Meifukun

Name of the Vulnerable Software and Affected Versions SourceCodester Loan Management System versão 1.0 Description Existe uma falha de lógica de negócios devido à validação insuficiente no lado do servidor. Os administradores podem criar 'Planos de Empréstimo' com taxas de penalidade para pagamentos atrasados. A interface do usuário restringe valores negativos no campo 'Penalidade Mensal por Atraso', mas essa verificação está ausente no backend. Um invasor pode ignorar a restrição do lado do cliente manipulando a solicitação HTTP POST para enviar um valor negativo para o parâmetro `penalty rate`. Recommendations Garanta que a validação no lado do servidor seja implementada para o parâmetro `penalty rate` para evitar que valores negativos sejam aceitos.

Name of the Vulnerable Software and Affected Versions SourceCodester Loan Management System versão 1.0 Description Uma falha de lógica de negócios existe devido à falta de validação adequada de entrada. Especificamente, o sistema permite que administradores definam 'Planos de Empréstimo' com uma duração em meses, mas não verifica se a duração é um número inteiro positivo. Um invasor pode enviar um valor negativo para o parâmetro de meses, e o sistema aceitará esses dados inválidos, criando um plano de empréstimo com uma duração negativa. Recommendations Certifique-se de que o valor de duração para planos de empréstimo seja validado para ser um número inteiro positivo.

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest percentage. This results in the creation of loan plans with negative interest rates.

A Blind SQL Injection vulnerability exists in SourceCodester Loan Management System v1.0. The vulnerability is located in the ajax.php file (specifically the save loan action). The application fails to properly sanitize user input supplied to the "borrower id" parameter in a POST request, allowing an authenticated attacker to inject malicious SQL commands.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists. The application does not properly sanitize input, which allows remote attackers to inject arbitrary web script or HTML via a crafted URL. The vulnerability is located in the `add category.php` file through the `msg` parameter. **Recommendations** Apply input sanitization to the `msg` parameter in the `add category.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the application. The application does not properly sanitize input, which allows for the injection of arbitrary web scripts or HTML. This occurs through a crafted URL targeting the `add customer.php` file via the `msg` parameter. **Recommendations** Apply input sanitization to the `msg` parameter in the `add customer.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the application. The issue is located in the `add supplier.php` file through the `msg` parameter. The application does not properly sanitize input, which allows remote attackers to inject arbitrary web script or HTML via a crafted URL. **Recommendations** Apply input sanitization to the `msg` parameter in the `add supplier.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System version 1.0. The issue is located in the `add purchase.php` file through the `msg` parameter. The application does not properly sanitize input, allowing remote attackers to inject arbitrary web scripts or HTML via a manipulated URL. **Recommendations** Apply input sanitization to the `msg` parameter in the `add purchase.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System. The problem is located in the `index.php` file through the `msg` parameter. The application does not properly sanitize input, which allows attackers to inject arbitrary web scripts or HTML via a manipulated URL. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider sanitizing the `msg` parameter in the `index.php` file to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System 1.0. The issue is located in the `add sales.php` file through the `msg` parameter. The application does not properly sanitize input, which allows remote attackers to inject arbitrary web scripts or HTML via a manipulated URL. **Recommendations** Sanitize the input for the `msg` parameter in the `add sales.php` file to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Stored Cross-Site Scripting (XSS) issue exists in the application. The application does not properly sanitize the `website` parameter in a POST request to the `update details.php` file. This allows authenticated attackers to inject arbitrary web scripts or HTML. The injected content is stored in the database and executed when the store details page is accessed. **Recommendations** Update the application to a version that properly sanitizes the `website` parameter in the `update details.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue exists. The application does not properly sanitize input, potentially allowing remote attackers to inject arbitrary web scripts or HTML through a specially crafted URL. The issue is located in the `view payments.php` file via the `limit` parameter. **Recommendations** Apply input sanitization to the `limit` parameter in the `view payments.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Sales and Inventory System version 1.0 **Description** A reflected cross-site scripting (XSS) issue exists in SourceCodester Sales and Inventory System version 1.0. The issue is located in the `view customers.php` file through the `limit` parameter. The application does not properly sanitize input, allowing remote attackers to inject arbitrary web script or HTML via a manipulated URL. **Recommendations** Apply input sanitization to the `limit` parameter in the `view customers.php` file.

A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.

A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-stock.php file. The application fails to validate the "txtqty" parameter during stock entry, allowing negative values to be processed. This causes the system to decrease the inventory level instead of increasing it, leading to inventory corruption and potential Denial of Service by depleting stock records.

A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Sales and Inventory System 1.0 in the view product.php file via the "limit" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.