Apache · Apache Kylin · CVE-2023-29055
**Name of the Vulnerable Software and Affected Versions**
Apache Kylin versions 2.0.0 through 4.0.3
**Description**
The issue concerns the Server Config web interface in Apache Kylin, which displays the content of the `kylin.properties` file. This file may contain server-side credentials. When the Kylin service is served over HTTP or another plaintext protocol, anyone able to capture traffic on the network path can read the HTTP payload and, with it, the content of `kylin.properties`, including any credentials it holds.
**Recommendations**
* For versions 2.0.0 through 4.0.3, always turn on HTTPS to encrypt the network payload.
* For versions 2.0.0 through 4.0.3, avoid putting credentials in `kylin.properties`, or at least not in plain text.
* For versions 2.0.0 through 4.0.3, use network firewalls to protect the server side so that it is not reachable by external attackers.
* Upgrade to Apache Kylin 4.0.4, which filters sensitive content out of what the Server Config web interface displays.
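As an added example, not code from the page or from the Kylin project, the following Python script shows the two defensive measures the recommendations describe: auditing a `kylin.properties` file for plaintext credentials, and redacting credential-bearing keys before the content is shown anywhere, as Kylin 4.0.4 does for the Server Config interface. The sample file and its property names are constructed for illustration.

```python
import re

# Constructed sample of a kylin.properties file; property names are illustrative
# and not taken from the advisory or from a real deployment.
SAMPLE_PROPERTIES = """\
# Kylin server configuration (constructed example)
kylin.server.mode=all
kylin.metadata.url=kylin_metadata@jdbc,url=jdbc:mysql://db:3306/kylin,username=kylin,password=Plain-Text-Pw
kylin.source.hive.password : hunter2
kylin.storage.hbase.coprocessor-local-jar=/opt/kylin/lib/coprocessor.jar
kylin.env.zookeeper-connect-string=zk1:2181,zk2:2181
kylin.ldap.bind-secret=\\
    s3cr3t-continued-on-next-line
"""

# Key names that mark a property as a credential.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|credential|private[-_.]?key)", re.I)
# Credential embedded inside a composite value, e.g. a JDBC-style connection string.
EMBEDDED_CRED = re.compile(r"(password|passwd|secret|token)\s*=\s*[^,;\s]+", re.I)


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, '=' or ':'
    separators, and trailing-backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def redact(props):
    """Return (redacted copy, keys that held plaintext credentials)."""
    out, flagged = {}, []
    for key, value in props.items():
        if SENSITIVE_KEY.search(key):
            out[key] = "******"
            flagged.append(key)
        elif EMBEDDED_CRED.search(value):
            out[key] = EMBEDDED_CRED.sub(lambda m: m.group(1) + "=******", value)
            flagged.append(key)
        else:
            out[key] = value
    return out, flagged
```

Running `redact(parse_properties(open("kylin.properties").read()))` over a real file lists the keys that still hold plaintext credentials (recommendation 2) and yields a copy safe to display.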