Unknown · Bian Que Feijiu Intelligent Emergency/Quality Control System · CVE-2025-34162
Name of the Vulnerable Software and Affected Versions:
Bian Que Feijiu Intelligent Emergency and Quality Control System (affected versions not specified)
Description:
An unauthenticated SQL injection vulnerability exists in the `GetLyfsByParams` endpoint of the `/AppService/BQMedical/WebServiceForFirstaidApp.asmx` interface. The backend fails to properly sanitize user-supplied input in the `strOpid` parameter, allowing attackers to inject arbitrary SQL statements. This can lead to data exfiltration, authentication bypass, and potentially remote code execution, depending on backend configuration.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
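While no fixed version is listed, requests to the affected interface can be screened for unexpected `strOpid` values. The following is an added example, not code from the advisory or the vendor: it assumes legitimate `strOpid` values are short alphanumeric identifiers, and the sample requests and the `tempuri.org` namespace are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

ASMX_PATH = "/AppService/BQMedical/WebServiceForFirstaidApp.asmx"  # from the advisory
PARAM = "stropid"  # advisory's strOpid, lower-cased for case-insensitive matching
# ASSUMPTION: legitimate strOpid values are short alphanumeric identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def stropid_values(url, body):
    """Collect strOpid values from the query string, form body or SOAP body."""
    parts = urlsplit(url)
    if not parts.path.lower().startswith(ASMX_PATH.lower()):
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    text = body.strip()
    if text.startswith("<"):
        if "<!doctype" in text.lower():
            return [text]  # a DTD has no place in a SOAP call; report, do not parse
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return [text]  # malformed XML aimed at the endpoint: report as-is
        pairs += [(el.tag.rsplit("}", 1)[-1], el.text or "") for el in root.iter()]
    else:
        pairs += parse_qsl(text, keep_blank_values=True)
    return [v for k, v in pairs if k.lower() == PARAM]

def suspicious(url, body):
    """Return strOpid values that fall outside the assumed allow-list."""
    return [v for v in stropid_values(url, body) if not SAFE_VALUE.fullmatch(v)]

# Constructed sample requests (url, body); the tempuri.org namespace is assumed.
SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<GetLyfsByParams xmlns="http://tempuri.org/"><strOpid>{}</strOpid>'
        '</GetLyfsByParams></s:Body></s:Envelope>')
SAMPLES = [
    (ASMX_PATH + "/GetLyfsByParams", "strOpid=A1023"),
    (ASMX_PATH + "/GetLyfsByParams", "strOpid=1%27+OR+%271%27%3D%271"),
    (ASMX_PATH, SOAP.format("A1023")),
    (ASMX_PATH, SOAP.format("x'; --")),
    ("/index.aspx", "strOpid=x'"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url.rsplit("/", 1)[-1], suspicious(url, body))
```

The allow-list should be tightened to the real identifier format once it is known; an allow-list on the value is more reliable here than matching SQL keywords.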