Abdulwahab Alismaeel

**Name of the Vulnerable Software and Affected Versions** Solvait version 24.4.2 **Description** A security flaw has been discovered that allows an attacker to elevate their privileges. By manipulating the `Request ID` and `Action Type` parameters in "/AssignToMe/SetAction" API endpoint, an attacker can bypass approval workflows leading to unauthorized access to sensitive information or approval of fraudulent requests. **Recommendations** For Solvait version 24.4.2, consider disabling the "/AssignToMe/SetAction" API endpoint or restricting access to it until a patch is available. Additionally, avoid using the `Request ID` and `Action Type` parameters in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Solvait version 24.4.2 **Description** A Stored Cross-Site Scripting (XSS) vulnerability allows remote attackers to inject malicious scripts into the application due to insufficient input validation and sanitization in the "Intrest" feature. **Recommendations** For Solvait version 24.4.2, consider disabling the "Intrest" feature until a patch is available to prevent exploitation of the Stored Cross-Site Scripting (XSS) vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZKTeco BioTime versions 8.5.4 and earlier **Description** An issue in the software allows a remote attacker to obtain sensitive information. **Recommendations** For ZKTeco BioTime versions 8.5.4 and earlier, update to a version later than 8.5.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.