Uglory

Name of the Vulnerable Software and Affected Versions: ESAPI esapi-java-legacy versions prior to 2.7.0.0 Description: A vulnerability was found in the interface `Encoder.encodeForSQL` of the SQL Injection Defense, leading to an improper neutralization of special elements. The attack may be initiated remotely. This issue affects the SQL Injection Defense, allowing for potential exploitation. The project handled the issue professionally after being contacted. Recommendations: For versions prior to 2.7.0.0, upgrade to version 2.7.0.0 to address this issue. As a temporary workaround, consider disabling the `Encoder.encodeForSQL` interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** quequnlong shiyi-blog versions up to 1.2.1 **Description** A vulnerability has been found in quequnlong shiyi-blog, affecting an unknown functionality of the file "/dev-api/api/comment/add". The manipulation of the `content` argument leads to cross-site scripting. The attack can be launched remotely. **Recommendations** For quequnlong shiyi-blog versions up to 1.2.1, as a temporary workaround, consider restricting access to the "/dev-api/api/comment/add" endpoint until a patch is available. Avoid using the `content` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** quequnlong shiyi-blog versions up to 1.2.1 **Description** A critical issue was found in the Administrator Backend component, specifically in the `/api/sys/user/verifyPassword/` endpoint, affecting an unknown function. This leads to improper authentication and can be exploited remotely. The issue has been publicly disclosed. **Recommendations** For quequnlong shiyi-blog versions up to 1.2.1, as a temporary workaround, consider restricting access to the `/api/sys/user/verifyPassword/` endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** quequnlong shiyi-blog versions up to 1.2.1 **Description** A critical issue has been found in quequnlong shiyi-blog, affecting some unknown processing of the file `/dev api/app/album/photos/`. This leads to improper authorization, and the attack may be initiated remotely. **Recommendations** For versions up to 1.2.1, as a temporary workaround, consider restricting access to the `/dev api/app/album/photos/` endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** quequnlong shiyi-blog versions up to 1.2.1 **Description** A critical issue was found in the unknown code of the file /app/sys/article/optimize. The manipulation of the `url` argument leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** For quequnlong shiyi-blog versions up to 1.2.1, consider disabling access to the /app/sys/article/optimize file until a patch is available. As a temporary workaround, restrict the manipulation of the `url` argument to minimize the risk of exploitation. Avoid using the `url` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** quequnlong shiyi-blog versions up to 1.2.1 **Description** A critical issue has been discovered, affecting an unknown part of the file /api/file/upload. The manipulation of the `file/source` argument leads to path traversal. This issue can be exploited remotely. The details of the issue have been publicly disclosed. **Recommendations** For quequnlong shiyi-blog versions up to 1.2.1, as a temporary workaround, consider restricting access to the `/api/file/upload` endpoint until a patch is available. Avoid using the `file/source` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ContiNew Admin versions up to 3.6.0 **Description** A vulnerability has been found in ContiNew Admin, allowing for unverified password change. The issue affects an unknown functionality of the file "/dev-api/system/user/1/password". This can be exploited remotely. The vendor was contacted about the disclosure but did not respond. **Recommendations** For ContiNew Admin versions up to 3.6.0, as a temporary workaround, consider restricting access to the "/dev-api/system/user/1/password" endpoint until a patch is available. Avoid using this endpoint for password changes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ContiNew Admin versions up to 3.6.0 **Description** A problematic issue was found in ContiNew Admin, affecting an unknown function of the file /dev-api/common/file. The manipulation of the `File` argument leads to cross-site scripting. It is possible to launch the attack remotely. The issue has been publicly disclosed. **Recommendations** For ContiNew Admin versions up to 3.6.0, as a temporary workaround, consider restricting access to the /dev-api/common/file to minimize the risk of exploitation. Avoid using the `File` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** itwanger paicoding version 1.0.3 **Description** A critical vulnerability was found in itwanger paicoding, affecting an unknown part of the file "/article/api/post" of the component Article Handler. The manipulation of the `articleId` argument leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For itwanger paicoding version 1.0.3, consider disabling the `/article/api/post` endpoint or restricting access to it until a patch is available. As a temporary workaround, avoid using the `articleId` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** itwanger paicoding version 1.0.3 **Description** A vulnerability was found in the Browsing History Handler component, affecting some unknown functionality of the file "/user/home?userId=1&homeSelectType=read". The manipulation of this issue leads to information disclosure. The attack may be launched remotely. **Recommendations** For itwanger paicoding version 1.0.3, consider restricting access to the "/user/home" endpoint to minimize the risk of exploitation. Avoid using the `userId` and `homeSelectType` variables in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** itwanger paicoding version 1.0.3 **Description** A vulnerability has been found in the software, classified as problematic. It affects an unknown functionality of the file "/article/app/post". The manipulation of the `content` argument leads to cross-site scripting. The attack can be launched remotely. **Recommendations** For itwanger paicoding version 1.0.3, consider restricting access to the "/article/app/post" file until a patch is available. As a temporary workaround, avoid using the `content` argument in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iteaj iboot 物联网网关 version 1.1.3 **Description** A issue was found in the File Upload component, affecting the processing of the file `/common/upload/batch`. The manipulation of the `File` argument leads to cross-site scripting. The attack may be initiated remotely. **Recommendations** For iteaj iboot 物联网网关 version 1.1.3, consider restricting access to the `/common/upload/batch` endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `File` argument in the affected File Upload component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iteaj iboot 物联网网关 version 1.1.3 **Description** A vulnerability has been found in the File Upload component, specifically affecting the /common/upload file. The manipulation of the `File` argument leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For iteaj iboot 物联网网关 version 1.1.3, consider disabling the File Upload component until a patch is available to prevent cross-site scripting attacks. Restrict access to the /common/upload file to minimize the risk of exploitation. Avoid using the `File` argument in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iteaj iboot 物联网网关 version 1.1.3 **Description** A problematic issue was found in the Admin Password Handler component, affecting an unknown part of the file /core/admin/pwd. The manipulation of the `ID` argument leads to improper access controls, allowing for remote attacks. The issue has been publicly disclosed. **Recommendations** For iteaj iboot 物联网网关 version 1.1.3, consider restricting access to the /core/admin/pwd file and the Admin Password Handler component to minimize the risk of exploitation. As a temporary workaround, avoid using the `ID` argument in the affected component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** zhijiantianya ruoyi-vue-pro version 2.4.1 **Description** A critical issue was found in the Material Upload Interface component, specifically affecting an unknown function of the file /admin-api/mp/material/upload-news-image. The manipulation of the `File` argument leads to path traversal. This issue can be exploited remotely. **Recommendations** For version 2.4.1, as a temporary workaround, consider restricting access to the `/admin-api/mp/material/upload-news-image` endpoint to minimize the risk of exploitation. Avoid using the `File` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zhijiantianya ruoyi-vue-pro version 2.4.1 **Description** A problematic issue has been found in the Material Upload Interface component, affecting the processing of the file `/admin-api/mp/material/upload-temporary`. The manipulation of the `File` argument leads to path traversal. This issue can be exploited remotely. **Recommendations** For zhijiantianya ruoyi-vue-pro version 2.4.1, as a temporary workaround, consider restricting access to the `/admin-api/mp/material/upload-temporary` endpoint to minimize the risk of exploitation. Avoid using the `File` argument in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zhijiantianya ruoyi-vue-pro version 2.4.1 **Description** A critical issue exists in zhijiantianya ruoyi-vue-pro 2.4.1 related to path traversal. The issue resides in the file `/admin-api/mp/material/upload-permanent` within the Material Upload Interface component. Manipulation of the `File` argument allows for remote exploitation. The exploit for this issue has been publicly disclosed. **Recommendations** Versions prior to 2.4.1 are potentially affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zhijiantianya ruoyi-vue-pro version 2.4.1 **Description** A critical vulnerability was found in the Backend File Upload Interface of zhijiantianya ruoyi-vue-pro. This affects an unknown part of the file "/admin-api/infra/file/upload" and allows for path traversal through the manipulation of the `path` argument. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** As a temporary workaround, consider disabling the file upload functionality in the Backend File Upload Interface until a patch is available. Restrict access to the "/admin-api/infra/file/upload" endpoint to minimize the risk of exploitation. Avoid using the `path` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zhijiantianya ruoyi-vue-pro version 2.4.1 **Description** A critical issue has been found in the file /app-api/infra/file/upload of the component Front-End Store Interface. The manipulation of the `path` argument leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond. **Recommendations** For version 2.4.1, as a temporary workaround, consider restricting access to the `/app-api/infra/file/upload` endpoint until a patch is available. Avoid using the `path` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: aitangbao springboot-manager version 3.0 Description: A problematic vulnerability was found in the code of the file /sys/dept, allowing for cross site scripting attacks through the manipulation of the `name` argument. The attack can be initiated remotely. Other parameters might also be affected. The vendor was contacted about this disclosure but did not respond. Recommendations: For aitangbao springboot-manager version 3.0, as a temporary workaround, consider restricting access to the /sys/dept file until a patch is available. Avoid using the `name` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.