Yangyanglo

**Name of the Vulnerable Software and Affected Versions** DataGear versions up to 4.7.0/5.1.0 **Description** A problematic issue has been found in the JDBC Server Handler component of DataGear, allowing for deserialization through manipulation. This issue can be exploited remotely. The vendor was contacted about the disclosure but did not respond. **Recommendations** For versions up to 4.7.0/5.1.0, consider disabling the JDBC Server Handler component until a patch is available. Restrict access to the component to minimize the risk of exploitation. Avoid using the affected functionality of the JDBC Server Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** sjqzhang go-fastdfs versions up to 1.4.3 **Description** The issue is related to a path traversal vulnerability in the file upload function of the sjqzhang go-fastdfs distributed file system. This vulnerability can be exploited by a remote attacker to write arbitrary files and execute arbitrary commands. The attack involves manipulating the file path to access restricted directories. The vulnerability can be exploited remotely. **Recommendations** For versions up to 1.4.3, as a temporary workaround, consider disabling the file upload function until a patch is available. Restrict access to the `/group1/upload` endpoint to minimize the risk of exploitation. Avoid using path traversal characters, such as `../`, in the file upload function to prevent attackers from writing files to arbitrary locations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataGear versions up to 4.5.1 **Description** A vulnerability was found in the Diagram Type Handler component of DataGear, which can lead to cross site scripting. The manipulation can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For versions up to 4.5.1, update to a version later than 4.5.1 to resolve the issue. As a temporary workaround, consider restricting access to the Diagram Type Handler component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DataGear versions up to 4.5.0 **Description** A critical issue was found in DataGear, affecting an unknown part of the file /analysisProject/pagingQueryData. The manipulation of the `queryOrder` argument leads to sql injection. It is possible to initiate the attack remotely. **Recommendations** For versions up to 4.5.0, upgrade to version 4.5.1 to address this issue. As a temporary workaround, consider restricting access to the `/analysisProject/pagingQueryData` endpoint until the issue is resolved. Avoid using the `queryOrder` argument in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DataGear versions up to 1.11.1 **Description** A vulnerability has been found in the Plugin Handler component of DataGear, which can lead to cross site scripting. The manipulation can be launched on the local host. Upgrading to version 1.12.0 is able to address this issue. **Recommendations** For DataGear versions up to 1.11.1, upgrade to version 1.12.0 to address the issue. As a temporary workaround, consider restricting access to the Plugin Handler component until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** DataGear versions up to 1.11.1 **Description** A vulnerability was found in the Graph Dataset Handler component, leading to cross-site scripting. The attack can be initiated remotely. The issue affects some unknown processing of this component. **Recommendations** For versions up to 1.11.1, upgrade to version 1.12.0 to address this issue. It is recommended to upgrade the affected component.