Qbz95Aaa

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is related to a SQL injection vulnerability. It occurs via the `selectFields` parameter at the `controllerauthAuth.php` file. **Recommendations** For Funadmin version 3.2.0, avoid using the `selectFields` parameter in the affected API endpoint until the issue is resolved. Consider restricting access to the `controllerauthAuth.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to an arbitrary file delete vulnerability. It affects the component `admincontrollerplugins`. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For onekeyadmin version 1.3.9, consider restricting access to the `admincontrollerplugins` component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to an arbitrary file read vulnerability. This vulnerability can be exploited via the `/admin1/file/download` API endpoint. **Recommendations** For onekeyadmin version 1.3.9, consider restricting access to the `/admin1/file/download` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to an arbitrary file read vulnerability. It affects the component "/admin1/curd/code". **Recommendations** For onekeyadmin version 1.3.9, consider restricting access to the "/admin1/curd/code" component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited via the `Title` parameter under the Adding Categories module. **Recommendations** For onekeyadmin version 1.3.9, avoid using the `Title` parameter in the Adding Categories module until the issue is resolved. As a temporary workaround, consider restricting access to the Adding Categories module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability is present in the Add Menu module. **Recommendations** For onekeyadmin version 1.3.9, consider disabling the Add Menu module until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is related to a SQL injection vulnerability. It can be exploited via the `id` parameter at the "/databases/table/list" API endpoint. **Recommendations** For Funadmin version 3.2.0, consider restricting access to the "/databases/table/list" API endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is a SQL injection vulnerability that can be exploited via the `id` parameter at the "/databases/database/edit" API endpoint. This allows for potential unauthorized access and manipulation of database content. **Recommendations** For Funadmin version 3.2.0, consider restricting access to the "/databases/database/edit" API endpoint until a patch is available, and avoid using the `id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/databases/database/list" API endpoint. **Recommendations** For Funadmin version 3.2.0, consider restricting access to the "/databases/database/list" API endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `selectFields` parameter at the `Member.php` file in the `member` directory. **Recommendations** For Funadmin version 3.2.0, consider restricting access to the `selectFields` parameter in the `Member.php` file to minimize the risk of exploitation. Avoid using the `selectFields` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** A SQL injection issue was discovered in Funadmin, affecting the `id` parameter at the "/databases/table/columns" API endpoint. This allows for potential SQL injection attacks. **Recommendations** For Funadmin version 3.2.0, consider restricting access to the "/databases/table/columns" API endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is related to a SQL injection vulnerability. It occurs via the `selectFields` parameter at the `MemberLevel.php` file. **Recommendations** For Funadmin version 3.2.0, consider restricting access to the `selectFields` parameter in the `MemberLevel.php` file to minimize the risk of exploitation. Avoid using the `selectFields` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability is present in the Add Administrator module. **Recommendations** For onekeyadmin version 1.3.9, consider disabling the Add Administrator module until a patch is available to prevent potential exploitation of the stored XSS vulnerability.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability is present in the User Group module. **Recommendations** For onekeyadmin version 1.3.9, consider disabling the User Group module until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This vulnerability is present in the Admin Group module. **Recommendations** For onekeyadmin version 1.3.9, consider disabling the Admin Group module until a patch is available to prevent potential exploitation of the stored cross-site scripting vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** onekeyadmin version 1.3.9 **Description** The issue is related to an arbitrary file upload vulnerability in the /admin1/config/update component, allowing attackers to execute arbitrary code via a crafted PHP file. **Recommendations** For onekeyadmin version 1.3.9, consider disabling the /admin1/config/update component until a patch is available to prevent arbitrary file uploads. Restrict access to this component to minimize the risk of exploitation. Avoid using this component to upload files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Funadmin version 3.2.0 **Description** The issue is related to a remote code execution (RCE) vulnerability. It affects the `controllerAddon.php` component, allowing for potential exploitation. **Recommendations** For Funadmin version 3.2.0, update to a version that fixes this issue, as the current version contains a remote code execution vulnerability via the `controllerAddon.php` component. At the moment, there is no information about a newer version that contains a fix for this vulnerability.