
Songtancat

#14582 of 53,639
18.6 CVSS total
Vulnerabilities · 2
High: 1
Critical: 1
PT-2018-14225
9.8
2018-10-01
Wuzhi · Wuzhi Cms · CVE-2018-17852
**Name of the Vulnerable Software and Affected Versions**
WUZHI CMS version 4.1.0

**Description**
A SQL injection issue was found in the `coreframe/app/coupon/admin/card.php` file, specifically via the `groupname` parameter to the `/index.php?m=coupon&f=card&v=detail listing` API endpoint.

**Recommendations**
For WUZHI CMS version 4.1.0, as a temporary workaround, consider restricting access to the `/index.php?m=coupon&f=card&v=detail listing` API endpoint and avoid using the `groupname` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.
PT-2017-12213
8.8
2017-07-29
Bigtree · Bigtree · CVE-2017-11736
**Name of the Vulnerable Software and Affected Versions**
BigTree version 4.2.18

**Description**
The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `tags` array parameter in the `process.php` file, which is part of the `core/admin/auto-modules/forms` directory.

**Recommendations**
For BigTree version 4.2.18, update to a version that fixes this issue to prevent the execution of arbitrary SQL commands. At the moment, there is no information about a newer version that contains a fix for this vulnerability.