Tomapu

**Name of the Vulnerable Software and Affected Versions** Verydows version 2.0 **Description** The issue is related to a security problem where an attacker can inject malicious code. The estimated number of potentially affected devices worldwide is not available. The problem can be exploited through the `/index.php?m=api&c=stats&a=count` API endpoint, specifically via the `referrer` parameter. **Recommendations** For Verydows version 2.0, as a temporary workaround, consider restricting access to the `/index.php?m=api&c=stats&a=count` API endpoint to minimize the risk of exploitation. Avoid using the `referrer` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verydows version 2.0 **Description** A CSRF issue was discovered that allows adding an admin account via the "index.php?m=backend&c=admin&a=add&step=submit" endpoint, specifically by manipulating the `a` and `step` variables. **Recommendations** For version 2.0, consider implementing proper CSRF protection mechanisms to prevent unauthorized admin account additions. As a temporary workaround, restrict access to the "index.php?m=backend&c=admin&a=add&step=submit" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hotels Server versions prior to 2018-11-05 **Description** The issue allows for SQL Injection via the `username` parameter in the "controller/fetchpwd.php" API endpoint. **Recommendations** For versions prior to 2018-11-05, update to a version released after 2018-11-05 to resolve the issue.