Mhkd

Name of the Vulnerable Software and Affected Versions: HJSoft HCM Human Resources Management System versions prior to 20250823 Description: A SQL injection issue exists in HJSoft HCM Human Resources Management System. The vulnerability is located in an unknown functionality of the file `/templates/attestation/../../selfservice/lawresource/downlawbase`. Manipulation of the `ID` argument can lead to exploitation. Remote exploitation is possible. The details of the exploit have been publicly disclosed. Recommendations: Prior to 20250823, sanitize or validate the `ID` argument to prevent SQL injection.

**Name of the Vulnerable Software and Affected Versions** Brilliance Golden Link Secondary System up to 20250609 **Description** A critical issue affects some unknown functionality of the file /storagework/rentTakeInfoPage.htm, where the manipulation of the `custTradeName` argument leads to sql injection. The attack may be launched remotely. **Recommendations** For Brilliance Golden Link Secondary System up to 20250609, as a temporary workaround, consider restricting access to the `custTradeName` parameter in the affected file /storagework/rentTakeInfoPage.htm to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Brilliance Golden Link Secondary System up to 20250609 **Description** A critical vulnerability has been found in the Brilliance Golden Link Secondary System. The issue affects an unknown part of the file /storagework/custTakeInfoPage.htm. The manipulation of the `custTradeName` argument leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Brilliance Golden Link Secondary System up to 20250609, as a temporary workaround, consider restricting access to the `/storagework/custTakeInfoPage.htm` file and avoid using the `custTradeName` parameter in the affected endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golden Link Secondary System up to 20250424 **Description** A critical issue has been found in the Golden Link Secondary System, affecting some unknown processing of the file /reprotframework/tcEntrFlowSelect.htm. The manipulation of the `custTradeId` argument leads to SQL injection. The attack may be initiated remotely. **Recommendations** For Golden Link Secondary System up to 20250424, consider restricting access to the /reprotframework/tcEntrFlowSelect.htm file until a patch is available. As a temporary workaround, avoid using the `custTradeId` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golden Link Secondary System versions prior to 20250425 **Description** A critical issue exists in Golden Link Secondary System. The manipulation of the `dictCn1` argument in an unknown function within the `/paraframework/queryTsDictionaryType.htm` file leads to a SQL injection. This allows for remote attacks. The exploit for this issue has been publicly disclosed. **Recommendations** Versions prior to 20250425 should be updated. As a temporary workaround, consider restricting access to the `/paraframework/queryTsDictionaryType.htm` file to minimize the risk of exploitation. Avoid using the `dictCn1` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Anhui Xufan Information Technology EasyCVR versions up to 2.7.0 **Description** A vulnerability has been found in the file `/api/v1/getbaseconfig`, affecting unknown code and leading to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For Anhui Xufan Information Technology EasyCVR versions up to 2.7.0, as a temporary workaround, consider restricting access to the `/api/v1/getbaseconfig` API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.