Abdullah Çelebi

**Name of the Vulnerable Software and Affected Versions** PhreeBooks ERP version 5.2.3 **Description** The software contains a flaw in the Image Manager component that allows authenticated attackers to upload malicious files. Attackers can submit requests to the image upload endpoint, specifically uploading PHP files through the `imgFile` parameter to the ''bizuno/image/manager'' endpoint. These uploaded files can then be executed via the ''bizunoFS.php'' script, leading to remote code execution. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Clinic Pro (affected versions not specified) **Description** Clinic Pro contains a SQL injection flaw that allows authenticated attackers to manipulate database queries. This is achieved by injecting SQL code through the `month` parameter. Attackers can send POST requests to the ''monthly expense overview'' endpoint with manipulated `month` values. Exploitation involves boolean-based blind, time-based blind, or error-based SQL injection techniques to extract sensitive database information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Placeto CMS version Alpha rv.4 **Description** An SQL injection issue exists in Placeto CMS version Alpha rv.4 that allows authenticated attackers to manipulate database queries. The issue occurs because malicious SQL code can be injected through the `page` parameter. Attackers can send GET requests to the ''admin/edit.php'' endpoint with crafted `page` values, utilizing boolean-based blind, time-based blind, or union-based techniques to extract sensitive database information. **Recommendations** Apply a fix for Placeto CMS version Alpha rv.4 to address the SQL injection issue in the ''admin/edit.php'' endpoint.

**Name of the Vulnerable Software and Affected Versions** Tradebox version 5.4 **Description** An SQL injection issue exists in Tradebox version 5.4 that allows authenticated attackers to manipulate database queries. This is achieved by injecting SQL code through the `symbol` parameter. Attackers can send POST requests to the ''monthly deposit'' endpoint with malicious `symbol` values. Exploitation involves boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information. **Recommendations** Apply a fix for Tradebox version 5.4 to address the SQL injection issue in the ''monthly deposit'' endpoint.