Casaos · Casaos · CVE-2026-21891
**Name of the Vulnerable Software and Affected Versions**
ZimaOS versions up to and including 1.5.0
**Description**
ZimaOS, a fork of CasaOS, has an authentication bypass in versions up to and including 1.5.0. The application validates usernames but improperly handles password validation for known system service accounts. Specifically, the login function fails to correctly process the password validation result for these users, so anyone who knows a valid system username is granted authenticated access regardless of the password supplied. The vulnerable component is the login function, and the `username` parameter is used in the authentication process.
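
A hypothetical Go model of the flaw class described above, next to a fail-closed version; it is an added illustration, not code from ZimaOS or CasaOS. The names `accounts`, `checkPassword`, `loginVulnerable` and `loginHardened`, the sample users, and the exact shape of the faulty branch are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

type account struct {
	password string // plaintext only to keep the example short; real code stores a hash
	system   bool   // true for a system service account
}

// Constructed sample data, not real ZimaOS accounts.
var accounts = map[string]account{
	"alice":  {password: "correct horse"},
	"daemon": {system: true}, // service account with no usable password
}
var errBadPassword = errors.New("password validation failed")

// checkPassword rejects service accounts and any non-matching password.
func checkPassword(a account, pw string) error {
	if a.system || subtle.ConstantTimeCompare([]byte(a.password), []byte(pw)) != 1 {
		return errBadPassword
	}
	return nil
}

// loginVulnerable (assumed shape of the bug): the validation error is
// dropped when the account is a system account, so the login succeeds.
func loginVulnerable(user, pw string) bool {
	a, ok := accounts[user]
	if !ok {
		return false
	}
	if err := checkPassword(a, pw); err != nil && !a.system {
		return false
	}
	return true
}

// loginHardened fails closed: any validation error denies access for every account type.
func loginHardened(user, pw string) bool {
	a, ok := accounts[user]
	return ok && checkPassword(a, pw) == nil
}

func main() {
	fmt.Println(loginVulnerable("daemon", "x"), loginHardened("daemon", "x")) // true false
}
```

The assertions that separate the two functions (service account with an arbitrary password must be denied) are the regression test to keep once a fixed release is available.
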
**Recommendations**
Versions up to and including 1.5.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.