Yanfei.Chen

**Name of the Vulnerable Software and Affected Versions** SourceCodester Online Computer and Laptop Store version 1.0 **Description** A critical issue affects the processing of the file /classes/Master.php?f=delete category, where the manipulation of the `id` argument leads to sql injection. The attack can be initiated remotely. **Recommendations** For SourceCodester Online Computer and Laptop Store version 1.0, consider restricting access to the /classes/Master.php file to minimize the risk of exploitation, and avoid using the `id` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Online Computer and Laptop Store version 1.0 **Description** A critical vulnerability was found in the Image Handler component of the affected software, specifically in the /classes/Master.php file, where the `path` argument is manipulated, leading to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For SourceCodester Online Computer and Laptop Store version 1.0, consider disabling the `delete img` functionality in the /classes/Master.php file until a patch is available. Restrict access to the vulnerable Image Handler component to minimize the risk of exploitation. Avoid using the `path` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Online Computer and Laptop Store version 1.0 **Description** A critical issue has been found in the Subcategory Handler component, specifically in the file /classes/Master.php?f=save sub category. The manipulation of the `sub category` argument leads to sql injection. This issue can be exploited remotely. **Recommendations** For version 1.0, consider disabling the `save sub category` functionality in the /classes/Master.php file until a patch is available. Restrict access to the Subcategory Handler component to minimize the risk of exploitation. Avoid using the `sub category` argument in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Online Computer and Laptop Store version 1.0 **Description** A critical issue was found in the software, affecting an unknown part of the file /classes/Master.php?f=delete sub category. The manipulation of the `id` argument leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For version 1.0, consider disabling the `delete sub category` function in the /classes/Master.php file until a patch is available. Restrict access to the /classes/Master.php?f=delete sub category endpoint to minimize the risk of exploitation. Avoid using the `id` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Online Computer and Laptop Store version 1.0 **Description** A critical vulnerability has been found in the SourceCodester Online Computer and Laptop Store, affecting the file /classes/Master.php?f=save category. The manipulation of the `category` argument leads to sql injection. The attack can be initiated remotely. **Recommendations** For version 1.0, consider disabling the `save category` function in the Master.php file until a patch is available. Restrict access to the /classes/Master.php?f=save category endpoint to minimize the risk of exploitation. Avoid using the `category` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dst-admin version 1.5.0 **Description** A critical vulnerability was found in dst-admin, affecting an unknown functionality of the file /home/cavesConsole. The manipulation of the `command` argument leads to command injection. The attack can be launched remotely. **Recommendations** For dst-admin version 1.5.0, consider disabling the functionality related to the file /home/cavesConsole to minimize the risk of exploitation. Restrict access to the `command` argument to prevent command injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dst-admin version 1.5.0 **Description** A critical issue has been found in the software, affecting some unknown functionality of the file /home/kickPlayer. The manipulation of the `userId` argument leads to command injection. The attack can be launched remotely. **Recommendations** For dst-admin version 1.5.0, as a temporary workaround, consider restricting access to the `/home/kickPlayer` file until a patch is available. Avoid using the `userId` argument in affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** dst-admin version 1.5.0 **Description** A critical issue was found in dst-admin, affecting an unknown part of the file /home/masterConsole. The manipulation of the `command` argument leads to command injection. It is possible to initiate the attack remotely. **Recommendations** For dst-admin version 1.5.0, as a temporary workaround, consider restricting access to the `command` argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dst-admin version 1.5.0 **Description** A critical issue has been found, affecting unknown code in the file /home/sendBroadcast. The manipulation of the `message` argument leads to command injection. This issue can be exploited remotely. **Recommendations** For dst-admin version 1.5.0, consider restricting access to the /home/sendBroadcast file to minimize the risk of exploitation. As a temporary workaround, avoid using the `message` argument in the affected file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** FastCMS version 0.1.0 **Description** A critical issue has been found in the Template Management component of FastCMS, allowing for unrestricted upload. This can be exploited remotely. The issue has been publicly disclosed and may be used for attacks. **Recommendations** For FastCMS version 0.1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.