Yunyan05

#18132 of 53,635
15 Total CVSS
Vulnerabilities · 2
High: 2
PT-2026-49165
7.5
2026-06-15
Shopxo · Shopxo · CVE-2026-12204
**Name of the Vulnerable Software and Affected Versions**
ShopXO versions prior to 6.7.2

**Description**
An authorization bypass exists in the Scheduled Task Endpoint within the `app/api/controller/Crontab.php` file. This issue allows a remote attacker to bypass authorization by manipulating the `OrderClose()`, `OrderSuccess()`, `PayLogOrderClose()`, or `GoodsGiveIntegral()` functions.

**Recommendations**
Update to a version newer than 6.7.1. As a temporary workaround, restrict access to the `OrderClose()`, `OrderSuccess()`, `PayLogOrderClose()`, and `GoodsGiveIntegral()` functions in the `app/api/controller/Crontab.php` file.

PT-2026-48866
7.5
2026-06-12
Pbootcms · Pbootcms · CVE-2026-12066
**Name of the Vulnerable Software and Affected Versions**
PbootCMS versions prior to 3.2.13

**Description**
A security flaw in the Password Handler component allows for weak password recovery. The issue exists in the `retrieve()` function within the `apps/home/controller/MemberController.php` file. Remote attackers can exploit this by manipulating the `username`, `password`, `email`, or `checkcode` arguments.

**Recommendations**
Update to a version later than 3.2.12. As a temporary workaround, restrict access to the `retrieve()` function in the `apps/home/controller/MemberController.php` file.