Liangyueliangyue

**Name of the Vulnerable Software and Affected Versions** Dataease versions prior to 1.18.15 Dataease versions prior to 2.3.0 **Description** A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java`. The blacklist of mysql jdbc attacks can be bypassed, allowing attackers to further exploit it for deserialized execution or reading arbitrary files. **Recommendations** For versions prior to 1.18.15, update to version 1.18.15 or later to resolve the issue. For versions prior to 2.3.0, update to version 2.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Mysql.java` file in the `core/core-backend/src/main/java/io/dataease/datasource/type` directory until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** kkFileView version 4.1.0 **Description** The issue allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the `url` parameter. This is achieved through a Server-Side Request Forgery (SSRF) in the `cn.keking.web.controller.OnlinePreviewController#getCorsFile` component. **Recommendations** For kkFileView version 4.1.0, consider restricting access to the `cn.keking.web.controller.OnlinePreviewController#getCorsFile` component to minimize the risk of exploitation. As a temporary workaround, avoid using the `url` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Taocms version 3.0.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability was found in the Management Column component. **Recommendations** For Taocms version 3.0.2, consider disabling the Management Column component until a patch is available. Restrict access to this component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MiniCMS version 1.11 **Description** A cross-site scripting (XSS) issue was found in MiniCMS via the /mc-admin/page-edit.php API endpoint. This allows for potential malicious script execution. **Recommendations** For MiniCMS version 1.11, as a temporary workaround, consider restricting access to the /mc-admin/page-edit.php endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hospital Management System version 4.0 **Description** The issue is related to a SQL injection vulnerability. It affects the /Hospital-Management-System-master/contact.php endpoint via the `txtMsg` parameters. **Recommendations** For Hospital Management System version 4.0, consider restricting access to the /Hospital-Management-System-master/contact.php endpoint until a patch is available. As a temporary workaround, avoid using the `txtMsg` parameters in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cuppa CMS version 1.0 **Description** The issue is related to an arbitrary file deletion vulnerability via the `unlink()` function. **Recommendations** For Cuppa CMS version 1.0, as a temporary workaround, consider restricting the use of the `unlink()` function until a patch is available.