Red0_Ha1Yu

**Name of the Vulnerable Software and Affected Versions** ketr JEPaaS versions up to 7.2.8 **Description** A SQL injection issue exists in ketr JEPaaS. The `postilService.loadPostils` function, located in the file `/je/postil/postil/loadPostil`, is susceptible to exploitation. Manipulation of the `keyWord` argument can lead to SQL injection. Remote exploitation is possible. **Recommendations** Versions prior to 7.2.8 should be updated. As a temporary workaround, consider restricting access to the `postilService.loadPostils` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** xiweicheng TMS versions prior to 2.28.1 **Description** A security issue exists in xiweicheng TMS. The `createComment` function within the `/admin/blog/comment/create` file is susceptible to cross site scripting. Manipulation of the `content` argument can be leveraged to perform remote attacks. The exploit has been publicly disclosed. **Recommendations** Update to a version prior to 2.28.1. As a temporary workaround, consider restricting access to the `/admin/blog/comment/create` file.

**Name of the Vulnerable Software and Affected Versions** Novel-Plus version 4.3.0-RC1 **Description** A critical issue affects the processing of the file /novel/bookComment/list. The manipulation of the argument `sort` leads to SQL injection. **Recommendations** For Novel-Plus version 4.3.0-RC1, consider restricting access to the /novel/bookComment/list file until a patch is available. As a temporary workaround, avoid using the `sort` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.