
Tom0Li

#20059 of 53,624
12.9 Total CVSS
Vulnerabilities · 2 (Medium 1, High 1)
PT-2018-9694
7.5
2018-04-16
Qingdao Nature Easy Soft · Qingdao Nature Easy Soft Chanzhi Enterprise Portal System · CVE-2018-10122
Affected software and versions: QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka chanzhieps) version pro1.6.
Description: Remote attackers can read arbitrary files from the server by supplying directory traversal sequences (such as `../`) in the `pathname` parameter of the "www/file.php" endpoint. The endpoint uses the parameter to locate a file on disk without confining the resolved path to the intended directory.
Recommendations: Until a fixed version is available, restrict access to "www/file.php" (for example to authenticated users or trusted networks) and do not pass user-controlled values in `pathname`. A proper fix canonicalises the requested path (after percent-decoding) and rejects any value that resolves outside the directory the endpoint is meant to serve; blacklisting the literal string `..` is not sufficient, since encoded variants such as `%2e%2e%2f` bypass it.
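The following is an added example, not code from Chanzhi EPS or from this advisory, showing the kind of check the recommendation above calls for. It contrasts a naive "join base directory with the parameter and open" pattern, which is what a traversal bug looks like in general, with a hardened resolver that percent-decodes the value, canonicalises it and refuses anything outside the web root. The web-root layout, file names and probe strings are constructed for illustration.

```python
"""Hardened handling of a file-path parameter such as `pathname`.

Added example (not vendor code). The throwaway web root, the file names and
the traversal probes below are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_read(base_dir: str, pathname: str) -> str:
    """Naive pattern: concatenate and open. '../x' escapes base_dir, and an
    absolute pathname makes os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, pathname), "rb") as f:
        return f.read().decode(errors="replace")


def resolve_under(base_dir: str, pathname: str) -> Path:
    """Return the canonical path for `pathname` only if it stays under base_dir.

    Percent-decodes twice (so '%2e%2e%2f' and double-encoded '%252e' are seen),
    rejects NUL bytes, strips a leading slash so the value cannot be absolute,
    resolves symlinks and '..', then checks containment on the resolved path.
    """
    base = Path(base_dir).resolve()
    decoded = unquote(unquote(pathname))
    if "\x00" in decoded:
        raise PermissionError("NUL byte in pathname")
    candidate = (base / decoded.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)          # raises ValueError if outside base
    except ValueError:
        raise PermissionError(f"pathname escapes web root: {pathname!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(pathname)
    return candidate


def hardened_read(base_dir: str, pathname: str) -> str:
    return resolve_under(base_dir, pathname).read_bytes().decode(errors="replace")


def demo() -> dict:
    """Build a throwaway web root plus a secret outside it and compare both readers."""
    root = Path(tempfile.mkdtemp())
    web = root / "www"
    web.mkdir()
    (web / "index.html").write_text("<h1>hello</h1>")
    (root / "secret.txt").write_text("db_password=hunter2")   # outside the web root

    results = {
        "vuln_escapes": vulnerable_read(str(web), "../secret.txt"),
        "hardened_ok": hardened_read(str(web), "index.html"),
    }
    probes = ["../secret.txt", "..%2fsecret.txt", "..%252fsecret.txt", "/../secret.txt"]
    blocked = []
    for probe in probes:
        try:
            hardened_read(str(web), probe)
            blocked.append(False)
        except PermissionError:
            blocked.append(True)
    results["hardened_blocked_all"] = all(blocked)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The containment check is done on the fully resolved path, not on the string, so symlinks inside the web root that point outside it are also refused; if such links are legitimate in a deployment, the check needs an explicit allow-list rather than a weaker comparison.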
PT-2018-9629
5.4
2018-04-11
Catfish · Catfish Cms · CVE-2018-10023
Affected software and versions: Catfish CMS version 4.7.21.
Description: Cross-site scripting (XSS) via the `pinglun` parameter of the "cat/index/index/pinglun" endpoint. The parameter carries the text of a comment submitted by an authenticated user, so posting the payload requires an account; the comment text is then rendered without adequate output encoding, which, as with any comment field, exposes whoever views the comment.
Recommendations: For Catfish CMS 4.7.21, do not allow untrusted values in the `pinglun` parameter of "cat/index/index/pinglun" until the issue is resolved; as a temporary workaround, restrict who can reach the endpoint (for example by limiting commenting to trusted accounts) to reduce exposure. The proper fix is to HTML-encode the comment body wherever it is rendered.
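Both entries on this page name a specific endpoint and parameter, which is exactly what a detection needs. The block below is an added example, not code from either vendor or from the database, that scans web-server access-log lines for traversal probes against the `pathname` parameter of "www/file.php" (CVE-2018-10122) and script-injection probes against the `pinglun` parameter of "cat/index/index/pinglun" (CVE-2018-10023). The log lines, host paths and client addresses are constructed; the patterns are generic traversal and XSS indicators, not signatures taken from the advisories.

```python
"""Access-log detection for the two endpoints named on this page.

Added example (not vendor code). LOG_LINES are constructed combined-format
entries with made-up client addresses; the regexes are general indicators.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self/)", re.I)
XSS = re.compile(r"(<\s*/?\s*script|javascript:|\bon\w+\s*=|<\s*(img|svg|iframe)\b)", re.I)

# endpoint suffix -> (parameter, identifier, kind, pattern)
RULES = {
    "/www/file.php": ("pathname", "CVE-2018-10122", "directory traversal", TRAVERSAL),
    "/cat/index/index/pinglun": ("pinglun", "CVE-2018-10023", "XSS", XSS),
}

# Apache/nginx combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample input (not real traffic).
LOG_LINES = [
    '203.0.113.7 - - [16/Apr/2018:10:01:12 +0000] "GET /www/file.php?pathname=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1432 "-" "curl/7.58.0"',
    '203.0.113.7 - - [16/Apr/2018:10:01:15 +0000] "GET /www/file.php?pathname=%252e%252e%252fconfig%252fmy.php HTTP/1.1" 200 812 "-" "curl/7.58.0"',
    '198.51.100.4 - - [11/Apr/2018:08:22:03 +0000] "GET /cat/index/index/pinglun?pinglun=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/Apr/2018:08:22:10 +0000] "GET /cat/index/index/pinglun?pinglun=nice+post HTTP/1.1" 200 233 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Apr/2018:08:30:00 +0000] "GET /www/file.php?pathname=images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded probes are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(line: str):
    """Return a hit dict if the line targets a known endpoint with a suspicious
    value in the relevant parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    for endpoint, (param, cve, kind, pattern) in RULES.items():
        if not parts.path.endswith(endpoint):
            continue
        # parse_qs already decodes one layer; fully_decode handles the rest
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            hit = pattern.search(value)
            if hit:
                return {
                    "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                    "endpoint": endpoint, "param": param, "cve": cve, "kind": kind,
                    "value": value, "matched": hit.group(0),
                }
    return None


def scan(lines):
    return [hit for hit in (analyze(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"{hit['ts']} {hit['ip']} {hit['kind']} ({hit['cve']}) "
              f"{hit['param']}={hit['value']!r} status={hit['status']}")
```

Two caveats. A 200 status on a traversal hit is the signal to triage first, since it suggests the file was actually returned. And comments are normally submitted by POST, whose body is not in a standard access log, so the `pinglun` rule only catches GET-style probes; coverage of real comment posts needs application logs or a WAF that records request bodies.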