Qingyunsec

**Name of the Vulnerable Software and Affected Versions** MacCMS Pro versions prior to 2022.1.4 **Description** A flaw in the Plugin Installation Handler component allows for unrestricted file upload. A remote attacker can exploit this by manipulating the `install()` function within the '/admi.php/admin/addon/add.html' endpoint. **Recommendations** Update to a version later than 2022.1.3. As a temporary workaround, restrict access to the '/admi.php/admin/addon/add.html' endpoint or disable the `install()` function in the Plugin Installation Handler.

**Name of the Vulnerable Software and Affected Versions** JiZhiCMS versions prior to 2.5.7 **Description** An issue exists in the `htmlspecialchars decode()` function within the file '/index.php/admins/Sys/addcache.html'. Remote attackers can perform SQL injection by manipulating the `sqls` argument. SQL injection is a technique where malicious SQL statements are inserted into entry fields for execution, potentially allowing unauthorized access to the database. **Recommendations** Update to a version later than 2.5.6. As a temporary workaround, restrict access to the '/index.php/admins/Sys/addcache.html' file or avoid using the `sqls` parameter.

**Name of the Vulnerable Software and Affected Versions** Z-BlogPHP version 1.7.5 **Description** An issue in the ZBA File Handler component allows for unrestricted file upload. This occurs within the `App::UnPack()` function located in the '/zb users/plugin/AppCentre/app upload.php' file and can be triggered remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the '/zb users/plugin/AppCentre/app upload.php' file or disabling the `App::UnPack()` function.