to execute arbitrary web scripts or HTML. **Recommendations** For PopojiCMS version 1.2, as a temporary workaround, consider disabling the /admin.php?mod=user&act=addnew endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the E-Mail field in the affected endpoint until the issue is resolved.