Uzjuo

Name of the Vulnerable Software and Affected Versions: Dify version 1.0 Description: The issue is related to a Server-Side Request Forgery (SSRF) via the component `controllers.console.remote files.RemoteFileUploadApi`. This allows for potential unauthorized access to internal resources. Recommendations: For Dify version 1.0, consider disabling the `RemoteFileUploadApi` component until a patch is available to prevent potential SSRF attacks. Restrict access to the `controllers.console.remote files` module to minimize the risk of exploitation. Avoid using the `RemoteFileUploadApi` endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Yimioa version 6.1 **Description** A SQL injection issue was found in Yimioa via the `orderbyGET` parameter. This allows for potential manipulation of database queries. **Recommendations** For Yimioa version 6.1, consider restricting access to the `orderbyGET` parameter until a patch is available. Avoid using the `orderbyGET` parameter in sensitive queries to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ywoa versions prior to 6.1 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the "/oa/setup/checkPool?database" API endpoint. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 6.1, update to version 6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/oa/setup/checkPool?database" API endpoint until a patch is available. Avoid using the `database` parameter in the affected API endpoint until the issue is resolved.