Yaowenxiao

**Name of the Vulnerable Software and Affected Versions** Dataease SQLBot versions up to 1.5.1 **Description** A flaw exists in Dataease SQLBot that relates to improper cryptographic signature verification. The issue is located within the `validateEmbedded` function in the `backend/apps/system/middleware/auth.py` file, part of the JWT Token Handler component. This allows for manipulation, potentially leading to unauthorized access. The exploit has been publicly disclosed. The complexity of the attack is considered high, and exploitability is difficult. A warning exists in the source code regarding the use of this feature. **Recommendations** Versions prior to 1.5.1 should be updated. As a temporary workaround, consider disabling the `validateEmbedded()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Dataease SQLBot versions up to 1.4.0 **Description** A security issue has been identified in Dataease SQLBot. This issue relates to improper access controls due to manipulation of an unknown function within the file `backend/apps/system/api/assistant.py` of the API Endpoint component. The attack can be launched remotely. Multiple API endpoints are affected. The exploit is publicly available. **Recommendations** Upgrade to version 1.5.0 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** 1Panel-dev MaxKB versions up to 1.10.7 **Description** A critical issue was found in the Knowledge Base Module component, leading to csv injection. This issue can be exploited remotely. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions up to 1.10.7, upgrade to version 1.10.8 to address this issue. As a temporary workaround, consider restricting access to the Knowledge Base Module until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** songquanpeng one-api versions up to 0.6.10 **Description** A vulnerability was found in the System Setting Handler component, allowing for cross-site scripting through the manipulation of the `Homepage Content` argument. This issue can be exploited remotely. The exploit has been disclosed to the public. **Recommendations** For songquanpeng one-api versions up to 0.6.10, consider disabling the System Setting Handler component or restricting access to it until a patch is available. Avoid using the `Homepage Content` argument in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ConcreteCMS versions up to 9.3.9 **Description** A problematic vulnerability was found in ConcreteCMS, affecting an unknown functionality of the component List Block Handler. The manipulation of the `Name/Description` argument leads to cross-site scripting. The attack can be launched remotely. **Recommendations** For versions up to 9.3.9, update to a version later than 9.3.9 to resolve the issue. As a temporary workaround, consider restricting the manipulation of the `Name/Description` argument in the List Block Handler to minimize the risk of exploitation.