P1Wy

Name of the Vulnerable Software and Affected Versions: dayrui XunRuiCMS versions up to 4.6.4 Description: A critical issue has been identified, affecting unknown code in the /Control/Api/Api.php file. The manipulation of the `thumb` argument leads to deserialization. This issue can be exploited remotely. The exploit has been publicly disclosed and may be used. Recommendations: For dayrui XunRuiCMS versions up to 4.6.4, consider disabling the deserialization functionality related to the `thumb` argument in the /Control/Api/Api.php file as a temporary workaround until a patch is available. Restrict access to the /Control/Api/Api.php file to minimize the risk of exploitation. Avoid using the `thumb` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThinkAdmin versions up to 6.1.67 **Description** A critical issue was found in the function script of the file /app/admin/controller/api/Plugs.php, related to deserialization weaknesses. The manipulation of the `uptoken` argument leads to deserialization, allowing a remote attack. The complexity of an attack is rather high, and the exploitability is difficult. The exploit has been disclosed to the public and may be used, potentially impacting the confidentiality, integrity, and availability of protected information. **Recommendations** For ThinkAdmin versions up to 6.1.67, patch immediately or isolate affected systems to prevent exploitation. As a temporary workaround, consider restricting access to the /app/admin/controller/api/Plugs.php file or disabling the vulnerable function script until a patch is available. Avoid using the `uptoken` argument in the affected API endpoint until the issue is resolved.