Sut0L

**Name of the Vulnerable Software and Affected Versions** Tarkov Data Manager versions prior to 02 January 2025 **Description** The Tarkov Data Manager, a tool for managing Tarkov item data, contains an authentication bypass issue in the login endpoint. This allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel. The issue is due to a JavaScript prototype property access vulnerability combined with loose equality type coercion. The vulnerability was addressed with a series of fix commits on 02 January 2025. The API endpoint affected is `/login`. The vulnerability allows bypassing authentication through manipulation of the `username` and `password` parameters. **Recommendations** Versions prior to 02 January 2025 should be updated to the latest version to address this authentication bypass.

**Name of the Vulnerable Software and Affected Versions** Tarkov Data Manager versions prior to 02 January 2025 **Description** The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability exists in the toast notification system. This allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. The vulnerability was addressed with a series of fix commits on 02 January 2025. **Recommendations** Versions prior to 02 January 2025 should be updated.

**Name of the Vulnerable Software and Affected Versions** Tarkov Data Manager versions prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 **Description** The Tarkov Data Manager is a tool used to manage Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection issue exists in the webhook edit and scanner `API endpoints`. An authenticated attacker can exploit this to execute arbitrary SQL queries against the MySQL database. The vulnerable `API endpoints` are susceptible due to a flaw that allows manipulation of database queries through time-based inference. **Recommendations** Update to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 or a later version to resolve this issue.