Redpomelo

**Name of the Vulnerable Software and Affected Versions** zj1983 zz versions up to 2024-8 **Description** A critical vulnerability was found in the unknown functionality of the file /import data todb. The manipulation of the `url` argument leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** As a temporary workaround, consider disabling the functionality related to the /import data todb file until a patch is available. Restrict access to the /import data todb file to minimize the risk of exploitation. Avoid using the `url` argument in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zj1983 zz versions up to 2024-8 **Description** A critical vulnerability has been found in the affected software. The issue is related to an unknown function of the file /import data check, where the manipulation of the `url` argument leads to server-side request forgery. This can be exploited remotely. The exploit has been disclosed publicly, and the vendor was contacted but did not respond. **Recommendations** For zj1983 zz versions up to 2024-8, as a temporary workaround, consider restricting access to the /import data check file and limiting the manipulation of the `url` argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zj1983 zz versions up to 2024-8 **Description** A critical issue was found, affecting an unknown part of the file /resolve. The manipulation of the `file` argument leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For versions up to 2024-8, consider restricting access to the /resolve file to minimize the risk of exploitation. As a temporary workaround, avoid using the `file` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zj1983 zz up to 2024-8 **Description** A critical vulnerability has been found in zj1983 zz, affecting some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipulation of the `file` argument leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** As a temporary workaround, consider disabling the upload functionality in ZfileAction.upload until a patch is available. Restrict access to the src/main/java/com/futvan/z/system/zfile/ZfileAction.upload file to minimize the risk of exploitation. Avoid using the `file` argument in the affected upload functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zj1983 zz up to 2024-08 **Description** A vulnerability was found in zj1983 zz, affecting an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** newbee-mall version 1.0 **Description** A problematic issue has been found in newbee-mall. The `save` function of the `/admin/categories/save` API endpoint in the Add Category Page component is affected. The manipulation of the `categoryName` argument leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** For newbee-mall version 1.0, as a temporary workaround, consider restricting access to the `save` function of the `/admin/categories/save` API endpoint until a fix is available. Avoid using the `categoryName` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** fumiao opencms version 2.2 **Description** A vulnerability was found in the file /admin/model/addOrUpdate of the component Add Model Management Page. The manipulation of the argument `模板前缀` leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For fumiao opencms version 2.2, as a temporary workaround, consider restricting access to the /admin/model/addOrUpdate endpoint until a patch is available. Avoid using the `模板前缀` argument in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** taisan tarzan-cms version 1.0.0 **Description** A critical issue was found in the Article Management component, specifically affecting the `UploadResponse` function of the `UploadController.java` file. The manipulation of the `file` argument leads to unrestricted upload. This issue can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For taisan tarzan-cms version 1.0.0, consider disabling the `UploadResponse` function until a patch is available to prevent unrestricted file uploads. Restrict access to the `UploadController.java` file to minimize the risk of exploitation. Avoid using the `file` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.