Luelueking

**Name of the Vulnerable Software and Affected Versions** Hertzbeat versions prior to 1.4.1 **Description** Hertzbeat is a real-time monitoring system. In `CalculateAlarm.java`, `AviatorEvaluator` is used to directly execute the expression function, and no security policy is configured, resulting in AviatorScript script injection. This allows the execution of any static method by default. **Recommendations** For versions prior to 1.4.1, update to version 1.4.1 to fix the vulnerability. As a temporary workaround, consider disabling the `AviatorEvaluator` function until a patch is available. Restrict access to the `CalculateAlarm.java` module to minimize the risk of exploitation. Avoid using the `AviatorEvaluator` in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Hertzbeat versions prior to 1.4.1 **Description** Hertzbeat is a real-time monitoring system. In the implementation of `JmxCollectImpl.java`, `JMXConnectorFactory.connect` is vulnerable to JNDI injection. The corresponding interface is "/api/monitor/detect". If there is a URL field, the address will be used by default. When the URL is "service:jmx:rmi:///jndi/rmi://xxxxxxx:1099/localHikari", it can be exploited to cause remote code execution. **Recommendations** For versions prior to 1.4.1, update to version 1.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the `/api/monitor/detect` interface and avoiding the use of the vulnerable `JMXConnectorFactory.connect` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Hertzbeat versions prior to 1.4.1 **Description** Hertzbeat is a real-time monitoring system. At the interface of "/define/yml", SnakeYAML is used as a parser to parse yml content, but no security configuration is used, resulting in a YAML deserialization vulnerability. **Recommendations** For versions prior to 1.4.1, update to version 1.4.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the "/define/yml" interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 1.18.7 **Description** A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The issue has been fixed in version 1.18.7. There are no known workarounds aside from upgrading. **Recommendations** For versions prior to 1.18.7, upgrade to version 1.18.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the DataEase datasource until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** beetl version 3.15.0 **Description** An issue in the render function allows attackers to execute server-side template injection (SSTI) via a crafted payload. **Recommendations** For beetl version 3.15.0, consider disabling the render function until a patch is available to prevent server-side template injection (SSTI) attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Databasir version 1.0.7 **Description** The issue is related to a remote code execution (RCE) vulnerability. It can be exploited via the `mockDataScript` parameter. **Recommendations** For Databasir version 1.0.7, consider restricting access to the `mockDataScript` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuoYi versions up to 4.7.5 **Description** The issue is related to a SQL injection vulnerability. It affects the component `/tool/gen/createTable`. **Recommendations** For versions up to 4.7.5, as a temporary workaround, consider restricting access to the `/tool/gen/createTable` component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** y project RuoYi version 4.7.5 **Description** A critical issue has been found in the processing of the file com/ruoyi/generator/controller/GenController, leading to sql injection. **Recommendations** For y project RuoYi version 4.7.5, it is recommended to apply a patch to fix this issue. As a temporary workaround, consider restricting access to the `GenController` until a patch is available.