Sourbyte

**Name of the Vulnerable Software and Affected Versions** Oinone Pamirs versions prior to 7.2.0 **Description** A SQL injection issue exists in the 'queryListByWrapper' interface. This occurs within the `RSQLToSQLNodeConnector.makeVariable()` function, allowing a remote attacker to manipulate SQL queries. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oinone Pamirs versions prior to 7.2.0 **Description** A path traversal flaw exists in the RestController component within the `LocalFileClient.java` file. The issue occurs in the `request.getParameter()` function when the `uniqueFileName` argument is manipulated, allowing an attacker with physical access to the device to perform path traversal. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `uniqueFileName` argument within the `request.getParameter()` function of the RestController component.

**Name of the Vulnerable Software and Affected Versions** Oinone Pamirs versions prior to 7.2.0 **Description** A remote deserialization issue exists in the appConfigQuery Interface component within the file PamirsParserConfig.java. The flaw is located in the `JsonUtils.parseMap()` function, which can be manipulated to trigger deserialization, potentially leading to remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `JsonUtils.parseMap()` function within the appConfigQuery Interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ThingsGateway version 12 **Description** A path traversal issue exists in ThingsGateway version 12, specifically affecting an unknown part of the `/api/file/download` file. Manipulation of the `fileName` argument allows for path traversal. Remote exploitation is possible, and an exploit is publicly available. The vendor was contacted regarding this issue but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** O2OA versions prior to 9.0.0 **Description** A flaw exists in O2OA up to version 9.0.0 related to XML external entity reference. The issue is located within the HTTP POST Request Handler component, specifically in the file `/x program center/jaxrs/mpweixin/check`. The manipulation allows for remote initiation of the attack. The exploit is publicly available. **Recommendations** Update O2OA to version 9.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** WuKongOpenSource WukongCRM versions through 11.3.3 **Description** A security flaw exists in WuKongOpenSource WukongCRM, specifically within the URL Handler component. The issue resides in the file `gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java` and results in improper authorization. Remote exploitation is possible through manipulation. The exploit has been publicly released and may be used in attacks. The vendor was notified but did not respond. **Recommendations** Versions prior to 11.3.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** MineAdmin versions 1.x through 2.x **Description** A flaw exists in MineAdmin that allows information disclosure. This occurs due to manipulation of the `ID` argument within the `/system/downloadById` file. The attack can be initiated remotely and is considered to have high complexity, though exploitation is described as difficult. The exploit is publicly available. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MineAdmin versions 1.x and 2.x **Description** A security issue exists in MineAdmin that allows information disclosure. The issue is related to manipulating the `ID` argument within an unknown function of the `/system/getFileInfoById` file. This manipulation can be performed remotely. The exploit has been publicly disclosed. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MineAdmin versions 1.x and 2.x **Description** A weakness exists in the JWT Token Handler component of MineAdmin. The issue affects the `refresh` function of the `/system/refresh` file and involves insufficient verification of data authenticity. The attack can be initiated remotely and is considered to have high complexity, with difficult exploitability. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 1.x and 2.x should be updated. Consider temporarily disabling the `refresh` function within the JWT Token Handler component. Restrict access to the `/system/refresh` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MineAdmin versions 1.x through 2.x **Description** A security flaw exists in MineAdmin impacting the Swagger component. Manipulation of an unknown function can lead to information disclosure. The exploit is publicly available and may be used in attacks. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MineAdmin versions 1.x and 2.x **Description** A security issue exists in MineAdmin that allows for improper authorization. The issue is related to an unknown function within the `/system/cache/view` file of the View Interface component. This issue is potentially exploitable remotely and a public exploit is available. The vendor was notified but did not respond. **Recommendations** Versions prior to 1.x and 2.x should be updated.