Zre0X1C

**Name of the Vulnerable Software and Affected Versions** CLTPHP version 3.0 **Description** A security issue exists in CLTPHP 3.0 related to SQL injection. Manipulation of the `keyword` argument within an unknown function of the `/home/search.html` file can lead to exploitation. The attack can be performed remotely, and details about the exploit have been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0 **Description** A cross site scripting issue exists in Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0. The issue is related to the manipulation of the `keywords` argument within the file '/i/359'. This allows for remote execution of the attack. The exploit details have been publicly disclosed, and the vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sui Shang Information Technology Suishang Enterprise-Level B2B2C Multi-User Mall System version 1.0 **Description** A flaw exists in the system that allows for cross site scripting. Manipulation of the `category id` argument in the file '/Point/index/activity state/1/category id/1001' can trigger this issue. The attack can be executed remotely. The exploit has been published. The vendor was contacted but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 07FLYCMS versions up to 20250831 07FLY-CMS versions up to 20250831 07FlyCRM versions up to 20250831 **Description** A SQL injection issue exists due to manipulation of the `Username` argument in the file `/index.php/Login/login`. The attack can be initiated remotely. The exploit has been made public. The vendor was contacted but did not respond. **Recommendations** Versions up to 20250831: Avoid using the `Username` parameter in the `/index.php/Login/login` endpoint.

**Name of the Vulnerable Software and Affected Versions** 07FLYCMS, 07FLY-CMS, and 07FlyCRM versions up to 20250831 **Description** A cross-site scripting issue exists in 07FLYCMS, 07FLY-CMS, and 07FlyCRM. The vulnerability is located in the `/index.php/sysmanage/Login` file, where manipulation of the `Name` parameter can lead to the execution of malicious scripts. The attack can be performed remotely, and the exploit has been publicly disclosed. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** Versions up to 20250831 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 07FLYCMS, 07FLY-CMS, and 07FlyCRM versions up to 20250831 **Description** A cross-site scripting (XSS) flaw exists due to the manipulation of the `Name` argument in an unknown part of the `/index.php` file. This allows for remote execution of scripts. The exploit has been published. The vendor was contacted regarding this issue but did not respond. **Recommendations** Versions up to 20250831 are affected. As a temporary workaround, consider restricting access to the `/index.php` file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Yida ECMS Consulting Enterprise Management System version 1.0 Description: A cross-site scripting issue exists in Yida ECMS Consulting Enterprise Management System 1.0. The vulnerability is located in the POST Request Handler component, specifically within the `/login.do` API endpoint. Manipulation of the `requestUrl` parameter allows for the execution of malicious scripts. The exploit has been publicly disclosed. Recommendations: As a temporary workaround, consider restricting access to the `/login.do` API endpoint until a fix is available. Sanitize the `requestUrl` parameter to prevent the injection of malicious scripts.

Name of the Vulnerable Software and Affected Versions: erjinzhi 10OA version 1.0 Description: A security flaw exists in erjinzhi 10OA version 1.0. The issue is related to some unknown functionality within the file `/trial/mvc/item`. Manipulation of the `Name` argument can lead to cross-site scripting. The attack can be initiated remotely, and the exploit has been publicly released. The vendor was contacted but did not respond. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: erjinzhi 10OA version 1.0 Description: A flaw exists in erjinzhi 10OA version 1.0, impacting an unknown function within the `/trial/mvc/finder` file. Manipulation of the `Name` argument can lead to cross-site scripting. This issue is potentially exploitable remotely, and details about the exploit have been publicly disclosed. The vendor was notified but did not respond. Recommendations: As a mitigation, sanitize or encode the `Name` argument to prevent the injection of malicious scripts. Consider restricting access to the `/trial/mvc/finder` file.

Name of the Vulnerable Software and Affected Versions: erjinzhi 10OA version 1.0 Description: A path traversal vulnerability exists due to manipulation of the `File` argument in the `/view/file.aspx` file. The exploit is publicly available. The vendor was contacted but did not respond. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: erjinzhi 10OA version 1.0 Description: A vulnerability exists in erjinzhi 10OA version 1.0. The issue involves cross site scripting caused by manipulation of the `Name` argument in an unknown function of the `/trial/mvc/catalogue` file. This manipulation can be initiated remotely. The exploit has been publicly disclosed. The vendor was contacted regarding this disclosure but did not respond. Recommendations: As a temporary workaround, consider restricting access to the `/trial/mvc/catalogue` file to minimize the risk of exploitation. Sanitize the `Name` argument to prevent the injection of malicious scripts. Disable or remove the vulnerable function if it is not essential for the application's functionality.

**Name of the Vulnerable Software and Affected Versions** Jinher OA version 1.0 **Description** A cross site scripting issue exists due to the manipulation of the `Account` argument. The issue affects an unknown function within the file `/jc6/platform/sys/login!changePassWord.action` of the POST Request Handler component. The attack can be launched remotely. The exploit is now public. **Recommendations** As a temporary workaround, consider restricting access to the `/jc6/platform/sys/login!changePassWord.action` endpoint until a fix is available. Sanitize the `Account` argument to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** Campcodes Online Loan Management System version 1.0 **Description** A weakness exists in Campcodes Online Loan Management System that allows for SQL injection. The issue is located in an unknown function within the `/ajax.php?action=delete borrower` file. Manipulation of the `ID` argument can trigger the injection. The exploit is publicly available and could be exploited remotely. **Recommendations** As a temporary workaround, consider restricting access to the `/ajax.php?action=delete borrower` file until a fix is available. Sanitize the `ID` parameter before using it in any database queries.

**Name of the Vulnerable Software and Affected Versions** Jinher OA version 1.0 **Description** A vulnerability exists in the processing of the `GetTreeDate.aspx` file within Jinher OA. Manipulation of the `ID` argument results in a SQL injection. Remote exploitation is possible. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Campcodes Online Loan Management System version 1.0 Description: A vulnerability exists in Campcodes Online Loan Management System that allows for SQL injection. The issue affects an unknown part of the `/ajax.php?action=delete plan` file. Manipulation of the `ID` argument can lead to successful exploitation. The attack can be performed remotely, and the exploit has been publicly disclosed. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.