Jtz-

**Name of the Vulnerable Software and Affected Versions** DedeBIZ version 6.3.0 **Description** A critical vulnerability has been found in DedeBIZ, affecting unknown code in the file /admin/makehtml freelist action.php. The manipulation of the `startid` argument leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For DedeBIZ version 6.3.0, as a temporary workaround, consider restricting access to the /admin/makehtml freelist action.php file until a patch is available. Avoid using the `startid` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DedeBIZ version 6.3.0 **Description** A vulnerability was found in the Website Copyright Setting component, which can be exploited remotely. The manipulation leads to cross site scripting. The vendor was contacted about this disclosure but did not respond. **Recommendations** For DedeBIZ version 6.3.0, as a temporary workaround, consider restricting access to the Website Copyright Setting component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Muyun DedeBIZ versions up to 6.2.12 **Description** A critical issue was found in the component Add Attachment Handler, allowing for unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public. The vendor was contacted about this disclosure but did not respond. **Recommendations** For versions up to 6.2.12, consider disabling the Add Attachment Handler component until a patch is available to prevent unrestricted upload. Restrict access to the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Novel-Plus versions up to 4.2.0 **Description** A vulnerability was found in the component Friendly Link Handler, specifically in the file `novel-admin/src/main/java/com/java2nb/novel/controller/FriendLinkController.java`. The manipulation of an unknown functionality leads to cross-site scripting. The attack can be launched remotely, and the exploit has been disclosed to the public. **Recommendations** For Novel-Plus versions up to 4.2.0, it is recommended to apply a patch to fix this issue. The patch is named `d6093d8182362422370d7eaf6c53afde9ee45215`. As a temporary workaround, consider restricting access to the vulnerable component Friendly Link Handler until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Novel-Plus versions up to 4.2.0 **Description** A problematic vulnerability has been found in Novel-Plus, affecting an unknown part of the file `/user/updateUserInfo` of the component HTTP POST Request Handler. The manipulation of the `nickName` argument leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** To fix this issue, apply a patch to Novel-Plus versions up to 4.2.0. As a temporary workaround, consider restricting access to the `/user/updateUserInfo` endpoint or disabling the manipulation of the `nickName` argument until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Typecho version 1.2.1 **Description** A vulnerability has been found in the Logo Handler component of Typecho, affecting an unknown function of the file /admin/options-theme.php. This issue leads to cross site scripting and can be exploited remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** For Typecho version 1.2.1, consider disabling access to the /admin/options-theme.php file until a patch is available. Restrict access to the Logo Handler component to minimize the risk of exploitation. Avoid using the affected function in the Logo Handler component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Typecho version 1.2.1 **Description** A problematic issue has been found in Typecho, affecting some unknown functionality of the file /admin/manage-users.php. The manipulation of the `page` argument leads to information disclosure. The issue has been publicly disclosed and may be exploited. **Recommendations** For Typecho version 1.2.1, as a temporary workaround, consider restricting access to the /admin/manage-users.php file until a patch is available. Avoid manipulating the `page` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Typecho version 1.2.1 **Description** A vulnerability was found in the file /admin/manage-pages.php of the component Page Handler, which can lead to a backdoor. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Typecho version 1.2.1, consider disabling access to the /admin/manage-pages.php file until a patch is available. Restrict access to the Page Handler component to minimize the risk of exploitation. Avoid using the affected functionality of the Page Handler component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.