Yaozhangyiqiyin

**Name of the Vulnerable Software and Affected Versions** Xiongwei Smart Catering Cloud Platform version 2.1.6446.28761 **Description** A SQL injection issue exists in Xiongwei Smart Catering Cloud Platform version 2.1.6446.28761. The issue is located in an unknown function within the `/dishtrade/dish trade detail get` file. Manipulating the `filter` argument can lead to SQL injection. This can be exploited remotely. The exploit is publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 4.10.24.3 **Description** A weakness exists in Shenzhen Sixun Software Sixun Shanghui Group Business Management System that allows for weak password recovery. This issue is related to an unknown functionality within the file `/api/GylOperator/UpdatePasswordBatch`. The attack can be initiated remotely, and an exploit is publicly available. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 4.10.24.3 **Description** A security flaw exists in Shenzhen Sixun Software Sixun Shanghui Group Business Management System. The issue affects some unknown functionality associated with the file `/ExportFiles/`, potentially leading to unauthorized access to files or directories. This access can be gained remotely. Exploitation is described as having high complexity and being difficult, but an exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ketr JEPaaS versions up to 7.2.8 **Description** A flaw exists in ketr JEPaaS that allows for improper authorization. This is due to manipulation of the `Authorization` argument within the file '/je/load'. The attack can be carried out remotely and the exploit has been publicly disclosed. **Recommendations** Versions prior to 7.2.8 should be updated.

**Name of the Vulnerable Software and Affected Versions** Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 7 **Description** A vulnerability was found in the system, affecting an unknown part of the file "/api/GylOperator/LoadData". The manipulation leads to information disclosure and can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 7, as a temporary workaround, consider restricting access to the "/api/GylOperator/LoadData" endpoint until a patch is available. Avoid using this endpoint remotely to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 7 **Description** A problematic issue has been found in the Reset Password Interface component, specifically affecting the file /WebPages/Adm/OperatorStop.asp. The manipulation of the `OperId` argument leads to improper authorization, allowing for remote attacks. The complexity of an attack is rather high, and the exploitation is known to be difficult. **Recommendations** For Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 7, as a temporary workaround, consider restricting access to the Reset Password Interface or disabling the `OperId` argument manipulation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.