Ku4D3

**Name of the Vulnerable Software and Affected Versions** xianrendzw EasyReport versions prior to 2.0.17.0522 Beta **Description** A flaw in the REST Endpoint component allows for remote SQL injection, which is a technique where malicious SQL statements are inserted into entry fields for execution. The issue exists within the `execute()` function when the `reportParams` variable is manipulated. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.