X1Lys

**Name of the Vulnerable Software and Affected Versions** FOXCMS versions 1.25 and earlier **Description** The issue concerns a time-based blind SQL injection vulnerability in the installdb.php file. The `url prefix`, `domain`, and `my website` POST parameters are directly concatenated into SQL statements without filtering. **Recommendations** For FOXCMS versions 1.25 and earlier, as a temporary workaround, consider filtering or validating the `url prefix`, `domain`, and `my website` parameters to prevent SQL injection attacks. However, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FOXCMS versions prior to V1.25 **Description** The issue allows for SQL Injection via the `title` parameter in the /admin/util/Field.php file. **Recommendations** For versions prior to V1.25, consider restricting access to the `title` parameter in the /admin/util/Field.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Renwoxing Enterprise Intelligent Management System versions prior to 3.0 **Description** The issue is related to a SQL injection vulnerability. It can be exploited via the `parid` parameter at the "/fx/baseinfo/SearchInfo" API endpoint. **Recommendations** For versions prior to 3.0, update to version 3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/fx/baseinfo/SearchInfo" API endpoint or avoiding the use of the `parid` parameter until the issue is resolved.