Langyayue

**Name of the Vulnerable Software and Affected Versions** tp5cms versions prior to 2017-05-25 **Description** An issue allows remote attackers to execute arbitrary PHP code by uploading a .php file with the `content type` set to `image/jpeg` to the "admin.php/upload/picture.html" endpoint. **Recommendations** For versions prior to 2017-05-25, consider restricting access to the "admin.php/upload/picture.html" endpoint to prevent uploading of malicious files until a fix is available. Additionally, validate the file type and content of uploaded files to prevent execution of arbitrary PHP code.

**Name of the Vulnerable Software and Affected Versions** tp5cms versions prior to 2017-05-25 **Description** An issue was discovered that allows for XSS via the `title` parameter in the "admin.php/system/set.html" API endpoint. **Recommendations** For versions prior to 2017-05-25, as a temporary workaround, consider restricting access to the "admin.php/system/set.html" endpoint until a patch is available. Avoid using the `title` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ArticleCMS versions prior to 2017-02-19 **Description** The issue allows for XSS attacks via the "/update personal infomation" API endpoint, specifically through the `realname` or `email` parameters. **Recommendations** For ArticleCMS versions prior to 2017-02-19, avoid using the `realname` and `email` parameters in the "/update personal infomation" endpoint until a fix is available. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.