Qqwp220

#9390of 53,630
29.4Total CVSS
Vulnerabilities · 3
Critical
3
PT-2024-35777
9.8
2024-05-26
Unknown · Anji-Plus Aj-Report · CVE-2024-5356
**Name of the Vulnerable Software and Affected Versions** anji-plus AJ-Report versions up to 1.4.1 **Description** A critical issue was found in the software, affecting an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the `dynSentence` argument leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For anji-plus AJ-Report versions up to 1.4.1, consider restricting access to the `/dataSet/testTransform;swagger-ui` endpoint to minimize the risk of exploitation. Avoid using the `dynSentence` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.
PT-2024-27520
9.8
2024-04-13
Unknown · Cym1102 Nginxwebui · CVE-2024-3740
**Name of the Vulnerable Software and Affected Versions** cym1102 nginxWebUI versions up to 3.9.9 **Description** A critical issue has been found in the function `exec` of the file `/adminPage/conf/reload`. The manipulation of the argument `nginxExe` leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For versions up to 3.9.9, as a temporary workaround, consider disabling the `exec` function of the file `/adminPage/conf/reload` until a patch is available. Restrict access to the `/adminPage/conf/reload` file to minimize the risk of exploitation. Avoid using the argument `nginxExe` in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2024-25419
9.8
2024-04-06
Xuxueli · Xuxueli Xxl-Job · CVE-2024-3366
**Name of the Vulnerable Software and Affected Versions** Xuxueli xxl-job versions 2.4.0 through 2.4.1 **Description** A vulnerability was found in the `deserialize` function of the file `com/xxl/job/core/util/JdkSerializeTool.java` of the component `Template Handler`. This issue leads to injection. The exploit has been disclosed to the public and may be used. **Recommendations** For versions 2.4.0 through 2.4.1, as a temporary workaround, consider disabling the `deserialize` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.