Xin-Yue Song

**Name of the Vulnerable Software and Affected Versions** IDExpert versions up to 2.8 **Description** The issue concerns a lack of validation in the administrator interface of IDExpert, allowing remote attackers with administrative privileges to inject and execute OS commands on the server. This can be exploited by injecting a specific parameter. **Recommendations** For versions up to 2.8, patch immediately and restrict admin access to minimize the risk of exploitation. Additionally, validate input/output to prevent OS command injection. As a temporary workaround, consider restricting access to the administrator interface until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Administrative Management System from Wellchoose (affected versions not specified) **Description** The Administrative Management System from Wellchoose has a Path Traversal issue, allowing unauthenticated remote attackers to exploit this vulnerability to download arbitrary files on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Administrative Management System from Wellchoose (affected versions not specified) **Description** The Administrative Management System from Wellchoose does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells. This issue can be exploited by attackers to gain unauthorized access to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Administrative Management System from Wellchoose (affected versions not specified) **Description** The Administrative Management System from Wellchoose has an OS Command Injection issue, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AIM LINE Marketing Platform from Esi Technology (affected versions not specified) **Description** The AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the LINE Campaign Module until a patch is available. Restrict access to the vulnerable query parameter to minimize the risk of exploitation. Avoid using the vulnerable query parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NCSIST ManageEngine Mobile Device Manager(MDM) APP (affected versions not specified) **Description** The issue is related to a path traversal vulnerability in a special function of the NCSIST ManageEngine Mobile Device Manager(MDM) APP. This vulnerability can be exploited by an unauthenticated remote attacker to bypass authentication and read arbitrary system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.