Zongdeiqianxing

**Name of the Vulnerable Software and Affected Versions** Rengine version 1.3.0 **Description** A command injection issue was found in the scan engine function. **Recommendations** For Rengine version 1.3.0, consider disabling the scan engine function as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Halo CMS version 1.5.3 **Description** The issue is related to an arbitrary file upload vulnerability. This vulnerability can be exploited via the `/api/admin/attachments/upload` API endpoint. **Recommendations** For Halo CMS version 1.5.3, consider disabling the `/api/admin/attachments/upload` API endpoint until a patch is available to prevent exploitation of the arbitrary file upload vulnerability.

**Name of the Vulnerable Software and Affected Versions** Halo CMS version 1.5.3 **Description** The issue is related to a Server-Side Request Forgery (SSRF) in the template remote download function. This allows an attacker to forge requests from the server, potentially leading to unauthorized access to internal resources. **Recommendations** For Halo CMS version 1.5.3, consider disabling the template remote download function as a temporary workaround until a patch is available. Restrict access to this function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rengine version 1.0.2 **Description** The issue is related to a remote code execution (RCE) vulnerability via the yaml configuration function. **Recommendations** For Rengine version 1.0.2, consider disabling the yaml configuration function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bludit version 3.13.0 **Description** An issue was found in the unsafe implementation of the backup plugin, allowing attackers to upload arbitrary files. **Recommendations** For bludit version 3.13.0, consider disabling the backup plugin until a patch is available to prevent attackers from uploading arbitrary files.

**Name of the Vulnerable Software and Affected Versions** piwigo version 2.9.5 **Description** The issue is related to a SQL Injection vulnerability in the admin/group list.php file of piwigo. This vulnerability can be exploited via the `group` parameter to delete. **Recommendations** For piwigo version 2.9.5, consider restricting access to the admin/group list.php file until a patch is available. As a temporary workaround, avoid using the `group` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** piwigo version 2.9.5 **Description** The issue is related to a SQL Injection vulnerability in the cat move.php file, specifically via the `selection` parameter to move categories. This allows for potential exploitation. **Recommendations** For piwigo version 2.9.5, consider restricting access to the cat move.php file or the `selection` parameter until a patch is available. As a temporary workaround, avoid using the `selection` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** piwigo version 2.9.5 **Description** The issue is related to a SQL Injection vulnerability in the admin/user perm.php file. It can be exploited via the `cat false` parameter to the "admin.php?page=user perm" endpoint. **Recommendations** For piwigo version 2.9.5, consider restricting access to the admin/user perm.php file and the "admin.php?page=user perm" endpoint until a patch is available. As a temporary workaround, avoid using the `cat false` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** piwigo version 2.9.5 **Description** The issue is related to a SQL Injection vulnerability in the admin/user perm.php file. This vulnerability can be exploited via the `cat false` parameter to the "admin.php?page=group perm" endpoint. **Recommendations** For piwigo version 2.9.5, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "admin.php?page=group perm" endpoint and avoiding the use of the `cat false` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** piwigo version 2.9.5 **Description** The issue is related to a SQL Injection vulnerability in the admin/batch manager.php file, specifically via the `filter category` parameter to the "admin.php?page=batch manager" endpoint. This vulnerability can be exploited to inject malicious SQL code. **Recommendations** For piwigo version 2.9.5, consider restricting access to the admin/batch manager.php file and the "admin.php?page=batch manager" endpoint until a patch is available. As a temporary workaround, avoid using the `filter category` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: bludit version 3.13.0 Description: The issue concerns an arbitrary file deletion vulnerability in the backup plugin. This vulnerability can be exploited via the `deleteBackup` parameter. Recommendations: For bludit version 3.13.0, consider disabling the backup plugin or restricting access to the `deleteBackup` parameter until a fix is available. Avoid using the `deleteBackup` parameter in the affected backup plugin to minimize the risk of exploitation.