Yu22X

**Name of the Vulnerable Software and Affected Versions** EyouCMS versions prior to 1.7.7 **Description** A security flaw exists in EyouCMS up to version 1.7.6. The issue is related to a SQL injection within the Backend Template Management component, specifically in the file /application/admin/logic/FilemanagerLogic.php. Manipulation of the `content` argument in an unknown function within this file can lead to SQL injection. The attack can be launched remotely, and an exploit has been publicly released. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** Update EyouCMS to version 1.7.7 or later. As a temporary workaround, restrict access to the file /application/admin/logic/FilemanagerLogic.php.

**Name of the Vulnerable Software and Affected Versions** dayrui XunRuiCMS versions up to 4.7.1 **Description** A flaw exists in dayrui XunRuiCMS that allows for cross site scripting. The issue is located in the JSONP Callback Handler component, specifically within the `dr show error`/`dr exit msg` function of the `/dayrui/Fcms/Init.php` file. Manipulation of the `callback` argument can trigger the flaw. The exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** Versions prior to 4.7.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** CmsEasy versions through 7.7.7 **Description** A flaw exists in CmsEasy that allows for code injection. The issue is located in the `savetemp action` function within the `/lib/admin/template admin.php` library of the Backend Template Management Page component. Manipulation of the `content/tempdata` argument can trigger the flaw, potentially allowing for remote code execution. The exploit for this issue has been published. **Recommendations** Versions prior to 7.7.7 should be used.

**Name of the Vulnerable Software and Affected Versions** DedeCMS versions prior to 5.7.118 **Description** A flaw exists in DedeCMS that allows for SQL injection. The issue is due to the manipulation of the `orderby` argument in the /freelist main.php file. This can be exploited remotely. The exploit is publicly available. **Recommendations** Update DedeCMS to a version newer than 5.7.118.

**Name of the Vulnerable Software and Affected Versions** SeaCMS versions prior to 13.4 **Description** A flaw exists in SeaCMS that allows for SQL injection. The issue is located in an unknown function within the `js/player/dmplayer/dmku/class/mysqli.class.php` file. Manipulation of the `page/limit` argument can lead to exploitation. The attack can be carried out remotely, and the exploit is publicly available. **Recommendations** Update SeaCMS to version 13.4 or later.

**Name of the Vulnerable Software and Affected Versions** SeaCMS versions up to 13.3 **Description** A SQL injection issue exists in SeaCMS. The issue is located in the `admin video.php` file, specifically through manipulation of the `e id` argument within an unknown function. This allows for remote exploitation. The exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.