Puppy

**Name of the Vulnerable Software and Affected Versions** Huaxia ERP versions up to 3.1 **Description** A problematic issue has been found in Huaxia ERP, affecting an unknown function of the file src/main/java/com/jsh/erp/controller/UserController.java. This issue leads to weak password recovery and can be exploited remotely. **Recommendations** For Huaxia ERP versions up to 3.1, upgrade to version 3.2 to address this issue. As a temporary workaround, consider restricting access to the `UserController.java` file until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Huaxia ERP versions up to 3.1 **Description** A problematic issue affects some unknown processing of the file /user/getAllList, leading to information disclosure. The attack may be initiated remotely. **Recommendations** For Huaxia ERP versions up to 3.1, upgrade to version 3.2 to address this issue. As a temporary workaround, consider restricting access to the /user/getAllList file until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** cloudfavorites favorites-web version 1.3.0 **Description** A problematic issue has been found in the Nickname Handler component, leading to cross site scripting. The attack can be launched remotely. The issue affects some unknown functionality of this component. **Recommendations** For cloudfavorites favorites-web version 1.3.0, consider disabling the Nickname Handler component until a patch is available to prevent cross site scripting attacks. Restrict access to the component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Weitong Mall version 1.0.0 **Description** A critical issue was found in Weitong Mall. The vulnerability affects an unknown functionality of the file platform-shopsrcmainresourcescomplatformdaoOrderDao.xml. The manipulation of the argument `sidx/order` leads to sql injection. **Recommendations** For Weitong Mall version 1.0.0, as a temporary workaround, consider restricting access to the `OrderDao.xml` file until a patch is available. Avoid using the `sidx/order` argument in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apollo versions 2.0.0 through 2.0.1 **Description** A vulnerability was found in the Configuration Center component, affecting some unknown functionality of the file /users. This issue leads to improper authorization and can be exploited remotely. The exploit has been disclosed to the public. The existence of this vulnerability is still disputed. The maintainer notes that user data, such as `user id`, `name`, and `email`, are not considered sensitive. **Recommendations** For Apollo versions 2.0.0 through 2.0.1, consider restricting access to the /users file in the Configuration Center component as a temporary workaround until further guidance is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** meetyoucrop big-whale version 1.1 **Description** A critical issue affects some unknown functionality of the file `/auth/user/all.api` of the component Admin Module. The manipulation of the `id` argument leads to improper ownership management. The attack may be launched remotely. **Recommendations** For meetyoucrop big-whale version 1.1, consider disabling access to the `/auth/user/all.api` endpoint until a patch is available. Restrict the manipulation of the `id` argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** qkmc-rk redbbs version 1.0 **Description** A problematic issue was found in the Nickname Handler component, leading to cross-site scripting. The attack can be launched remotely. **Recommendations** For qkmc-rk redbbs version 1.0, consider disabling the Nickname Handler component until a patch is available to prevent cross-site scripting attacks.

**Name of the Vulnerable Software and Affected Versions** qkmc-rk redbbs version 1.0 **Description** A problematic vulnerability has been found in the Post Handler component. The manipulation of the `title` argument leads to cross-site scripting. It is possible to launch the attack remotely. **Recommendations** For qkmc-rk redbbs version 1.0, consider disabling the Post Handler component or restricting the use of the `title` argument until a patch is available. As a temporary workaround, avoid using the `title` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Magic-Api versions up to 2.0.1 **Description** A critical vulnerability has been found in Magic-Api, affecting an unknown functionality of the file "/resource/file/api/save?auto=1". The manipulation leads to code injection, and the attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Magic-Api versions up to 2.0.1, consider disabling access to the "/resource/file/api/save?auto=1" endpoint until a patch is available. Restricting the use of this endpoint can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spider-flow version 0.4.3 **Description** A critical vulnerability was found in spider-flow, affecting the `FunctionService.saveFunction` of the file `src/main/java/org/spiderflow/controller/FunctionController.java`. This vulnerability leads to code injection and can be exploited remotely. The exploit has been disclosed to the public. **Recommendations** For spider-flow version 0.4.3, consider disabling the `FunctionService.saveFunction` function until a patch is available to prevent code injection attacks. Restrict access to the vulnerable function to minimize the risk of exploitation. Avoid using the affected function in the API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.