Novysodopeo

#7440of 53,625
36.9Total CVSS
Vulnerabilities · 4
High
1
Critical
3
PT-2023-27030
7.5
2023-09-08
Hexo · Hexo · CVE-2023-39584
**Name of the Vulnerable Software and Affected Versions** Hexo versions up to 7.0.0 (RC2) **Description** Hexo was discovered to contain an arbitrary file read issue. This allows for the reading of arbitrary files, potentially leading to sensitive information disclosure. **Recommendations** For versions up to 7.0.0 (RC2), update to a version later than 7.0.0 (RC2) to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2023-19483
9.8
2023-02-17
Unknown · Luckyframeweb · CVE-2023-24219
**Name of the Vulnerable Software and Affected Versions** LuckyframeWEB version 3.5 **Description** A SQL injection issue was found in LuckyframeWEB via the `dataScope` parameter at the "/system/UserMapper.xml" API endpoint. This allows for potential exploitation. **Recommendations** For LuckyframeWEB version 3.5, consider restricting access to the `/system/UserMapper.xml` API endpoint until a patch is available. As a temporary workaround, avoid using the `dataScope` parameter in this endpoint to minimize the risk of exploitation.
PT-2023-19484
9.8
2023-02-17
Unknown · Luckyframeweb · CVE-2023-24220
**Name of the Vulnerable Software and Affected Versions** LuckyframeWEB version 3.5 **Description** A SQL injection issue was found in LuckyframeWEB via the `dataScope` parameter at the "/system/RoleMapper.xml" API endpoint. This allows for potential exploitation. **Recommendations** For LuckyframeWEB version 3.5, consider restricting access to the `/system/RoleMapper.xml` API endpoint until a patch is available. As a temporary workaround, avoid using the `dataScope` parameter in this endpoint to minimize the risk of exploitation.
PT-2023-19485
9.8
2023-02-17
Unknown · Luckyframeweb · CVE-2023-24221
**Name of the Vulnerable Software and Affected Versions** LuckyframeWEB version 3.5 **Description** A SQL injection issue was found in LuckyframeWEB via the `dataScope` parameter at the "/system/DeptMapper.xml" API endpoint. This allows for potential SQL injection attacks. **Recommendations** For LuckyframeWEB version 3.5, consider restricting access to the `/system/DeptMapper.xml` API endpoint until a patch is available. As a temporary workaround, avoid using the `dataScope` parameter in this endpoint to minimize the risk of exploitation.