Wkstestete

**Name of the Vulnerable Software and Affected Versions** EyouCMS versions up to 1.5.4 **Description** A problematic issue has been found in the file login.php, where the manipulation of the `typename` argument leads to cross site scripting. The attack can be launched remotely. **Recommendations** For versions up to 1.5.4, consider disabling the functionality related to the `typename` argument in the login.php file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EyouCMS versions up to 1.5.4 **Description** A problematic issue was found in EyouCMS, affecting an unknown part of the file login.php. The manipulation of the `tag tag` argument leads to cross-site scripting. It is possible to initiate the attack remotely. **Recommendations** For EyouCMS versions up to 1.5.4, update to a version later than 1.5.4 to resolve the issue. As a temporary workaround, consider restricting access to the login.php file or disabling the `tag tag` argument to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OTCMS version 6.0.1 **Description** A critical vulnerability was found in OTCMS, related to the absence of restrictions on file uploads. This issue affects an unknown functionality of the file sysCheckFile.php, where the `mudi` parameter is set to `sql`. The manipulation leads to unrestricted upload, allowing a remote attacker to upload arbitrary files and potentially execute arbitrary code. The exploit has been disclosed to the public. **Recommendations** For OTCMS version 6.0.1, consider disabling the sysCheckFile.php file or restricting access to it until a patch is available. As a temporary workaround, avoid using the `mudi` parameter in the sysCheckFile.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBOS version 4.5.5 **Description** A critical issue affects some unknown functionality of the file "/?r=report/api/getlist" of the component Report Search, leading to sql injection. The attack may be launched remotely. **Recommendations** For IBOS version 4.5.5, as a temporary workaround, consider restricting access to the "/?r=report/api/getlist" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBOS versions up to 4.5.4 **Description** A critical vulnerability has been found in an unknown functionality of the file /?r=email/api/mark&op=delFromSend. The manipulation of the `emailids` argument leads to sql injection. The attack can be launched remotely. Upgrading to version 4.5.5 is able to address this issue. **Recommendations** For IBOS versions up to 4.5.4, upgrade to version 4.5.5 to address the issue. As a temporary workaround, consider restricting access to the `/?r=email/api/mark&op=delFromSend` endpoint until the upgrade is applied. Avoid using the `emailids` argument in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** HadSky version 7.7.16 **Description** A vulnerability was found in HadSky, affecting an unknown part of the file "upload/index.php?c=app&a=superadmin:index". The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For HadSky version 7.7.16, consider disabling the file upload functionality in "upload/index.php?c=app&a=superadmin:index" until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint remotely until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.