Tyaooo

**Name of the Vulnerable Software and Affected Versions** crmeb java versions prior to 1.3.4 **Description** The issue allows attackers to execute arbitrary SQL commands by sending a crafted GET request to the "api/front/spread/people" endpoint. This enables attackers to manipulate the database, potentially leading to unauthorized data access or modification. **Recommendations** For versions prior to 1.3.4, update to version 1.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/front/spread/people" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CRMEB crmeb java versions 1.3.4 and earlier **Description** The issue allows a remote attacker to obtain sensitive information via the `latitude` and `longitude` parameters in the "api/front/store/list" component. This enables the attacker to exploit the SQL Injection vulnerability, potentially leading to unauthorized access to sensitive data. **Recommendations** For CRMEB crmeb java versions 1.3.4 and earlier, consider disabling the "api/front/store/list" component or restricting access to it until a patch is available. Additionally, avoid using the `latitude` and `longitude` parameters in this component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xmall version 1.1 **Description** The issue is a SQL injection vulnerability. It occurs via the `orderDir` parameter. **Recommendations** For xmall version 1.1, as a temporary workaround, consider restricting the use of the `orderDir` parameter until a patch is available. Avoid using the `orderDir` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.