Raybye

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** A SQL injection issue was discovered via the `tablename` parameter at the "/data/masterdata/datas" API endpoint. This allows for potential exploitation. **Recommendations** For Alldata version 0.4.6, as a temporary workaround, consider restricting access to the `/data/masterdata/datas` API endpoint until a patch is available. Avoid using the `tablename` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** The issue allows for command execution, where system commands can be deserialized. **Recommendations** For Alldata version 0.4.6, as a temporary workaround, consider restricting the deserialization of system commands until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** The issue allows users, such as `test`, to query information about the users in the system due to insecure permissions. **Recommendations** For Alldata version 0.4.6, restrict access to sensitive user information to prevent unauthorized queries. As a temporary workaround, consider limiting the privileges of the `test` user until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** The issue is related to Incorrect Access Control, resulting in the leakage of many modules' interface documents. For example, the "/api/system/v2/api-docs" module is affected. **Recommendations** For Alldata version 0.4.6, consider restricting access to the "/api/system/v2/api-docs" module to minimize the risk of exploitation. Additionally, review and secure all interface documents to prevent further leaks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** The issue in the system image upload interface allows attackers to execute a directory traversal when uploading a file. This enables them to access or modify files outside the intended directory, potentially leading to unauthorized data access or system compromise. **Recommendations** For Alldata version 0.4.6, consider restricting access to the system image upload interface until a patch is available. As a temporary workaround, avoid using the file upload feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** An issue in Alldata allows an attacker to run arbitrary commands via the `processId` parameter. **Recommendations** For Alldata version 0.4.6, avoid using the `processId` parameter until a fix is available. As a temporary workaround, consider restricting access to the affected functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Alldata version 0.4.6 **Description** A deserialization vulnerability in the FASTJSON component allows attackers to execute arbitrary commands via supplying crafted data. **Recommendations** For Alldata version 0.4.6, at the moment, there is no information about a newer version that contains a fix for this vulnerability.