Zihe

Name of the Vulnerable Software and Affected Versions: erjemin roll cms up to 1484fe2c4e0805946a7bcf46218509fcb34883a9 Description: A vulnerability was found in erjemin roll cms, which has been classified as problematic. This affects an unknown part of the file roll cms/roll cms/views.py. The manipulation leads to information exposure through error message. The product takes the approach of rolling releases to provide continuous delivery, and therefore, version details for affected and updated releases are not available. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Gouniverse GoLang CMS version 1.4.0 Description: A vulnerability was found in Gouniverse GoLang CMS, affecting the function `PageRenderHtmlByAlias` of the file `FrontendHandler.go`. The manipulation of the argument `alias` leads to cross-site scripting. The attack can be initiated remotely. Recommendations: For Gouniverse GoLang CMS version 1.4.0, upgrade to version 1.4.1 to address this issue. As a temporary workaround, consider restricting the use of the `PageRenderHtmlByAlias` function until the patch is applied.

Name of the Vulnerable Software and Affected Versions: LinuxOSsk Shakal-NG versions up to 1.3.3 Description: A problematic issue was found in LinuxOSsk Shakal-NG, affecting an unknown function of the file comments/views.py. The manipulation of the `next` argument leads to open redirect. It is possible to launch the attack remotely. Recommendations: For LinuxOSsk Shakal-NG versions up to 1.3.3, apply a patch to fix this issue. As a temporary workaround, consider restricting access to the `comments/views.py` file until a patch is available.

Name of the Vulnerable Software and Affected Versions: alwindoss akademy up to 35caccea888ed63d5489e211c99edff1f62efdba Description: A problem has been found in an unknown functionality of the file cmd/akademy/handler/handlers.go. The manipulation of the `emailAddress` argument leads to cross-site scripting. The attack can be launched remotely. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: master-nan Sweet-CMS up to 5f441e022b8876f07cde709c77b5be6d2f262e3f Description: A critical issue affects the unknown code of the file /table/index, leading to sql injection. The attack can be initiated remotely. This issue is declared as critical. Recommendations: To fix this issue, it is recommended to apply the patch 146359646a5a90cb09156dbd0013b7df77f2aa6c. As a temporary workaround, consider restricting access to the /table/index endpoint until the patch is applied.

Name of the Vulnerable Software and Affected Versions: master-nan Sweet-CMS up to 5f441e022b8876f07cde709c77b5be6d2f262e3f Description: A vulnerability was found in master-nan Sweet-CMS, affecting the function `LogHandler` of the file `middleware/log.go`. The manipulation leads to improper output neutralization for logs. The attack may be initiated remotely. This issue has been rated as problematic. Recommendations: To fix this issue, it is recommended to apply a patch. As a temporary workaround, consider disabling the `LogHandler` function until a patch is available. Restrict access to the `middleware/log.go` file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: kitsada8621 Digital Library Management System version 1.0 Description: A vulnerability was found in the kitsada8621 Digital Library Management System. It has been classified as problematic and affects the function `JwtRefreshAuth` of the file `middleware/jwt refresh token middleware.go`. The manipulation of the argument `Authorization` leads to improper output neutralization for logs. It is possible to launch the attack remotely. Recommendations: To fix this issue, apply the patch `81b3336b4c9240f0bf50c13cb8375cf860d945f1` to the kitsada8621 Digital Library Management System version 1.0. As a temporary workaround, consider disabling the `JwtRefreshAuth` function until the patch is applied. Restrict access to the `middleware/jwt refresh token middleware.go` file to minimize the risk of exploitation. Avoid using the `Authorization` argument in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Go-Tribe gotribe up to cd3ccd32cd77852c9ea73f986eaf8c301cfb6310 Description: A critical vulnerability has been found in Go-Tribe gotribe. The issue affects the function `Sign` of the file `pkg/token/token.go`. The manipulation of the argument `config.key` leads to hard-coded credentials. The product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. Recommendations: To fix this issue, it is recommended to apply a patch identified as 4fb9b9e80a2beedd09d9fde4b9cf5bd510baf18f. As a temporary workaround, consider disabling the `Sign` function until a patch is available. Restrict access to the `pkg/token/token.go` file to minimize the risk of exploitation. Avoid using the `config.key` argument in the affected function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: demozx gf cms versions 1.0 through 1.0.1 Description: A critical issue has been found in the JWT Authentication component, specifically affecting the `init` function of the file `internal/logic/auth/auth.go`. This allows for the manipulation of hard-coded credentials, enabling remote attacks. The exploit for this issue has been publicly disclosed. Recommendations: For demozx gf cms versions 1.0 through 1.0.1, upgrade to version 1.0.2, which includes the patch be702ada7cb6fdabc02689d90b38139c827458a5, to address this issue. As a temporary workaround, consider restricting access to the `init` function of the `internal/logic/auth/auth.go` file until the patch is applied.

