Jack Misiura

**Name of the Vulnerable Software and Affected Versions** Power BI (affected versions not specified) **Description** Insufficient input validation in Power BI Report Server can allow a remote attacker to execute code on the network. The issue stems from inadequate input checking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the `GetExcursionList` method. This allows unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetExcursionList` method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized modification or extraction.

**Name of the Vulnerable Software and Affected Versions** IDAttend's IDWeb application versions 3.1.052 and earlier **Description** The issue allows attackers to hijack the browsing session of the logged-in user through stored cross-site scripting in the IDWeb application. **Recommendations** For versions 3.1.052 and earlier, update to a version later than 3.1.052 to resolve the issue. As a temporary workaround, consider restricting access to sensitive features within the IDWeb application until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IDWeb application version 3.1.013 **Description** The issue allows authenticated attackers to upload arbitrary files to the web root, including dangerous files such as ASP or ASPX, which can lead to command execution on the affected server. **Recommendations** For version 3.1.013, consider restricting access to the file upload functionality until a patch is available. As a temporary workaround, monitor the web root directory for suspicious files and remove them promptly to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IDWeb application version 3.1.013 **Description** The issue concerns missing authentication in the DeleteStaff method, allowing unauthenticated attackers to delete staff information. **Recommendations** For version 3.1.013, ensure proper authentication is implemented for the DeleteStaff method to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** IDWeb application version 3.1.013 **Description** The issue allows unauthenticated attackers to retrieve any file present on the web server. This is due to an unauthenticated arbitrary file read in the IDAttend’s IDWeb application. **Recommendations** For version 3.1.013, consider restricting access to sensitive files on the web server until a patch is available. As a temporary workaround, disabling the file retrieval functionality can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the `GetVisitors` method, allowing unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetVisitors` method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized modification or extraction. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the `GetExcursionDetails` method. This allows unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetExcursionDetails` method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized modification or extraction.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the `GetCurrentPeriod` method, allowing unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetCurrentPeriod` method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized data extraction or modification.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the GetStudentInconsistencies method, allowing unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the GetStudentInconsistencies method until a patch is available to prevent exploitation. As a temporary workaround, restrict access to sensitive data to minimize the risk of unauthorized data extraction or modification. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue is related to an unauthenticated SQL injection in the GetRoomChanges method, allowing unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the GetRoomChanges method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized extraction or modification. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the `DeleteRoomChanges` method. This allows unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `DeleteRoomChanges` method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized modification or extraction.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns missing authentication in the `GetLogFiles` method, allowing unauthenticated attackers to retrieve sensitive log files. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetLogFiles` method until a patch is available to prevent unauthorized access to sensitive log files.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns missing authentication in the `GetActiveToiletPasses` method, allowing unauthenticated attackers to retrieve student information. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetActiveToiletPasses` method until a patch is available to prevent unauthorized access to student information.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the `GetAssignmentsDue` method. This allows unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `GetAssignmentsDue` method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized modification or extraction. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns missing authentication in the `DeleteAssignments` method, allowing unauthenticated attackers to delete data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the `DeleteAssignments` method until a patch is available to prevent unauthorized data deletion.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue is related to reflected cross-site scripting in the StudentSearch component, allowing attackers to hijack a user's browsing session if the user clicks on a malicious link. This can be achieved by convincing the user to click on the link. **Recommendations** For versions 3.1.052 and earlier, consider disabling the StudentSearch component until a patch is available to prevent exploitation. Restrict access to this component to minimize the risk of session hijacking. Avoid using links from untrusted sources to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns an unauthenticated SQL injection in the GetStudentGroupStudents method, allowing unauthenticated attackers to extract or modify all data. **Recommendations** For versions 3.1.052 and earlier, consider disabling the GetStudentGroupStudents method until a patch is available to prevent exploitation. Restrict access to sensitive data to minimize the risk of unauthorized modification or extraction. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** Unauthenticated SQL injection in the `StudentPopupDetails Timetable` method allows extraction or modification of all data by unauthenticated attackers. **Recommendations** For versions 3.1.052 and earlier, as a temporary workaround, consider disabling the `StudentPopupDetails Timetable` method until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDWeb application versions 3.1.052 and earlier **Description** The issue concerns missing authentication in the SetDB method, which can lead to denial of service or theft of database login credentials. **Recommendations** For versions 3.1.052 and earlier, consider disabling the SetDB method until a patch is available to prevent potential exploitation. Restrict access to the database login credentials to minimize the risk of theft. At the moment, there is no information about a newer version that contains a fix for this issue.