N0El4Kls

Name of the Vulnerable Software and Affected Versions: linlinjava litemall version 1.8.0 Description: A problematic issue was found in the software, affecting an unknown function of the file /wx/comment/post. The manipulation of the `adminComment` argument leads to improper authorization, allowing for remote attacks. The issue has been publicly disclosed. Recommendations: For linlinjava litemall version 1.8.0, consider restricting access to the /wx/comment/post endpoint until a fix is available. As a temporary workaround, avoid using the `adminComment` argument in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: LoveCards LoveCardsV2 versions up to 2.3.2 Description: A critical vulnerability has been found in the Setting Handler component, affecting unknown code of the file /api/system/other. This leads to improper access controls and can be initiated remotely. The vendor was contacted about the disclosure but did not respond. Recommendations: For LoveCards LoveCardsV2 versions up to 2.3.2, consider restricting access to the /api/system/other endpoint until a patch is available. As a temporary workaround, review and tighten access controls to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SiYuan Note version 3.1.18 **Description** SiYuan Note is self-hosted, open source personal knowledge management software. The software has an arbitrary file deletion vulnerability that exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. The vulnerability can be reproduced by sending a crafted request to the `/api/history/getDocHistoryContent` endpoint, where the `historyPath` parameter in the payload is processed and can lead to file deletion if it does not satisfy certain conditions. **Recommendations** For SiYuan Note version 3.1.18, upgrade to version 3.1.19, which is expected to include the fix for this vulnerability. As a temporary workaround, consider restricting access to the `POST /api/history/getDocHistoryContent` endpoint until the upgrade is applied. Additionally, avoid using the `historyPath` parameter in the affected API endpoint until the issue is resolved.