Ziliudi

**Name of the Vulnerable Software and Affected Versions** inxedu through 2018-12-24 **Description** The issue allows an attacker to upload a malicious JSP file. This is achieved by exploiting the `fileType` parameter in the `/video/uploadvideo` API endpoint to modify the list of acceptable file extensions from `jpg,gif,png,jpeg` to `jpg,gif,png,jsp,jpeg`. The vulnerable code is located in the `com.inxedu.os.common.controller.VideoUploadController` class, specifically in the `gok4` method. **Recommendations** For inxedu through 2018-12-24, consider restricting access to the `/video/uploadvideo` API endpoint to prevent the upload of malicious JSP files until a fix is available. Additionally, as a temporary workaround, restrict the `fileType` parameter to only allow the original list of acceptable extensions: `jpg,gif,png,jpeg`.

**Name of the Vulnerable Software and Affected Versions** inxedu through 2018-12-24 **Description** The issue allows for information disclosure due to a SQL Injection vulnerability. This can be exploited via the `deleteFaveorite/` PATH INFO. The vulnerable code is located in the `com.inxedu.os.edu.controller.user.UserController` class, specifically in the `deleteFavorite` method, where the `courseFavoritesService.deleteCourseFavoritesById` is mishandled during the use of MyBatis. A spelling variation in an annotation is noted in `UserController.java`, with a `@RequestMapping("/deleteFaveorite/{ids}")` line. **Recommendations** For inxedu through 2018-12-24, consider restricting access to the `deleteFaveorite/` PATH INFO to minimize the risk of exploitation. As a temporary workaround, consider disabling the `deleteFavorite` method in `UserController` until a patch is available. Avoid using the `ids` parameter in the affected API endpoint until the issue is resolved.