T4Rnrookie

Rank: #13748 of 53,632
Total CVSS: 19.6
Vulnerabilities: 2
Critical: 2
PT-2025-37721
9.8
2025-09-15
Amazon · Amazon Redshift · CVE-2025-58748
**Name of the Vulnerable Software and Affected Versions**
Dataease versions prior to 2.10.13

**Description**
Dataease is an open source data analytics and visualization platform. The H2 data source implementation (H2.java) lacks validation to ensure that a provided JDBC URL begins with `jdbc:h2`. This allows a crafted JDBC configuration to substitute the Amazon Redshift driver and use the `socketFactory` and `socketFactoryArg` parameters to invoke `org.springframework.context.support.FileSystemXmlApplicationContext` or `ClassPathXmlApplicationContext` with a remote XML resource controlled by an attacker, potentially leading to remote code execution.

**Recommendations**
Update to Dataease version 2.10.13 or later.
PT-2022-25610
9.8
2022-10-18
Phpok · Phpok · CVE-2022-40889
**Name of the Vulnerable Software and Affected Versions**
Phpok version 6.1

**Description**
The issue is a deserialization vulnerability. It affects the framework/phpok call.php file.

**Recommendations**
For Phpok version 6.1, consider restricting access to the framework/phpok call.php file until a patch is available. As a temporary workaround, avoid using deserialization functions in the affected file to minimize the risk of exploitation.