Yinfei6

**Name of the Vulnerable Software and Affected Versions** Vinga WR-AC1200 versions 81.102.1.4370 and before **Description** A password vulnerability allows a remote attacker to execute arbitrary code via the `password` parameter at the "/goform/sysTools" and "/adm/systools.asp" endpoints. This issue has been identified in scans probing for vulnerable routers. **Recommendations** For Vinga WR-AC1200 versions 81.102.1.4370 and before, consider disabling access to the "/goform/sysTools" and "/adm/systools.asp" endpoints until a patch is available. As a temporary workaround, restrict the use of the `password` parameter in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DEK-1705 version 34.23.1 and earlier **Description** A command execution issue was discovered in the device. **Recommendations** For DEK-1705 version 34.23.1 and earlier, update to a version later than 34.23.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SA-WR915ND router firmware version 17.35.1 **Description** The issue allows for code execution. **Recommendations** For SA-WR915ND router firmware version 17.35.1, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** JHR-N916R router firmware versions prior to 21.11.1.1484 **Description** A command execution issue was found. This allows for the execution of commands, potentially leading to unauthorized access or control. **Recommendations** For versions prior to 21.11.1.1484, update to version 21.11.1.1484 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kirin Fortress Machine version 1.7-2020-0610 **Description** A SQL Injection issue allows attackers to execute arbitrary code via the "/admin.php?controller=admin commonuser" API endpoint, specifically through the `controller` parameter. This enables attackers to potentially gain unauthorized access and manipulate data. **Recommendations** For Kirin Fortress Machine version 1.7-2020-0610, consider restricting access to the "/admin.php?controller=admin commonuser" API endpoint until a patch is available. As a temporary workaround, avoid using the `controller` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dedecms versions prior to V5.7.103 **Description** The issue is related to SQL Injection. In the sys sql n query.php file, there are no restrictions on the SQL query, which can be exploited. **Recommendations** For dedecms versions prior to V5.7.103, update to version V5.7.103 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Hillstone Firewall SG-6000 versions 5.0.4.0 and earlier **Description** The issue is related to incorrect access control, allowing an attacker to bypass permissions and gain super administrator privileges in the background of the firewall. This is due to a configuration error in the report module. **Recommendations** For Hillstone Firewall SG-6000 versions 5.0.4.0 and earlier, update to a version later than 5.0.4.0 to resolve the issue. As a temporary workaround, consider restricting access to the report module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** h3c firewall versions <= 3.10 ESS6703 **Description** The issue is related to a privilege bypass. **Recommendations** For h3c firewall versions <= 3.10 ESS6703, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JIZHI CMS version 1.9.4 **Description** A CSRF issue allows adding an admin account via the index or the "/admin.php/Admin/adminadd.html" API endpoint. **Recommendations** For JIZHI CMS version 1.9.4, update to a newer version that contains a fix for this issue, if available. As a temporary workaround, consider restricting access to the "/admin.php/Admin/adminadd.html" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dedecmdv6 version 6.1.9 **Description** The issue allows for Arbitrary file deletion via the "file manage control.php" endpoint. **Recommendations** For dedecmdv6 version 6.1.9, consider restricting access to the "file manage control.php" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** dedecmdv6 version 6.1.9 **Description** The issue is related to SQL Injection. It affects the sys sql query.php file. **Recommendations** For dedecmdv6 version 6.1.9, consider restricting access to the sys sql query.php file until a patch is available. As a temporary workaround, avoid using the `sys sql query.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dedecmdv6 version 6.1.9 **Description** The issue allows for Remote Code Execution (RCE) via the `file manage control.php` endpoint. **Recommendations** For dedecmdv6 version 6.1.9, consider restricting access to the `file manage control.php` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Boa version 0.94.14rc21 **Description** The issue concerns SQL Injection via the `username` variable. However, it is noted that this vulnerability is disputed by multiple third parties because Boa does not ship with any support for SQL. **Recommendations** For Boa version 0.94.14rc21, as a temporary workaround, consider restricting the use of the `username` variable to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.