Name of the Vulnerable Software and Affected Versions: Go-Tribe gotribe-admin version 1.0 Description: A vulnerability was found in the Log Handler component of Go-Tribe gotribe-admin, affecting the function `InitRoutes` of the file internal/app/routes/routes.go. This issue leads to deserialization, potentially allowing code execution. Recommendations: Apply a patch with ID 45ac90d6d1f82716f77dbcdf8e7309c229080e3c to fix this issue. As a temporary workaround, consider disabling the `InitRoutes` function until the patch is applied. Restrict access to the Log Handler component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Qidianbang qdbcrm version 1.1.0 **Description** A vulnerability was found in the Password Reset component of Qidianbang qdbcrm, affecting some unknown functionality of the file /user/edit?id=2. This issue leads to cross-site request forgery and can be exploited remotely. The exploit has been disclosed to the public. **Recommendations** For Qidianbang qdbcrm version 1.1.0, as a temporary workaround, consider restricting access to the /user/edit?id=2 endpoint of the Password Reset component until a patch is available. Additionally, avoid using the `id` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AlexanderLivanov FotosCMS2 versions up to 2.4.3 **Description** A problematic vulnerability was found in the Cookie Handler component of the file profile.php, where the manipulation of the `username` argument leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For AlexanderLivanov FotosCMS2 versions up to 2.4.3, consider disabling the `username` argument in the profile.php file of the Cookie Handler component as a temporary workaround until a patch is available. Restrict access to the profile.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** flusity CMS (affected versions not specified) **Description** A problematic issue has been found in flusity CMS, affecting the `loadPostAddForm` function of the file core/tools/posts.php. The manipulation of the `edit post id` argument leads to cross-site scripting. The attack may be initiated remotely. **Recommendations** To fix this issue, it is recommended to apply a patch. As a temporary workaround, consider disabling the `loadPostAddForm` function until a patch is available. Restrict access to the core/tools/posts.php file to minimize the risk of exploitation. Avoid using the `edit post id` argument in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** flusity CMS (affected versions not specified) **Description** A critical issue has been discovered, affecting the `handleFileUpload` function in the `core/tools/upload.php` file. The manipulation of the `uploaded file` argument leads to unrestricted upload. This issue can be exploited remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** flusity CMS (affected versions not specified) **Description** A problematic issue was found in the function `loadPostAddForm` of the file `core/tools/posts.php`, where the manipulation of the argument `menu id` leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** Apply a patch to fix this issue. As a temporary workaround, consider restricting access to the `loadPostAddForm` function in the `core/tools/posts.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** flusity CMS (affected versions not specified) **Description** A problematic issue has been identified in flusity CMS, affecting the `loadCustomBlocCreateForm` function within the `/core/tools/customblock.php` file of the Dashboard component. Manipulation of the `customblock place` argument can lead to cross site scripting. The attack can be initiated remotely, and the exploit has been publicly disclosed. **Recommendations** Apply the patch named 81252bc764e1de2422e79e36194bba1289e7a0a5 to resolve this issue.