Rainmanzzz

Name of the Vulnerable Software and Affected Versions: Metersphere version 1.15.4 Description: Time-based SQL Injection vulnerabilities were found via the `orders` parameter. Recommendations: For Metersphere version 1.15.4, avoid using the `orders` parameter until a fix is available. Consider restricting access to the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Metersphere version 1.15.4 Description: An arbitrary file read issue was found, allowing authenticated users to read any file on the server via the file download function. Recommendations: For Metersphere version 1.15.4, consider restricting access to the file download function until a patch is available. As a temporary workaround, limit the files that can be downloaded through this function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Metersphere version 1.15.4 Description: An arbitrary file upload issue was discovered, allowing unauthenticated users to upload files to any directory. This could enable attackers to write a cron job for command execution. Recommendations: For Metersphere version 1.15.4, consider restricting file upload capabilities to authenticated users only, and limit the directories where files can be uploaded to prevent arbitrary file writing. As a temporary workaround, monitor cron jobs closely for suspicious activity and restrict access to sensitive directories until a patch is available.