Peng Wu

Name of the Vulnerable Software and Affected Versions DedeCMS version 5.7.118 Description The software contains a Cross-Site Request Forgery (CSRF) issue in the `/sys task add.php` file. A Cross-Site Request Forgery attack allows an attacker to induce a user to perform unwanted actions on a web application in which they’re currently authenticated. The vulnerable file is `/sys task add.php`. Recommendations Update to a newer version of DedeCMS that addresses this issue. As a temporary workaround, consider implementing CSRF protection mechanisms for the `/sys task add.php` endpoint.

**Name of the Vulnerable Software and Affected Versions** JiZhiCMS versions 2.5.6 and earlier **Description** The software contains a Stored Cross-Site Scripting (XSS) issue in the `release` function within the `app/home/c/UserController.php` file. The application attempts to sanitize input by filtering `<script>` tags, but it does not recursively remove dangerous event handlers in other HTML tags, such as `onerror` in `<img>` tags. This allows a remote attacker with authentication to inject arbitrary web script or HTML through the `body` parameter in a POST request to the `/user/release.html` API endpoint. **Recommendations** Versions prior to 2.5.6 should be updated.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A refcount leak issue has been identified in the Linux kernel, specifically in the powerpc/iommu component. The problem arises from the `of find compatible node` function, which returns a `device node` pointer with an incremented refcount. To prevent this leak, it is necessary to use the `of node put()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.