Tttlw1024

**Name of the Vulnerable Software and Affected Versions** wgcloud versions prior to 2.3.8 **Description** An issue allows a remote attacker to execute arbitrary code via the test connection function. **Recommendations** Update to a version prior to 2.3.8.

**Name of the Vulnerable Software and Affected Versions** wgcloud version 3.6.3 **Description** The backend database management connection test feature contains a server-side request forgery (SSRF) issue. This allows an attacker to make the server send requests to probe the internal network and remotely download malicious files, among other dangerous operations. The vulnerable feature involves server-side requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wgcloud versions prior to 3.6.3 **Description** An arbitrary file read issue exists in the test connection function of the backend database management component. This allows an attacker to read any file on the affected server. **Recommendations** Update to a version later than 3.6.3.

**Name of the Vulnerable Software and Affected Versions** WCMS versions up to 8.3.11 **Description** A critical issue has been found in the Login component, specifically affecting the `getMemberByUid` function. The manipulation of the `uid` argument leads to improper authentication, allowing for remote attacks. The complexity of an attack is rather high, and the exploitation appears to be difficult. The issue has been publicly disclosed, and the vendor was contacted but did not respond. **Recommendations** For WCMS versions up to 8.3.11, as a temporary workaround, consider disabling the `getMemberByUid` function until a patch is available. Restrict access to the `/index.php?articleadmin/getallcon` endpoint to minimize the risk of exploitation. Avoid using the `uid` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** itning Student Homework Management System versions 1.2.7 and earlier **Description** A problem has been identified in the system, affecting an unknown functionality. This issue leads to cross-site request forgery, which can be exploited remotely. Multiple endpoints may be affected by this issue. The exploit has been made public, which may lead to its use. **Recommendations** For itning Student Homework Management System versions 1.2.7 and earlier, consider restricting access to unknown functionalities until a patch is available. As a temporary workaround, restrict access to multiple endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** itning Student Homework Management System versions 1.2.7 and earlier **Description** A problem was found in the itning Student Homework Management System. It affects an unknown function of the file /shw war/fileupload in the Edit Job Page component. The issue is caused by the manipulation of the `Course` argument, leading to cross-site scripting. This can be exploited remotely. The exploit has been made public and may be used. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For itning Student Homework Management System versions 1.2.7 and earlier, as a temporary workaround, consider restricting access to the /shw war/fileupload file and the Edit Job Page component to minimize the risk of exploitation. Avoid using the `Course` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yzk2356911358 StudentServlet-JSP (affected versions not specified) **Description** A problematic issue was found in the Student Management Handler component, allowing for cross-site scripting through the manipulation of the `Name` argument. This can be initiated remotely. The issue has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yzk2356911358 StudentServlet-JSP (affected versions not specified) **Description** A vulnerability has been found in the software, classified as problematic, and it affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.