Cakes

**Name of the Vulnerable Software and Affected Versions** FileThingie version 2.5.7 **Description** The software contains an arbitrary file upload issue that allows attackers to upload malicious files. This is achieved by sending ZIP archives through the 'ft2.php' endpoint. Attackers can upload ZIP files containing PHP shells, utilize the unzip functionality to extract them into accessible directories, and then execute arbitrary commands through the extracted PHP files. The vulnerable parameter is the file uploaded to the 'ft2.php' endpoint. **Recommendations** Apply a fix for FileThingie version 2.5.7.

**Name of the Vulnerable Software and Affected Versions** delpino73 Blue-Smiley-Organizer version 1.32 **Description** The software contains an SQL injection issue in the `datetime` parameter. Unauthenticated attackers can manipulate database queries by injecting SQL code through POST requests. This allows attackers to extract sensitive data using boolean-based blind and time-based blind techniques, or write files to the server using INTO OUTFILE statements. **Recommendations** Apply a fix for version 1.32 to address the SQL injection issue in the `datetime` parameter.

**Name of the Vulnerable Software and Affected Versions** GOautodial version 4.0 **Description** GOautodial version 4.0 has a persistent cross-site scripting issue. Authenticated attackers can inject malicious scripts through the event title parameter. The issue is exploitable via crafted POST requests with XSS payloads sent to the `/CreateEvent.php` endpoint, allowing for the execution of arbitrary JavaScript in victim browsers. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the `event title` parameter before processing it in the `CreateEvent.php` endpoint.

**Name of the Vulnerable Software and Affected Versions** WorkgroupMail version 7.5.1 **Description** The software contains an unquoted service path vulnerability in its Windows service configuration. This allows local attackers to potentially execute arbitrary code. Exploitation involves leveraging the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. **Recommendations** Apply appropriate quoting to the service path configuration to prevent the execution of unauthorized code.

**Name of the Vulnerable Software and Affected Versions** Mikogo version 5.2.2.150317 **Description** The software contains an unquoted service path issue in the 'Mikogo-Service' Windows service configuration. This allows attackers to inject and execute malicious code with LocalSystem privileges by placing executable files in specific path locations. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zilab Remote Console Server version 3.2.9 **Description** The software contains an unquoted service path that could allow local attackers to execute arbitrary code with elevated system privileges. Exploitation involves leveraging the unquoted binary path within the service configuration to inject malicious executables, which are then executed with LocalSystem permissions. **Recommendations** Ensure the service path is enclosed in quotes to prevent the execution of unauthorized code.

**Name of the Vulnerable Software and Affected Versions** ActiveFax Server version 6.92 Build 0316 **Description** ActiveFax Server 6.92 Build 0316 contains an unquoted service path vulnerability in the `ActiveFaxServiceNT` service. This allows local attackers to potentially execute arbitrary code by exploiting the unquoted binary path to inject malicious executables. These executables can then be launched with elevated administrative privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TheJshen ContentManagementSystem versão 1.04 **Description** Existe um problema que permite a atacantes manipular consultas de banco de dados através do parâmetro GET 'id'. Isso pode ser feito utilizando técnicas de injeção SQL baseadas em booleanos, baseadas em tempo e baseadas em UNION para extrair ou manipular informações do banco de dados por meio da criação de cargas úteis de consulta maliciosas. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** html5 snmp version 1.11 **Description** The software contains a persistent cross-site scripting issue. An attacker can inject malicious scripts through the `Remark` parameter in the `add router operation.php` file. By crafting a POST request with a script payload in the `Remark` field, an attacker can execute arbitrary JavaScript in the browsers of those who view the page. The vulnerable parameter is `Remark`. The affected file is `add router operation.php`. **Recommendations** Apply a fix to the `add router operation.php` file to sanitize the `Remark` parameter and prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** html5 snmp version 1.11 **Description** The software contains multiple SQL injection flaws that allow manipulation of database queries. Attackers can leverage the `Router ID` and `Router IP` parameters to exploit error-based, time-based, and union-based injection techniques. Successful exploitation could lead to the extraction or modification of database information through crafted payloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RimbaLinux AhadPOS versão 1.11 **Description** Existe um problema onde solicitações POST manipuladas podem alterar consultas ao banco de dados por meio do parâmetro `alamatCustomer`. Isso permite o uso de técnicas de injeção SQL cega baseada em tempo e booleana para extrair informações ou interagir com o banco de dados subjacente. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha a correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Globitek CMS versão 1.4 **Description** Existe um problema onde atacantes podem manipular consultas de banco de dados através do parâmetro GET 'id'. Isso pode ser explorado usando técnicas de injeção SQL baseadas em booleanos, baseadas em tempo e baseadas em UNION para potencialmente extrair ou modificar informações do banco de dados. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Millhouse-Project versão 1.414 **Description** Um problema de cross-site scripting persistente existe na funcionalidade de envio de comentários. Isso permite que atacantes injetem scripts maliciosos ao postar comentários com JavaScript incorporado através do endpoint 'add comment sql.php' usando o parâmetro `content`, levando à execução de scripts arbitrários nos navegadores de usuários que visualizam os comentários. **Recommendations** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.