IceCMS issues

IceWk-uniApp 小程序hbuilder下载依赖失败

1

项目 'IceWk-uniApp' 开始编译... 请注意运行模式下，因日志输出、sourcemap以及未压缩源码等原因，性能和包体积，均不及发行模式。若要正式发布，请点击发行菜单或使用cli发布命令进行发布小程序各家浏览器内核及自定义组件实现机制存在差异，可能存在样式布局兼容问题，参考：https://uniapp.dcloud.io/matter?id=mp 正在编译中... Browserslist: caniuse-lite is outdated. Please run: npx update-browserslist-db@latest Why you should do it regularly: https://github.com/browserslist/update-db#readme at subPage/commen/post.vue:1 Module build failed (from ./node_modules/@dcloudio/webpack-uni-mp-loader/lib/script.js): Error: 组件...

longzb2008

change the user password by brute force cracking

2

The impact code in IceCMS/IceWk-ment/src/main/java/com/ttice/icewkment/controller/UserController.java： if(!claims){ //前端接收后进行处理 Result.fail(403,"Token已过期",null); } //验证之前密码是否正确 QueryWrapper wrapper = new QueryWrapper(); wrapper.eq("user_id",userid); User usercheak = userMapper.selectOne(wrapper); String password = usercheak.getPassword(); if(Objects.equals(password, yuanPassWord)) { User user =...

QuanYex

Arbitrary file upload

In the updateimage path of the imageApi file, the upload file type is not restricted, causing any file to be uploaded. At the same time, it is set to store...

QuanYex

There is a CSRF vulnerability that can delete the message

After the administrator open the following page, and click the the Submit request, square message with ID 264 will be deleted. ``` history.pushState('', '', '/') ```

topdayplus

Vulnerabilities that allow arbitrary information traversal and modification by any user

2

api:/api/User/ChangeUser/(self_token) Calling this interface, we can modify the information of any user by modifying the UserID field.there will be no validation ![image](https://github.com/Thecosy/IceCMS/assets/93959921/cefd80d4-27c4-40ef-b46e-83b763d6b706) Try to log in to user test39, it...

Ungitshell

资源列表添加报错

vue.runtime.esm.js:619 [Vue warn]: Property or method "input" is not defined on the instance but referenced during render. Make sure that this property is reactive, either in the data option, or...

mlb0925

两个安全漏洞

【腾讯云】尊敬的腾讯云用户，您好！您的腾讯云账号XXXXXXXXXXXXXX下的服务器：XXXXXXXXXXXXXXXX[CentOS-YO0q]，实例ID：XXXXXXXXXX，地域：华北地区 (北京)，时间：2023-05-12 06:27:51(GMT+8:00)，检测到存在待处理的应用漏洞：Apache Shiro 身份验证绕过漏洞(CVE-2022-32532)，威胁等级：严重，可能会给黑客留下可乘之机【腾讯云】尊敬的腾讯云用户，您好！您的腾讯云账号（账号ID：XXXXXXXXXXX）下的服务器：XXXXXXXXXXXXXXX [CentOS-YO0q]，实例ID：XXXXXXXXXXXXXXXXX，地域：华北地区 (北京)，时间：2023-05-07 04:18:03(GMT+8:00)，检测到存在待处理的应急漏洞：FastJson代码执行漏洞(CVE-2022-25845)，威胁等级：严重，可能会给黑客留下可乘之机

371091997