
N1Eco

#16627 of 53,635
16.2 Total CVSS
Vulnerabilities · 2
High: 1
Critical: 1
PT-2022-12541
7.1
2022-02-18
Mingfei · Mingfei Content Management System · CVE-2021-46062
**Name of the Vulnerable Software and Affected Versions**

Mingfei Content Management System (MCMS) versions prior to 5.2.11

`net.mingsoft:ms-basic` versions prior to 2.1.16

**Description**

The issue allows for arbitrary file deletion. This can be achieved via the `oldFileName` parameter in POST requests to the "/template/writeFileContent" API endpoint.

**Recommendations**

For `net.mingsoft:ms-basic` versions prior to 2.1.16, update to version 2.1.16 or later.

For MCMS versions prior to 5.2.11, update to version 5.2.11 or later.

As a temporary workaround, consider restricting access to the "/template/writeFileContent" API endpoint to minimize the risk of exploitation. Avoid using the `oldFileName` parameter in the affected API endpoint until the issue is resolved.
PT-2022-12542
9.1
2022-02-18
Mcms · Mcms · CVE-2021-46063
**Name of the Vulnerable Software and Affected Versions**

MCMS version 5.2.5

**Description**

A Server Side Template Injection (SSTI) issue was found in the Template Management module.

**Recommendations**

For MCMS version 5.2.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.