Zhendezuile

**Name of the Vulnerable Software and Affected Versions** HongCMS version 3.0.0 **Description** The issue allows for arbitrary file deletion. This can be achieved via the component `/admin/index.php/template/ajax?action=delete`. **Recommendations** For HongCMS version 3.0.0, as a temporary workaround, consider restricting access to the `/admin/index.php/template/ajax?action=delete` endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ZCMS version v20170206 **Description** A file inclusion issue was discovered in ZCMS, which can be exploited via the "index.php" endpoint with specific parameters, including `m`, `c`, and `a`. The vulnerability is triggered when an attacker manipulates the `a` parameter, set to `sp set config`, allowing for potential malicious file inclusion. **Recommendations** For ZCMS version v20170206, as a temporary workaround, consider restricting access to the "index.php" endpoint with the `m=home`, `c=home`, and `a=sp set config` parameters until a patch is available. Avoid using the `a` parameter with the value `sp set config` in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZCMS version v20170206 **Description** A stored cross-site scripting (XSS) issue was found in ZCMS. The issue is exploited via the `index.php` endpoint with specific parameters: `m=home`, `c=message`, and `a=add`. This allows for malicious script execution. **Recommendations** For ZCMS version v20170206, as a temporary workaround, consider restricting access to the `index.php` endpoint with the parameters `m=home`, `c=message`, and `a=add` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GreenCMS version 2.3.0603 **Description** The issue allows for arbitrary file deletion. This can be achieved via the "/index.php?m=admin&c=custom&a=plugindelhandle&plugin name=" API endpoint, where the `plugin name` variable is utilized. **Recommendations** For GreenCMS version 2.3.0603, as a temporary workaround, consider restricting access to the "/index.php?m=admin&c=custom&a=plugindelhandle&plugin name=" API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dhcms version 20170919 **Description** The issue allows for arbitrary folder deletion via the `/admin.php?r=admin/AdminBackup/del` API endpoint. This could potentially lead to data loss or disruption of service. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For dhcms version 20170919, as a temporary workaround, consider restricting access to the `/admin.php?r=admin/AdminBackup/del` API endpoint until a patch is available. Avoid using the `del` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bloofoxCMS version 0.5.2.1 **Description** The issue is related to an arbitrary file upload vulnerability. This vulnerability can be exploited via the "/admin/index.php?mode=content&page=media&action=edit" API endpoint. **Recommendations** For bloofoxCMS version 0.5.2.1, consider restricting access to the "/admin/index.php?mode=content&page=media&action=edit" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Taocms version 3.0.2 **Description** A SQL injection issue was found in Taocms via the `id` parameter in the includeModelCategory.php file. **Recommendations** For Taocms version 3.0.2, consider restricting access to the vulnerable `id` parameter in the includeModelCategory.php file until a patch is available.