Zyhsec

**Name of the Vulnerable Software and Affected Versions** JavaMall versions prior to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0 **Description** A flaw exists in JavaMall that allows for unrestricted file uploads. This issue impacts the `Upload` function within the file `src/main/java/com/macro/mall/controller/MinioController.java`. The attack can be initiated remotely. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JavaMall versions prior to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0 **Description** A path traversal issue exists due to manipulation of the `objectName` argument within the `delete` function located in the file src/main/java/com/macro/mall/controller/MinioController.java. This allows for remote exploitation. The product utilizes continuous delivery with rolling releases, making specific version details for affected and updated releases unavailable. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** Versions prior to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0 should be updated. As a temporary workaround, restrict access to the `delete` function in the `MinioController.java` file until a patch is available. Avoid using untrusted or user-supplied input for the `objectName` parameter in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** newbee-mall-plus version 2.0.0 **Description** A flaw exists in newbee-mall-plus version 2.0.0 that allows for unrestricted file uploads. This issue is located within the `Upload` function of the `src/main/java/ltd/newbee/mall/controller/common/UploadController.java` file, specifically affecting the Product Information Edit Page component. The vulnerability is triggered by manipulating the `File` argument, enabling remote attackers to upload files without restrictions. The details of this issue have been publicly disclosed. The vendor was informed of this disclosure but did not provide a response. **Recommendations** Apply a fix to the `Upload` function in `src/main/java/ltd/newbee/mall/controller/common/UploadController.java` to restrict file upload types and sizes.

**Name of the Vulnerable Software and Affected Versions** rawchen ecms (affected versions not specified) **Description** A cross site scripting issue exists in rawchen ecms. The `updateProductServlet` function within the `src/servlet/product/updateProductServlet.java` file, specifically related to the Add New Product Page component, is susceptible to exploitation through manipulation of the `productName` argument. This allows for remote exploitation and the exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** h-moses moga-mall versions prior to 392d631a5ef15962a9bddeeb9f1269b9085473fa **Description** A vulnerability exists in h-moses moga-mall. The issue affects the `addProduct` function within the file src/main/java/com/ms/product/controller/PmsProductController.java, allowing for unrestricted file upload through manipulation of the `objectName` argument. This attack can be performed remotely. The product uses a rolling release system, and version information for affected or updated releases is not disclosed. **Recommendations** Versions prior to 392d631a5ef15962a9bddeeb9f1269b9085473fa should be updated. As a temporary workaround, consider restricting access to the `addProduct` function until a suitable update is available.

**Name of the Vulnerable Software and Affected Versions** yougou-mall versions prior to 0a771fa817c924efe52c8fe0a9a6658eee675f9f **Description** A path traversal issue exists in the `Upload` function within the file src/main/java/per/ccm/ygmall/extra/controller/ResourceController.java. The software utilizes a rolling release model, meaning continuous delivery and a lack of specific version details for affected or updated releases. Manipulation of the system can lead to path traversal. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.