NinjaGPT
# Summary The endpoint /admin/blog/save does not perform strict validation on user-controlled input, thus allowing attackers to insert malicious code into the database. When outputting content at the endpoint /admin/tags,...
# Summary The endpoint /admin/tags/save does not perform strict validation on user-controlled input, thus allowing attackers to insert malicious code into the database. When outputting content at the endpoint /admin/tags,...
# Summary This XSS vulnerability is different from the previously disclosed CVE-2023-29639 (blog article content) and CVE-2023-29636 (blog article title). This vulnerability occurs when adding blog categories, where the backend implementation...
# Summary The application has no CSRF protection, allowing attackers to leverage CSRF to launch various attacks against admin users. Particularly when combined with XSS vulnerabilities, this would enable attackers...
## Summary In the latest version, the endpoint /login does not encode user-controllable parameters when outputting them on the current page, resulting in Reflected XSS. This allows attackers to launch...
## Summary In the latest version, the endpoint /system/login does not encode user-controllable parameters when outputting them on the current page, resulting in Reflected XSS. This allows attackers to launch...
# Summary UEditor has an SSRF vulnerability, and this project is using the vulnerable version in
# Summary The file upload functionality endpoint /tianti-module-admin/upload/ajax/upload_file in versions ≤2.3 of this project allows uploading arbitrary PDF files without proper security processing, enabling attackers to upload malicious PDFs containing...
# Summary The project's file upload functionality in versions
# Summary User-controlled img src allows loading untrusted frames, enabling internal service probe & info gathering, content manipulation within trusted contexts. --- # Details ruoyi-admin\src\main\resources\static\ajax\libs\summernote\summernote.js **Taint Analysis** 1. The entry...