Arvandy

**Nome do software vulnerável e versões afetadas** IT Path Solutions Contact Form to Any API, versões 1.1.6 e anteriores **Descrição** O problema está relacionado a uma vulnerabilidade de falta de autorização, que permite a exploração de níveis de segurança de controle de acesso configurados incorretamente. **Recomendações** Para o IT Path Solutions Contact Form to Any API nas versões 1.1.6 e anteriores, atualize para uma versão que contenha uma correção para este problema. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do software vulnerável e versões afetadas** TextMe SMS versões 1.9.0 e anteriores **Descrição** O problema está relacionado a uma vulnerabilidade de falta de autorização, que permite a exploração de níveis de segurança de controle de acesso configurados incorretamente. **Recomendações** Para as versões 1.9.0 e anteriores do TextMe SMS, no momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** weDevs WP ERP | Solução completa de RH com recrutamento e anúncios de emprego | WooCommerce CRM & Contabilidade, versões 1.12.8 e anteriores **Descrição** O problema está relacionado à neutralização inadequada de elementos especiais utilizados em um comando SQL, também conhecida como injeção de SQL. Isso permite uma possível exploração por meio da injeção de código SQL malicioso. **Recomendações** Para as versões 1.12.8 e anteriores, atualize para uma versão posterior à 1.12.8 para resolver o problema. No momento, não há informações sobre medidas de mitigação adicionais.

**Name of the Vulnerable Software and Affected Versions** Bravo Translate versions 1.2 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for potential exploitation by injecting malicious SQL code. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Bravo Translate versions 1.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contact Form to Any API versions 1.1.2 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions 1.1.2 and earlier, update to a version that contains a fix for this issue, as using an outdated version poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Creative Solutions Contact Form Generator plugin versions <= 2.5.5 **Description** The issue is related to an Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in the Creative Solutions Contact Form Generator plugin. This vulnerability exists due to inadequate protection of the web page structure, allowing a remote attacker to conduct a cross-site scripting attack. **Recommendations** For versions <= 2.5.5, update to a version greater than 2.5.5 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ERP WordPress plugin versions prior to 1.12.4 **Description** The issue concerns a SQL injection problem. It occurs because the `type` parameter in the "erp/v1/accounting/v1/people" REST API endpoint is not properly sanitized and escaped before being used in a SQL statement. This can be exploited by high-privilege users, such as admins. **Recommendations** For versions prior to 1.12.4, update to version 1.12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "erp/v1/accounting/v1/people" API endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** KiviCare WordPress plugin versions prior to 3.2.1 **Description** The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the page. This could be exploited against high-privilege users, such as administrators. **Recommendations** For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 4.5.4 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, affecting the /EditEventTypes.php endpoint through the `EN tyid` POST parameter. **Recommendations** For ChurchCRM version 4.5.4, as a temporary workaround, consider restricting access to the /EditEventTypes.php endpoint until a patch is available. Avoid using the `EN tyid` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NotrinosERP version 0.7 **Description** The issue is a SQL injection vulnerability that can be exploited via the `OrderNumber` parameter at the "/NotrinosERP/sales/customer delivery.php" API endpoint. This allows for potential unauthorized access to database information. **Recommendations** For NotrinosERP version 0.7, as a temporary workaround, consider restricting access to the "/NotrinosERP/sales/customer delivery.php" API endpoint to minimize the risk of exploitation. Avoid using the `OrderNumber` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.