Fzh1613

**Name of the Vulnerable Software and Affected Versions** SourceCodester Free and Open Source Inventory Management System version 1.0 **Description** A critical issue affects the processing of the file ample/app/ajax/suppliar data.php, where the manipulation of the `columns` argument leads to SQL injection. This issue can be initiated remotely. **Recommendations** For SourceCodester Free and Open Source Inventory Management System version 1.0, consider restricting access to the ample/app/ajax/suppliar data.php file until a patch is available. As a temporary workaround, avoid using the `columns` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Free and Open Source Inventory Management System version 1.0 **Description** A critical issue has been discovered, affecting an unknown function of the file /ample/app/ajax/member data.php. The manipulation of the `columns` argument leads to SQL injection. This issue can be exploited remotely. **Recommendations** For SourceCodester Free and Open Source Inventory Management System version 1.0, consider restricting access to the `/ample/app/ajax/member data.php` file until a patch is available. As a temporary workaround, avoid using the `columns` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Courier Management System version 1.0 **Description** A problematic issue was found, allowing for cross site scripting through the manipulation of the `page` argument with malicious input, such as `</TiTlE><ScRiPt>alert(1)</ScRiPt>`. This can be exploited remotely. **Recommendations** For SourceCodester Best Courier Management System version 1.0, consider restricting the input for the `page` argument to prevent cross site scripting attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Courier Management System version 1.0 **Description** A vulnerability has been found in the file parcel list.php of the component GET Parameter Handler, which can be exploited to lead to cross site scripting. The manipulation of the argument `id` with malicious input, such as `</TiTlE><ScRiPt>alert(1)</ScRiPt>`, can trigger this issue. The attack can be launched remotely. **Recommendations** For SourceCodester Best Courier Management System version 1.0, consider validating and sanitizing user input for the `id` argument in the parcel list.php file to prevent cross site scripting attacks. As a temporary workaround, restrict access to the parcel list.php file until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OTCMS version 6.72 **Description** A critical issue has been found, affecting the `UseCurl` function of the `/admin/info deal.php` file in the URL Parameter Handler component. This leads to server-side request forgery and can be exploited remotely. The issue has been publicly disclosed and may be used for attacks. **Recommendations** For OTCMS version 6.72, consider disabling the `UseCurl` function in the `/admin/info deal.php` file as a temporary workaround until a patch is available. Restrict access to the URL Parameter Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OTCMS version 6.72 **Description** A vulnerability was found in the function `AutoRun` of the file `apiRun.php`. The manipulation of the argument `mode` leads to cross-site scripting. The attack can be launched remotely. **Recommendations** For OTCMS version 6.72, consider disabling the `AutoRun` function of the `apiRun.php` file until a patch is available. Restrict access to the `apiRun.php` file to minimize the risk of exploitation. Avoid using the `mode` argument in the affected function until the issue is resolved.