Furkan Kutluca

Nome do software vulnerável e versões afetadas: Versões do Piramit Automation anteriores a 27/09/2024 Descrição: O problema está relacionado à neutralização inadequada de elementos especiais usados em um comando SQL, também conhecida como “injeção de SQL”, o que permite a injeção de SQL cega. Isso significa que um invasor poderia injetar código SQL malicioso no aplicativo, permitindo-lhe acessar ou modificar dados confidenciais sem ser detectado. Recomendações: Para versões anteriores a 27/09/2024, atualize para uma versão lançada após 27/09/2024 para resolver o problema. Como solução temporária, considere restringir o acesso a dados confidenciais e implementar medidas de segurança adicionais para minimizar o risco de exploração. Evite usar dados inseridos pelo usuário diretamente em comandos SQL até que o problema seja resolvido. No momento, não há informações sobre medidas de mitigação adicionais.

**Name of the Vulnerable Software and Affected Versions** EDM Informatics E-invoice versions prior to 2.1 **Description** The issue is related to improper protection for outbound error messages and alert signals, allowing account footprinting. This can potentially reveal sensitive information about user accounts. **Recommendations** For versions prior to 2.1, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to error messages and alert signals to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** YKM CRM versions prior to 23.03.30 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS attacks. **Recommendations** For versions prior to 23.03.30, update to a version 23.03.30 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Virames Vira-Investing versions prior to 1.0.84.86 **Description** The issue is related to an Improper Neutralization of Script-Related HTML Tags in a Web Page, which allows Cross-Site Scripting (XSS). This is a type of attack where an attacker can inject malicious scripts into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For versions prior to 1.0.84.86, update to version 1.0.84.86 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vira-Investing versions prior to 1.0.84.86 **Description** The issue is related to improper protection for outbound error messages and alert signals, allowing account footprinting. This can potentially reveal sensitive information about user accounts. **Recommendations** For versions prior to 1.0.84.86, update to version 1.0.84.86 or later to resolve the issue. As a temporary workaround, consider restricting access to error messages and alert signals to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Smartpower Web versions prior to 23.01.01 **Description** The issue affects Group Arge Energy and Control Systems Smartpower Web, allowing Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. **Recommendations** For versions prior to 23.01.01, update to version 23.01.01 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Smartpower Web versions prior to 23.01.01 **Description** The issue is related to an Improper Input Validation vulnerability that allows SQL Injection in Smartpower Web. This vulnerability can be exploited due to the lack of proper validation of user input, potentially leading to unauthorized access to sensitive data. **Recommendations** For versions prior to 23.01.01, update to a version 23.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the Smartpower Web application until the update can be applied. Additionally, restricting user input to only expected and validated formats can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Smartpower Web versions prior to 23.01.01 **Description** The issue is related to improper input validation, which allows SQL Injection in Smartpower Web. This can be exploited due to the lack of proper validation of user input. **Recommendations** For versions prior to 23.01.01, update to version 23.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the SQL database to minimize the risk of exploitation. Avoid using user-supplied input in SQL queries until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Smartpower Web versions prior to 23.01.01 **Description** The issue is related to a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability allows for Server Side Request Forgery. **Recommendations** For versions prior to 23.01.01, update to version 23.01.01 or later to resolve the issue.