Mechoy

**Name of the Vulnerable Software and Affected Versions** Rebuild versions up to 3.2.3 **Description** A critical issue has been found in Rebuild, affecting some unknown functionality of the file /project/tasks/list. The manipulation leads to sql injection. The attack may be launched remotely. **Recommendations** For Rebuild versions up to 3.2.3, it is recommended to apply a patch to fix this issue. As a temporary workaround, consider restricting access to the /project/tasks/list file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zhong Bang CRMEB Java versions up to 1.3.4 **Description** A critical issue affects the function getAdminList of the file "/api/admin/store/product/list". The manipulation of the argument `cateId` leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For versions up to 1.3.4, as a temporary workaround, consider disabling the `getAdminList` function until a patch is available. Restrict access to the "/api/admin/store/product/list" endpoint to minimize the risk of exploitation. Avoid using the argument `cateId` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zhong Bang CRMEB Java versions up to 1.3.4 **Description** A issue was found in the function `save` of the file "/api/admin/store/product/save" API endpoint, which leads to cross site scripting. The attack may be initiated remotely. **Recommendations** For versions up to 1.3.4, as a temporary workaround, consider disabling the `save` function in the "/api/admin/store/product/save" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Rebuild versions up to 3.2.3 **Description** A critical issue was found in Rebuild, affecting an unknown part of the file /files/list-file, leading to sql injection. The manipulation can be initiated remotely. **Recommendations** For versions up to 3.2.3, apply a patch to fix this issue.

**Name of the Vulnerable Software and Affected Versions** Rebuild versions up to 3.2.3 **Description** A vulnerability has been found in Rebuild, affecting unknown code of the file /feeds/post/publish, leading to cross site scripting. The attack can be initiated remotely. **Recommendations** For Rebuild versions up to 3.2.3, apply a patch to fix this issue. As a temporary workaround, consider restricting access to the /feeds/post/publish file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rebuild versions up to 3.2.3 **Description** A critical vulnerability was found in the function `queryListOfConfig` of the file `/admin/robot/approval/list`. The manipulation of the argument `q` leads to sql injection. The attack can be launched remotely. **Recommendations** For Rebuild versions up to 3.2.3, apply a patch to fix this issue. As a temporary workaround, consider restricting access to the `/admin/robot/approval/list` endpoint or disabling the `queryListOfConfig` function until a patch is available. Avoid using the argument `q` in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 4.5.3 **Description** A cross-site scripting (XSS) issue in the Edit Group function allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Edit Group Name` text field. This enables attackers to potentially manipulate the web application's behavior. **Recommendations** For ChurchCRM version 4.5.3, as a temporary workaround, consider restricting access to the Edit Group function until a patch is available. Avoid using the `Edit Group Name` text field with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.