xiaoheiFS · CVE-2026-28674
**Name of the Vulnerable Software and Affected Versions**
xiaoheiFS versions prior to 4.0.0
**Description**
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. Versions up to and including 0.3.15 allow administrators to upload any file to the `plugins/payment/` directory via the `AdminPaymentPluginUpload` endpoint. The system only verifies a hardcoded password (`qweasd123456`) and does not inspect the file content. A background process, `StartWatcher`, scans this directory every 5 seconds and immediately executes any new executable files found, leading to Remote Code Execution (RCE).
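The weak link described above is a watcher that treats "a new executable appeared in `plugins/payment/`" as sufficient reason to run it. The following is an added example, not xiaoheiFS code and not part of this advisory, of how such a watcher can be gated so that presence alone never triggers execution: a plugin is only runnable if its file name is a plain base name, if it was registered out-of-band by an administrator, if its SHA-256 matches the registered digest (compared in constant time), and if the file is not writable by group or others. Everything else is reported as rejected with a reason the operator can log. The `PluginPolicy` type, its methods and the sample plugin contents are assumptions made for the example; nothing here executes a file.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical hardened replacement for a "run whatever appears" plugin
// watcher. Not xiaoheiFS code; the names and policy are assumptions.

var (
	ErrBadName   = errors.New("plugin name is not a plain file name")
	ErrNotListed = errors.New("plugin is not registered in the allowlist")
	ErrDigest    = errors.New("plugin digest does not match the registered one")
	ErrWritable  = errors.New("plugin is writable by group or others")
)

// PluginPolicy holds digests an administrator registered out-of-band.
// A file that is not listed here is never run, whatever its content.
type PluginPolicy struct {
	Allowed map[string]string // file name -> lower-case hex SHA-256
}

// Sha256Hex returns the lower-case hex SHA-256 of data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Verify checks one candidate plugin. It returns nil only when the name is a
// plain base name, the name is registered, the content digest matches, and the
// file mode grants no write permission to group or others.
func (p PluginPolicy) Verify(name string, contents []byte, mode os.FileMode) error {
	if name == "" || name != filepath.Base(name) || strings.HasPrefix(name, ".") {
		return ErrBadName
	}
	want, ok := p.Allowed[name]
	if !ok {
		return ErrNotListed
	}
	got := Sha256Hex(contents)
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrDigest
	}
	if mode.Perm()&0o022 != 0 {
		return ErrWritable
	}
	return nil
}

// ScanDir is one watcher tick. It returns the plugins that pass policy and a
// map of rejected names to the reason, so the caller can log rejections
// instead of silently executing. Nothing is executed here.
func (p PluginPolicy) ScanDir(dir string) (runnable []string, rejected map[string]error, err error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, nil, err
	}
	rejected = map[string]error{}
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		info, ierr := e.Info()
		if ierr != nil {
			rejected[e.Name()] = ierr
			continue
		}
		data, rerr := os.ReadFile(filepath.Join(dir, e.Name()))
		if rerr != nil {
			rejected[e.Name()] = rerr
			continue
		}
		if verr := p.Verify(e.Name(), data, info.Mode()); verr != nil {
			rejected[e.Name()] = verr
			continue
		}
		runnable = append(runnable, e.Name())
	}
	return runnable, rejected, nil
}

func main() {
	dir, err := os.MkdirTemp("", "plugins")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample plugins: one registered, one simply dropped in the directory.
	good := []byte("#!/bin/sh\necho registered plugin\n")
	_ = os.WriteFile(filepath.Join(dir, "pay.sh"), good, 0o755)
	_ = os.WriteFile(filepath.Join(dir, "dropped.sh"), []byte("#!/bin/sh\necho anything\n"), 0o755)
	policy := PluginPolicy{Allowed: map[string]string{"pay.sh": Sha256Hex(good)}}
	run, rej, _ := policy.ScanDir(dir)
	fmt.Println("runnable:", run)
	for n, e := range rej {
		fmt.Printf("rejected %s: %v\n", n, e)
	}
}
```

The same gate belongs on the upload side: a plugin should be written to a staging area without the execute bit and only moved into the watched directory after its digest has been registered by an authenticated administrator, rather than after a shared hardcoded password check.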
**Recommendations**
Versions prior to 4.0.0 should be updated to version 4.0.0 or later.